g-docweb-display Portlet

Business Information: Only Relevant Data May Be Processed [1589979]

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF

[doc. web n. 1589979]
versione italiana

Business Information: Only Relevant Data May Be Processed

THE ITALIAN DATA PROTECTION AUTHORITY

Having met today, in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Giovanni Buttarelli, Secretary General;

Having regard to the DP Code (decree no. 196 dated 30 June 2003);

Having regard to the records on file;

Having regard to the considerations submitted by the Secretary General in pursuance of Article 15 of the Italian DPA´s Rules of Procedure (no. 1/2000);

Acting on the report submitted by Prof. Francesco Pizzetti;

WHEREAS

1. Processing of personal data by Cerved Business Information S.p.A. in connection with so-called business information
1.1. Taking account of the claims, reports and complaints lodged repeatedly with the Italian DPA concerning certain features of the processing of personal data carried out by Cerved Business Information S.p.A. (hereinafter, Cerved) in the so-called business information sector, preliminary inquiries were performed based on an initial request for information sent to Cerved. Given the complex, multifarious issues that could be highlighted following the response provided by Cerved, additional on site investigations were carried out on the 7th, 8th and 15th of May and on the 3rd of June 2008 in order to probe more deeply into the processing operations in questions – with particular regard to compliance with the data protection principles laid down in Section 11 of the DP Code.

Subject to such adjustments as may be found to be necessary in pursuance of the Codes of Practice mentioned in Sections 61, 118 and 119 of the DP Code – especially as for the mechanisms to update the information and the applicable retention periods – this decision is issued under Section 154(1)c. of the DP Code, taking account of the considerations submitted by the company and the documents acquired by the DPA, to provide for the necessary measures to be adopted in order to bring the processing operations into line with the principles set forth in Section 11 of the DP Code as regards, in particular, the principles of data accuracy, relevance and non-excessiveness in respect of the purposes to be achieved.

This Authority reserves hereby the right to carry out additional investigations concerning other data controllers that disclose personal data to Cerved in order to enable the latter to provide its information-related services; this is without prejudice to such provisions and measures as may be found to be necessary also in connection with specific cases.

Such additional processing operations as are carried out by the company for purposes other than the provision of business information were not investigated and fall accordingly outside the scope of this decision.

2. Features of the Processing, Purposes of the Processing, and Data Categories
2.1. Based on the relevant findings, Cerved manages own databases that have been generated by extracting information from other filing systems (whether set up by public or private entities) to provide its customers – mostly business professionals and practitioners such banks, finance companies, information companies and agencies – with information-related services focused on the so-called business information. However, in some cases Cerved merely distributes services provided by others – based on agency agreements.

The data used by the company to develop the services they market are taken, directly or indirectly, from public registers including, for instance, Chambers of Commerce, cadastral registers, the register of protested bills of exchange, data taken from lists of professionals, etc.; the data also include information from publicly accessible sources such as "corporate URLs", lists of ISO-certified companies, and specialised media information. Additionally, Cerved collects information from CONSOB [Italy´s Securities and Exchange Commission] as for "substantial interests in listed companies".

Conversely, some data relating to "prejudicial information" contained in Land Registries, which is taken from private entities, are currently stored in a "separate database; they are neither disclosed to Cerved customers nor linked to the information provided to such customers and are only used to monitor data quality – with particular regard to checking identification data and tax IDs." (statements rendered by Cerved).

Cerved has also acquired personal information contained in electoral rolls and/or the consolidated database (CDB) referred to in decisions 36/02/Cons and 180/02/Cons by the Authority for Communications Safeguards [containing contact information on all telephone subscribers]; such information is allegedly used "to carry out checks in respect of other data contained in Cerved´s databases, in particular if no Tax ID is available, so as to identify a given entity as precisely as possible" as well as more generally to "improve/refine the information contained in […] databases".

The services developed by means of the personal data collected as above are marketed via customized information dossiers concerning both natural and legal persons; the dossiers  differ by data categories and information details. The company has coined several definitions for its information products – such as "dossier impresa" (corporate  dossier); "dossier persona" (personal dossier); "report"; "quick report"; "quick report plus"; and "overview".

