


Asset Investigations and Web Scraping: lessons from the CEREBRO Case for Businesses


published on 22 September 2025 | reading time approx. 5 minutes


In its decision on the 4th of August 2025, the Italian Data Protection Authority (the “Garante per la Protezione dei Dati Personali”) issued a favourable opinion on the Data Protection Impact Assessment (DPIA) relating to CEREBRO, the “System for Data Analysis and Processing in Support of Asset Investigations” developed by the Ministry of the Interior – Department of Public Security.


This proceeding originated from the request for prior consultation submitted by the Ministry of the Interior concerning a DPIA relating to the CEREBRO system.

The CEREBRO platform, in particular, constitutes a centralized investigative tool, designed to identify and deprive criminal organisations of unlawfully obtained assets. The platform operates primarily through two methods: the acquisition of data from “external” institutional sources and the processing of such data, combined with manually entered information, in order to identify financial and asset holdings deemed “disproportionate” and potentially linked to illicit activities.

Following the submission of the aforementioned request, the Authority, while recognising the objective of preventing and prosecuting criminal offences, requested clarifications on certain critical aspects with a view to perfecting the Impact Assessment.

The main concerns related to:
  • the ambiguity of the term “web scraping,” employed in the DPIA to describe the method of data acquisition. This expression could be understood as referring to the mass and indiscriminate collection of personal data from the web, an activity that is generally considered unlawful under data protection law because it is conducted without verification of the accuracy of the information acquired;
  • the lack of adequate measures to guarantee the exercise of data subjects’ rights, bearing in mind the possibility that the system could rely on an “automated decision-making process,” an aspect that entails specific risks and requires the implementation of appropriate safeguards under data protection law.

The Department of Public Security therefore submitted an updated version of the DPIA, addressing the Authority’s concerns and clarifying that the term “web scraping”, in this case, does not refer to mass and indiscriminate collection of personal data from the internet, but rather to a targeted extraction of information from specific authorised institutional databases, to which only authorised law enforcement officers have access. The accuracy of the data is ensured through human verification of the extracted information, and it was specified that, as soon as feasible, alternative modalities based on application-to-application cooperation would be adopted to further safeguard data subjects. Indeed, the use of targeted extraction techniques (“web scraping”) was described as the only currently available method to automatically acquire information necessary for asset investigations from certain specific institutional databases.

Moreover, the identification of individuals subject to investigation occurs only following a preliminary investigative phase, carried out under the direction of the competent authority or judicial authority, during which indicators of “disproportionate” economic and financial resources must emerge. It was also established that a data protection notice would be published on the institutional website of the State Police, containing all the information required under Articles 13 and 14 GDPR, together with a point of contact for the exercise of data subjects’ rights. Finally, it was reiterated that reports generated by CEREBRO serve merely as investigative support tools and do not produce any direct adverse legal effects on the data subject, since judicial measures are adopted only following adversarial proceedings involving the defence of the individual, thereby ensuring the primacy of human intervention.

The Authority’s inquiry focused on the analysis of the legal basis chosen for the processing activities, in compliance with Article 6 GDPR, and concluded that the legislative sources identified by the Ministry were suitable to legitimise the processing of personal data.

The Authority also clarified that the uptake of new technologies and the nature of the processing nonetheless presented a high risk for the rights and freedoms of data subjects, such that the prior consultation of the Authority was indeed necessary.

Equally central to the analysis were the essential principles of transparency and protection of the fundamental rights and freedoms of data subjects: on the one hand, the Ministry undertook to publish a detailed data protection notice on the processing activities; on the other hand, the assurance that the CEREBRO system produced only investigative support reports and that any legally binding decision required an additional procedural phase with human intervention in adversarial proceedings dispelled concerns regarding the risk of significant consequences for data subjects arising from decisions based solely on automated processing.

The Authority further held that the principle of storage limitation had been respected through the identification of a maximum retention period. Indeed, the “closure of the digital file” coincides with the “cessation of the specific and concrete need” justifying the collection and analysis of the data, and once the maximum period of 10 years has elapsed, the system automatically deletes the data, ensuring that the information is not retained longer than necessary.

Accordingly, the final decision of the Authority, expressed in its order of 4 August 2025, was to issue a favourable opinion on the DPIA concerning the CEREBRO system.

In conclusion, although this case demonstrates how public authorities may resort to tools such as CEREBRO for investigative and law enforcement purposes, the Authority’s decision also offers valuable insights for private undertakings wishing to adopt similar tools for asset investigation purposes. In particular:
  1. Clear and documented legal basis: companies, unlike law enforcement authorities, cannot rely on the legal bases available to police bodies. They must instead identify a lawful ground among those listed in Article 6 GDPR, supported by a properly documented risk assessment and, in high-risk cases, a DPIA.
  2. No mass or indiscriminate scraping: indiscriminate collections from websites or social networks are likely to be unlawful. Companies must restrict themselves to genuinely accessible and relevant institutional sources (e.g. commercial information systems and authorised databases).
  3. Accuracy and updating of data: information acquired must be verified against official sources or subject to human checks, so as to prevent obsolete or inaccurate data from producing prejudicial effects.
  4. Transparency and notices: it is advisable to prepare clear and accessible general notices on the asset investigation activities carried out.
  5. Storage limitation: data cannot be retained indefinitely. Specific and documented retention periods must be set, linked to the concrete purpose pursued (e.g. until the closure of a debt recovery procedure or termination of a contractual relationship, taking into account applicable statutes of limitation).
  6. Avoid automated decision-making: analytical tools must serve a supporting function and not entirely replace human assessment. Any automated choice with legal effects on the counterparty (e.g. initiating legal proceedings, blocking commercial relations) must always be subject to informed human intervention.
  7. Involve the DPO and legal counsel: given the regulatory complexity, it is best practice to involve the Data Protection Officer and specialised legal counsel to safeguard data subjects’ rights, structure processes, draft clear notices, and implement security measures in compliance with data protection law.


Authors:
Martina Ortillo - Associate Partner
Vanessa Cunico - Intern
