DATA PROTECTION
Supreme Court of Cassation: there is a profiling even if data are not linked to a single individual.
The Italian Supreme Court ("Corte di Cassazione") has recently confirmed that the use of an algorithm implies profiling even if personal data (i) are not actually stored by the data controller and (ii) cannot be linked with the single customer (judgment No. 32411/2021).
The case takes steps from an old (and repealed) regulatory framework, which required data controllers to notify the #GarantePrivacy about any processing activities carried out through electronic means, aimed at defining the profile and personality of individuals, or to analyse their habits and choices, or to monitor their use of electronic communications services (Article 37(1)(d) – now repealed - of the Italian Data protection Code).
Before the #GDPR, the Italian legal framework did not provide for a specific definition of “profiling” – only the general resolution issued by the #Garante on March 19, 2015 provided for a sort of definition of profiling, mainly focused on the processing of personal data for purposes of online profiling activities (definition that, as also stressed by the Italian Supreme Court, was different from the law provision referred to in the above mentioned Article 37(1)(d) of the Italian Data Protection Code).
That being said, in general terms the case at stake and the decision of the Corte di Cassazione do not seem to be actually “innovative” with regard to the processing of customers’ personal data for profiling purposes.
Notwithstanding to the above, I think that it should be instead interesting to focus the attention on the declaration of the Italian Supreme Court concerning the use of an algorithm for profiling purposes, although personal data (i) are not actually stored by the data controller and (ii) cannot be linked with the single customer.
In other words, by confirming the ruling of the Tribunale di Livorno, the Italian Supreme Court said that the processing of personal data through an algorithm to analyse or predict specific customers’ needs must be deemed as a profiling activity, although personal data are not directly traceable to the single individual or stored by the controller.
The case takes steps from an old (and repealed) regulatory framework, which required data controllers to notify the #GarantePrivacy about any processing activities carried out through electronic means, aimed at defining the profile and personality of individuals, or to analyse their habits and choices, or to monitor their use of electronic communications services (Article 37(1)(d) – now repealed - of the Italian Data protection Code).
Before the #GDPR, the Italian legal framework did not provide for a specific definition of “profiling” – only the general resolution issued by the #Garante on March 19, 2015 provided for a sort of definition of profiling, mainly focused on the processing of personal data for purposes of online profiling activities (definition that, as also stressed by the Italian Supreme Court, was different from the law provision referred to in the above mentioned Article 37(1)(d) of the Italian Data Protection Code).
That being said, in general terms the case at stake and the decision of the Corte di Cassazione do not seem to be actually “innovative” with regard to the processing of customers’ personal data for profiling purposes.
Notwithstanding to the above, I think that it should be instead interesting to focus the attention on the declaration of the Italian Supreme Court concerning the use of an algorithm for profiling purposes, although personal data (i) are not actually stored by the data controller and (ii) cannot be linked with the single customer.
In other words, by confirming the ruling of the Tribunale di Livorno, the Italian Supreme Court said that the processing of personal data through an algorithm to analyse or predict specific customers’ needs must be deemed as a profiling activity, although personal data are not directly traceable to the single individual or stored by the controller.