2.2. Cerved has specified which purposes are sought via the activities described so far – which can be generally referred to as consisting in the "provision" of business-relevant information. This specification is fundamental in order to establish both whether the processing operations are lawful and which data is relevant to the given purpose(s).

Based on the statements rendered initially by the company, the processing operations performed by Cerved as a separate data controller are aimed at "providing wide-ranging business information on creditworthiness and reliability" of the entities surveyed. This has been re-affirmed repeatedly by the company, which has clarified that – in order to afford top-level transparency and safeguards in business, commercial and/or financial transactions – they provide "wide-ranging information, taken exclusively from publicly available public sources, in respect of business, entrepreneurial and/or professional activities, whether past or present, as for organisation, management, production, assets and liabilities, accounting and financial information – including information on credit history, creditworthiness, and fulfilment of applicable obligations – related to natural and legal persons, organisations, businesses, one-man companies, handicrafts, self-employed professionals, directors and members of companies and/or any other entities carrying out similar activities. [Additionally, our company provides] wide-ranging information on natural persons´ assets, liabilities and obligations by communicating data taken from public registers and publicly available lists, instruments and/or documents".

However, the company´s representatives clarified during the inspections carried out by the Italian DPA that "generally speaking, the dossiers – whether related to natural or legal persons – are intended for similar purposes. Firstly, they make available publicly accessible information; secondly, as for certain entities defined group-wise on the basis of standards developed by our company, they provide assessment data on the "soundness" and/or "reliability" of the entities in question from a business standpoint, by having regard to temporal and value factors in respect of the data. The information processed by Cerved in this manner is not meant to provide guidance on creditworthiness of the given entities." This clarification is actually confirmed by several circumstances as also resulting from the communications and disclosures performed by the company to the Italian DPA.

In the light of the above considerations, it can be argued accordingly that the purposes sought by Cerved – with particular regard to the information services provided via their "personal" and "corporate" dossiers and irrespective of their being generally labelled as "business information services" – consist, first and foremost, in marketing information-oriented services by aggregating data that is publicly available (see point 3 below as for the lawful scope of the relevant activities); furthermore, they consist in marketing evaluation-oriented services by means of scoring indexes that result from processing of the available histories with regard to the business reliability of certain entities (see point 4 below).

2.3 As already remarked, the scope of the surveyed entities is quite broad as it includes any entity that is mentioned, on whatever grounds, in certain public registers and/or other publicly accessible sources.

Thus, the entities in question consist in companies, individual entrepreneurs and/or natural persons; the information provided in their regard includes the so-called "management tasks/positions", i.e. "any office and/or executive role mentioned in the registers held by Chambers of Commerce", as well as equity interests; protested bills of exchange; prejudicial information held by Land Registries; etc.. Additionally, the indexes referred to above are also developed, which allow inferring their "business reliability" in the light of the relevant public events taken into consideration. However, the information gathered by the company also applies to "natural persons carrying out no business activities, e.g. as for an individual that had issued protested bills of exchange and/or in whose respect prejudicial information has been recorded in a Land Register" as well as to "private individuals" including "natural persons that are no longer in office and/or do not discharge management tasks".

In terms of figures, "there are about 5 million businesses and about 8 million natural persons" in Cerved´s databases.

3. Personal Data Protection Principles and Information Concerning the Target Entity of A Dossier/Report by Cerved
3.1. Based on the available information, the processing operations performed by Cerved – except for the processing of personal data taken from electoral rolls (see point 7 below) or from the tax returns disclosed in 2008 by Italy´s Revenue Office (see point 8 below) – are to be regarded as lawful subject to such adjustments as might prove necessary in pursuance of the (future) codes of practice provided for in sections 61, 118 and 119 of the DP Code. More specifically, the processing is lawful to the extent it concerns information taken from public registers, which may be used without the data subjects´ consent under section 24(1)c. of the DP Code. However, when processing such information Cerved must comply with the principles set forth in section 11 of the DP Code – whereby personal data must be processed lawfully and fairly for purposes that are not incompatible with those for which they have been collected, and must be accurate, complete, relevant and not excessive.

