IBAN: Cassation, communication may constitute a violation of privacy.


The apartment of Mr. M.F. and Mr. C.A. was affected by water infiltration originating from the apartment of Mr. D.B.M. The latter, benefiting from insurance cover, requested the intervention of INA Assitalia (then Generali Italia), which settled the damage out of court. At the request of the insured, Generali sent him a press release from the company’s internal information system as well as an act of liquidation, which indicated the bank details of the insured, details acquired by the expert himself in the course of the procedure opened for the coverage of the claim.

These documents were presented at the subsequent meeting of the condominium owners and annexed to the minutes of the meeting. Mr. M. and Mr. C. complained that their personal data had become public knowledge without any valid reason or justification.

When their claim was rejected by the Court of Rome, they appealed to the Court of Cassation.

The Supreme Court, with order no. 4475/2021, upheld the claimants' appeal on the basis of a linear (and logical) factual element. As for providing proof of having compensated the damage, as requested by the insured, “it cannot in any way subsume also the dissemination of the banking coordinates of the compensated persons”, since this processing of the data is neither functional to the purpose for which the data were collected nor necessary to fulfil the request.

In the case in question, the personal data unlawfully communicated consist of the bank details of an injured party. It is well known to operators and experts in the sector that bank details constitute personal data (on this point, among other proceedings, see Data Protection Authority, decision of 21 April 2018, no. 231, and Court of Ragusa, judgment of 31-01-2019).

The Supreme Court reiterates that proving the fulfilment of a contractual obligation cannot be detrimental to the confidentiality and protection of third parties in accordance with the so-called principles of proportionality, relevance and non-excessiveness.

In this context, it makes no sense to argue that, as it is a matter of compliance with contractual obligations, consent is not necessary for such processing. On this point, the judgment specifies that “the insurance contract whose performance is in dispute did not have the present plaintiffs as contracting parties”, being at most applicable to their own insured parties. The injured party was a third party to the insurance contract.

The Court therefore refers first of all to the principle of correctness as a general principle of social solidarity, on the basis of which, also in the area of non-contractual liability, there is an obligation to behave fairly, which was clearly lacking in this case.

In particular, collecting the data of the data subject (in this case the injured party’s bank details) and communicating them to the insurer's client in order to prove that the damage has been compensated infringes the principles of fairness and minimisation, in particular the relevance and limitation of the processing to the purposes for which the data were collected. On the contrary, “it would have been sufficient to send D.B. a communication acknowledging that the damage had been reimbursed, as is customary for companies, and/or, at most, to give him the receipt after having duly obscured the information on the personal data that cannot be disclosed in accordance with privacy legislation”.

