Clubhouse fined EUR 2 million by the Italian SA

20 January 2023

Background information

  • Date of final decision: 6 October 2022
  • National case, Article 3(2) applies
  • Controller: Alpha Exploration Co. Inc. (Clubhouse)
  • Legal Reference: Principles relating to processing of personal data (Article 5(1)(a)(e); Lawfulness of processing (Article 6); Conditions for consent (Article 7); Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12); Information to be provided where personal data are collected from the data subject (Article 13); Information to be provided where personal data have not been obtained from the data subject (Article 14); Representatives of controllers not established in the Union (Article 27); Data protection impact assessment (Article 35)            
  • Decision: Infringement of the GDPR, Administrative fine, Ban on processing, Order to comply
  • Key words: Social network, Vocal chats, Jurisdiction under EU law, Representative in the EU, DPIA

 

Summary of the Decision

 

Origin of the case

The proceeding originated from an Italian SA’s own volition inquiry following press reports and an alert lodged by a consumer association on several data protection issues relating to Clubhouse, a social media platform provided by the USA-based company Alpha Exploration Inc.

 

Key Findings

The inquiry and the assessment by the Italian SA found several infringements: processing of personal data in violation of lawfulness, transparency and storage limitation principles; infringement of Articles 6 and 7 GDPR; failure to provide the information set out by Articles 13 and 14 or provision of incomplete, unclear, non-transparent and unintelligible information; failure to designate a representative in the EU in breach of Article 27(4); failure to carry out a DPIA with regard to  processing operations for profiling purposes.

 

Decision

The Italian SA imposed a fine amounting to EUR 2 million.

Additionally, the Italian SA imposed a ban on any further processing operations of personal data for direct marketing and profiling purposes and ordered the controller to bring processing operations into compliance with the GDPR as for the transparency-related infringements - by listing a number of specific measures - and the DPIA-related obligations.

 

For further information: decision in national language Ordinanza ingiunzione nei confronti di Alpha Exploration Co. Inc. - 6 ottobre 2022

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.