It is unquestionable that the data protection principles intended to safeguard individuals´ privacy, personal identity and dignity apply in full to the business information industry as well.

3.2. The records on file and the findings of the inspections performed by the DPA have shown that Cerved – when providing information-oriented services about a given entity – aggregates information items that may relate to other natural or legal persons.

Aggregating such information is lawful under the aforementioned data protection principles, by having also regard to the "personal data" definition as per section 4(1)b. of the DP Code, to the extent the information in question is a personal data "related" to the entities that are the subject of the given information-oriented product. That is to say, the information contained in a dossier on a given entity must either relate directly to the said entity or concern events and circumstances that may impact on the entity in question, from the standpoint of business reliability, by taking account of the existing legal framework (see also Opinion 4/2007 by the Article 29 Working Party – WP 136 – on the concept of personal data, dated 20 June 2007).

For instance, in pursuing the information-oriented purposes concerning natural persons (via the so-called "personal report/dossier"), Cerved may lawfully disclose equity interests, tasks and/or positions applying to the given individual (insofar as they are taken from publicly available sources) by also reporting summary information on the companies where the individual in question was employed – exactly because the personal data at issue can be related to the given individual (data subject) and are relevant and not excessive vis-à-vis the information-oriented purposes that are lawfully pursued by Cerved.

By the same token, it is lawful to process information on board members, corporate officials and/or other positions as taken from public sources and/or on the (prejudicial) events involving the given company when providing information-oriented services with regard to corporate entities (e.g. via the "corporate report/dossier"), since the information in question is related to the entity (i.e. the company) that is the subject of the information-oriented service.

4. Personal Data Protection Principles and Information Related to Entities Other than the Target Entity of a Report/Dossier by Cerved
4.1. The personal data contained in a report/dossier are more than just a copy of the information taken from public sources that is related directly to the given entity. Indeed, Cerved matches the personal information concerning the given entity with events relating to third party bodies/organisations that employed the said entity and/or where that entity held specific offices; for instance, the "personal dossiers" include information related to bankruptcy and/or winding-up proceedings affecting the so-called "related companies". That is to say, Cerved links up a given individual with  information that does not relate directly to that individual.

Furthermore, this additional information, where it refers to negative events – typically, bankruptcy proceedings – is highlighted in red (unlike the remainder), reported in full within the dossier and flagged in the very heading of the given dossier by wording such as "proceedings concerning related companies" (as for the "personal report/dossier") and "previous proceedings concerning companies related to individual subjects" (as for the "corporate report/dossier).

4.2. The matching with such additional information that relates to entities other than the target data subject should be evaluated carefully in the light of personal data protection principles – with particular regard to fairness, purpose specification, and relevance (see section 11 of the DP Code).

Indeed, when offering their customers services that rely on the said matching, Cerved is doing something more than merely disseminating information that is already publicly available pursuant to the publicity requirements applying to the public registers Cerved draws upon in building up their databases (as described above). This activity places the information in question in one and the same context and, given the graphics that are used, sheds a (partly) negative light, albeit indirectly, on the given target entity – whilst such negative elements relate to third parties. This is all the more evident if one considers the information products that also contain summary judgments; such judgments are pieced together by also relying on data concerning entities other than the one that is being reported on (see point 5 below).

4.3. Generally speaking, it is neither fair nor relevant to link up a given entity – be it a natural or a legal person or else a partnership without legal personality that is nevertheless covered by the legal system – with information related to another entity in order to gauge whether the former entity is commercially sound and reliable.

Accordingly, the information related to an event that involved a given company may not be associated directly and immediately with that on individuals that worked and/or held offices in that company – considering, moreover, that the information in question can be retrieved at any time, also via the "corporate dossier" concerning the company at issue – exactly because one has to do with different, separate entities. This is without prejudice to the possibility of blaming the given event on the target individual  based on factual evidence as well as to the liability for the specific event that is vested in the given individual under the law. Reference can be made in this regard to bankruptcy proceedings concerning a general partnership, which produce immediate effects on all partners under section 2291 of Italy´s Civil Code; in this case, it is justified to mention, in the personal dossier, the information in question as related to the partnership. A similar consideration can be made in respect of the general partners in a limited partnership company under sections 2313 and 2318 of Italy´s Civil Code. Conversely, it would be misleading to link up the information on the given individual with the winding up proceedings involving the public company where the said individual used to work and/or held offices or whose shares or interests that individual is currently holding.

