On March 10, Italy’s data protection authority, Il Garante per la protezione dei dati personali (the “Garante”), announced that it had ordered fines totaling more than €11 million on five companies operating in the money transfers sector for breach of Italian data protection law. The sanctions have been described as the largest privacy fines ever imposed in the European Union.
The Garante’s review grew out of an investigation by the Guardia di Financia, Italy’s financial police, of potential money-laundering violations by UK-based Sigue Global Service Limited (“Sigue”) and four companies operating as its agents in Italy, in connection with more than € 1 billion in money remittances to China. According to the Garante, in order to enable their customers to evade money laundering controls and avoid being associated with the transfers, the companies concerned engaged in fractionation (i.e., dividing transfers to the same recipient into multiple, successive operations, each below money-laundering thresholds) and attributed the transfers to persons other than the actual senders, in some cases deceased or non-existent persons.
The Garante’s intervention in the matter was grounded on the false attribution of senders. In a series of five orders dated February 2, 2017, the Garante found that the attribution of the money transfers to persons who had not provided consent was a violation of the Italian Data Protection Code, which requires consent or another legal basis for processing of personal data. In view of the seriousness of the violations, the number of persons concerned, and the importance of the database involved, the Garante imposed a fine of €5,880,000 on Sigue and fines of €1,590,000, €1,430,000, €1,260,000 and €850,000, respectively, on the other four companies, for a total amount of sanctions of over €11 million.
The Garante’s press release (in Italian), which includes links to the five sanctions orders, may be consulted here.