4.4. The above considerations obtain not only because the information linked with the given entity is not "related" to the latter – and accordingly it may not be regarded as "personal" information related to the entity in question – but also because the processing operations at issue, given the specific arrangements implemented in their regard (as described above), can affect the social and professional image of the target entity by establishing a link between such entity and a (prejudicial) event – such as a winding-up proceeding – that does not concern the said entity directly. This can affect the entity´s standing in particular as for business relationships.

The processing operations mentioned above are also liable to infringe the target entities´ right to identity (see section 2 of the DP Code) – meaning everyone´s right "not to be disregarded as the makers of their own decisions, […] and, above all, not to be regarded as responsible for the decisions made by others, i.e. not to have their own personal identity misconstrued." (see the well-known decision dated 6 May 1974 by the Rome´s Pretura as published in Foro Italiano, 1974, I, 1806).

Indeed, the information matching performed by Cerved is liable to shed a negative light on the entity the information is ultimately traced back to, given the mechanisms of such matching. This might accordingly infringe the data subject´s legally protected right "to be represented in personal relationships according to their true identity in the way such identity was or could have been known under the given societal, general and specific circumstances if the standards of diligence and good faith had been applied". The underlying risk is that, by associating "elements or events that are alien" to the given entity, one will harm (i.e. alter or mishandle) "that entity´s social profile" (see judgment by Italy´s Court of Cassation dated 22 June 1985, and the decision dated 3 February 1994 by Italy´s Constitutional Court).

These considerations also apply to the case at issue, given that the matching described above can result into misinterpreting the data subject´s features and professional and entrepreneurial qualifications and can thereby jeopardise the data subject´s business reliability (or creditworthiness) – whilst there is no proof that the facts at issue can be traced back to the said data subject.

Therefore, in order to bring the processing into line with data protection principles, Cerved is required under section 154(1)c. of the DP Code to take such measures as are both necessary and appropriate to safeguard data subjects´ rights – here, the target entities – by preventing information that cannot be related directly to the given data subject, as it has to do with events concerning other entities, from being linked up with the said data subject in one and the same context. This is without prejudice to the case where liability for the given event can be traced back to the target entity based on substantiated evidence, or where liability for the given event is vested in the said target entity under the law.

5. Data Protection Principles and the Assessment Contained in the Dossiers by Cerved
5.1. In certain cases, the services offered by the company are not limited to providing and/or aggregating information items that are already publicly available; as said, they consist in providing  summary judgments – grouped into three sets: "low/nil"; "medium"; and "high" – in respect of certain natural persons (who are specified by Cerved and termed "leading office holders") and businesses. Such judgments are liable to impact considerably on the social and business standing of the said individuals and/or businesses.

The summary judgments in question were introduced in 2005 "following the limitations placed on re-use of Registry data by the 2004 Budget Act"; they are currently reflected in the RSFI index (historical relevance of insolvency events) as for businesses, and the ISEPR index (historical index of relevant public events) as for natural persons, respectively – except for those persons who "do not carry out business" or else "are no longer in office and do not hold active management positions".

According to Cerved, the RSFI index is a "summary index – relying exclusively on the processing of data taken from public registers – to signify how relevant the given prejudicial events are to the target business and/or individual".

In developing this index as well as the index currently called "ISEPR" (which, according to Cerved, is a "data summarising the items contained in the dossier and does not entail any evaluation"), Cerved takes into account "information from three macro-areas – namely, protested bills of exchange; prejudicial information contained in Registries; prior bankruptcy proceedings and bankruptcy proceedings affecting related businesses." This information is then subjected to "specific adjustments such as amount of the default, nature of the event (…) office held in a wound-up company, interest held in that company, etc."; in case of protested bills of exchange, account is taken of "the amount outstanding, the date of the given event, etc.".

Cerved further clarified that "in calculating the RSFI index, which features in the so-called corporate dossier, … account is taken not only of protested bills of exchange, prejudicial information contained in Registries, and bankruptcy proceedings concerning the target company, but also of the personal data related to individuals/partners in the given company (e.g. managers)". However, "only management offices coupled with specific responsibilities are relevant in view of developing the said indexes". Indeed, the company "draws a distinction between management offices/positions depending on whether they entail liability for negative events (such as bankruptcy/winding-up proceedings) affecting the company – e.g. in the case of a manager or executive – or else do not entail such liability – e.g. in the case of a receiver in bankruptcy. A further distinction applies to supervisory offices such as those of company auditors".

5.2. Given the above circumstances, it should be considered that the indexes in question – contrary to the company´s statements – do not consist merely in a summary of personal data related to the target entities as taken from public registries; in fact, they are self-standing evaluations developed directly by the company with the help of computerised procedures, which allocate different weights to the individual items of information (protested bills of exchange, registry data) based on own standards that are not publicly available.

This being the case, the indexes in question are separate personal data and have nothing to do with the "initial" information taken from public sources. Processing of these data – unlike what is the case with publicly available information – requires the data subjects´ consent under section 23 of the DP Code; alternatively, any of the other preconditions should be fulfilled as set forth in section 24 of the DP Code.

Therefore, the processing in question may only be performed with the data subjects´ (i.e. the target entities´) consent – subject to the company´s liability for breaches of the target entities´ rights under section 15 of the DP Code; alternatively, if no consent is available, the processing is permitted if it concerns data related to the performance of business activities (see sections 23 and 24(1)d. of the DP Code).

This prevents such summary indexes from being processed within the framework of the "personal dossiers" as for the individuals who, though considered by the company to be "leading office holders", do not carry out business activities in a professional capacity and have not consented to the said processing.

5.3. Additionally, the records on file clearly show that the items impacting on the weighting of the indexes – both the RFSI and the ISEPR – do not relate exclusively to the target entities as they also involve third parties.

As regards the creation of "personal dossiers", the items considered and weight-adjusted by the company in order to develop the summary evaluation do not relate only to facts that concern directly the target entity – such as the existence of protested bills of exchange and prejudicial information contained in Registries, even though the negative impact of the latter events might have to do with highly private circumstances concerning a given natural person that would have no bearing on that person´s business performance. Indeed, the items in question include events (whether negative or positive) that concern the so-called "related companies". From this standpoint, the processing performed to develop the said summary indexes is in breach of fairness, relevance and non-excessiveness principles – on the grounds specified in points 4.3 and 5.4 – and violates the right to personal identity because a judgment is passed on a given individual by relying on events that concern a different, separate entity (see sections 2 and 11 of the DP Code). This is done in the absence of any proof as to the actual contribution the target individual has given to the bad management (and the possibly resulting bankruptcy) of the "related company" – it is as if a sort of "position-based liability" were postulated, which is utterly unsubstantiated according to our legal system (see, for instance, section 2392 et seq. of Italy´s Civil Code).

Similarly, the items considered and weight-adjusted by Cerved concerning "corporate dossiers" in order to develop the summary evaluation do not relate only to facts that concern directly the target company; indeed, several events (whether positive or negative) are taken into account that relate to other entities such as current or past executives and partners – in which case account is also taken of the existence of protested bills of exchange and/or prejudicial information contained in Registries that is in no way related to the activities performed for the target company, whilst attention is also paid in some cases to exclusively personal circumstances. Additionally, consideration is also given to past bankruptcy proceedings and/or proceedings affecting "related" companies – whereby "this wording is unrelated to the definition contained in the Civil Code, as it … refers to any company other than the target one in which any leading office holder discharges/discharged certain tasks".

In the light of the above circumstances, the processing of personal data is unfair, excessive and irrelevant (under section 11(1)d. of the DP Code) as well as being liable to shed a negative light onto the target company. The latter is actually linked up with events related to third parties who, on different grounds, work for and/or hold offices in the said company – whilst in other cases such third parties are utterly alien to the company as they are no longer employed by the latter. This link, which might have to do with personal circumstances of the individual entities and be accordingly irrelevant to the company´s business, is arbitrarily used to gauge the target company´s business reliability and creditworthiness.

Based on the above considerations, in order to bring the processing into line with personal data protection principles, Cerved is hereby prohibited – under section 154(1)d. of the Code – from further using information that is irrelevant and anyhow not directly related to the target entities in developing the aforementioned summary indexes, since the said information relates to events that have to do with other entities and are such as to infringe the target entities´ right to personal identity.

5.4. Concerning use of the "low/nil" wording – subject to the above considerations – the company´s representatives stated that it was introduced in 2005 along with the RSFI index "because of the especially cumbersome nature (in those days) of the inquiries leading to the exclusion of prejudicial items" with regard to "the cases where, since no or minor prejudicial events could be established, it was considered that providing Registry data was not cost-effective because of the expenses incurred for the so-called "re-use".

In this connection, it should be pointed out that – partly on account of the regulatory amendments brought about via the 2007 Budget Act as for the re-use of public data for commercial purposes – the wording used by Cerved is inappropriate, since two adjectives are used in the same context, whilst those adjectives are not synonymous and do not allow – where used jointly – to clearly and unambiguously appreciate the allegedly relevant public events that relate to the target entity as claimed by the company.

Indeed, the wording in question does not allow realizing whether the index is "low" or  "nil". It should be considered that, based on the information the company relies upon in developing the index, the "nil" rate is by necessity other than the "low" rate and should be notified to customers accordingly, i.e. consistently with the underlying items.

In the light of the above considerations, Cerved is hereby ordered under section 154(1)c. of the DP Code to take any and all measures that are necessary as well as appropriate to safeguard data subjects´ rights in order to draw a distinction between the cases where, based on the available elements, no prejudicial items are found to relate to the target entity (in which case the "nil" rate is applicable) and the cases where the business reliability rate is set on "low".

6. Data Concerning the Queries Performed on a Target Entity over the Past Six Months
6.1. The investigations in question led our DPA to also find that the dossiers developed by Cerved include information on the number of queries performed on the given entity over the past six months as well as on the entities (categories) that requested such information.

Based on the statements made by the company, "this information is included as it may be commercially appealing". "No consent is obtained from the individual data subjects because the information relates to business activities under the terms of section 24 of the DP Code".

6.2. Again, there is no proof under section 11 of the DP Code that the information in question is relevant to the purposes sought by Cerved. In fact, disclosure of such information can shed light indirectly on the target entity´s  business strategies and/or loan applications – e.g. if it is found that banking institutions have performed several queries on that entity´s dossier in a short time span.

Additionally, the personal data related to frequency of the queries – which is held only by Cerved and for whose disclosure no consent has been obtained by Cerved as required by section 23 of the DP Code – is not publicly available nor does it concern the target entity´s business activities (under the terms of section 24(1)d. of the DP Code). Indeed, the data in question is the outcome of the queries performed by other entities; such queries fall beyond the target entity´s control; and, finally,  the data does not consist in the business activity carried out by the said target entity.

Based on the above considerations, Cerved is hereby prohibited under section 154(1)d. of the DP Code from further providing their customers with data related to the number of queries performed in respect of the dossier on a given target entity.

7. Data Taken from Electoral Rolls
7.1. Cerved also was found to process personal data taken from electoral rolls. Cerved stated that they complied with the requirements made in section 177(5) of the DP Code since the processing was aimed, in particular, at achieving a public interest that consisted allegedly in ensuring the transparency of business relationships and transactions.

According to Cerved, this purpose could only be achieved by relying on several public sources "to cope with the current shortcomings of the computerised Register of protested bills of exchange" in order to ensure that "accurate links can be established between protested bills of exchange and the respective protested drawers, via a list of surnames giving the frequency of a given surname in a certain area." (…) More specifically, the data taken from electoral rolls "are used to perform checks against the other data contained in the Cerved database (especially if no Tax ID data are available) so as to identify a given entity as accurately as possible".

7.2. It should be pointed out that the data taken from electoral rolls are used by Cerved for purposes other than those set out in the law – see section 51(5) of Presidential decree no. 223 dated 20 March 1967 (as amended by section 177(5) of the DP Code), whereby "electoral rolls may be provided in copy in order to implement the provisions concerning elections, for purposes of study, for statistical, scientific and/or historical researches, or else for purposes related to social welfare and/or in order to achieve a public interest".

This clearly prevents the information in question from being used for purposes other than those that are expressly set out in the law on a mandatory basis – which is the case of the processing performed by Cerved, allegedly aimed at checking consistency of the data they process when delivering the relevant services.

Processing the personal data at issue as taken from electoral rolls for the said "corporate" purposes is therefore in breach of the lawfulness principle (see section 11 of the DP Code) and is accordingly to be prohibited under section 154(1)d. of the DP Code.

8. Processing of Personal Data Taken from Tax Returns As Published by Italy´s Revenue Office
8.1. Representatives from the company stated in the course of the inquiries that "following publication of tax returns data on the Revenue Office´s website, we had started acquiring the data in question. This activity was not finalised throughout Italy because the service in question was suspended." It was also clarified that "following the decision issued by the Italian DPA, which found the processing in question to be unlawful, the data were not incorporated into the databases made available to customers, even though they are currently stored in the company´s databases".ù

8.2. We have already addressed this issue and found that the processing of such data by the Revenue Office was in breach of the law; accordingly, the processed data were declared to be unusable (as per section 11(2) of the DP Code). The Italian DPA also ordered that "whoever obtained the taxpayers´ data, albeit indirectly, from the website in question may not disseminate such data further on account of the DPA´s having found such processing to be unlawful." The Italian DPA pointed out that "disseminating the data further, in particular via electronic networks and/or computerised media, is in breach of the law and is punishable as a criminal offence under given circumstances (see section 11(1)a. and sections 2, 13, 23, 24, 161 and 167 of the DP Code)".

In the light of the above considerations (…) Cerved is hereby prohibited, under section 154(1)d. of the DP Code, from further processing the personal data related to taxpayers´ returns as submitted for 2005 and stored following their publication by Italy´s Revenue Office; additionally, Cerved is ordered hereby to erase the said data without delay and notify erasure to the Italian DPA by no later than February 2nd, 2009.

9. Deadline for Compliance
Considering the requirements to be met and the rights vested in data subjects, it is appropriate and necessary for Cerved to comply with the applicable provisions by no later than February 2nd, 2009 and notify compliance to the Italian DPA on a documentary basis.

NOW, THEREFORE, THE ITALIAN DATA PROTECTION AUTHORITY:

1. Orders Cerved Business Information S.p.A., under section 154(1)c. of the DP Code, to take any and all measures that are necessary as well as appropriate to safeguard data subjects in order to:

a. prevent information that cannot be related directly to the given data subject, as it has to do with events concerning other entities, from being linked up with the said data subject. This is without prejudice to the case where liability for the given event can be traced back to the target entity based on substantiated evidence, or where liability for the given event is vested directly in the said target entity under the law (point 4.4);

b. draw a distinction between the cases where, based on the available elements, no prejudicial items are found to relate to the target entity (in which case a "nil" rate is applicable) and the cases where the business reliability rate is set on "low" (point 5.4);

2. Prohibits Cerved Business Information S.p.A., under section 154(1)d. of the DP Code,

a. From using information that is irrelevant and anyhow not directly related to the target entities in developing the aforementioned summary indexes, since the said information relates to events that have to do with other entities and is such as to infringe the target entities´ right to personal identity (points 5.3 and 4.4.);

b. From providing their customers with data related to the number of queries performed in respect of the dossier on a given target entity (point 6.2);

c. From processing the data taken from electoral rolls in order to perform consistency checks when providing their services (point 7.2);

d. From processing the personal data related to taxpayers´ returns as submitted for 2005 and stored following their publication by Italy´s Revenue Office; additionally, Cerved is ordered hereby to erase the said data without delay (point 8.2);

3. Requires Cerved Business Information S.p.A. to provide detailed information to the Italian DPA by February 2nd, 2009 on the measures taken to bring their processing operations into line with the provisions set forth herein by also making available any and all data that may be helpful in this regard.

Done in Rome, this 30th day of the month of October 2008

THE PRESIDENT
Pizzetti

THE RAPPORTEUR
Pizzetti

THE SECRETARY GENERAL
Buttarelli