Garante per la protezione dei dati personali (Italy) - 9776444

From GDPRhub
Garante per la protezione dei dati personali - 9776444
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(b) GDPR
Article 6(1)(c) GDPR
Article 9(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 28.04.2022
Published:
Fine: 1000 EUR
Parties: Educationest s.r.l.
National Case Number/Name: 9776444
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT) (in IT)
Initial Contributor: Carloc

The Italian DPA held that the controller had no legal ground to inform the parents of the children enrolled in a private nursery school about the pregnancy of a teacher. The DPA also held that this was a violation of the principles of lawfulness and data minimization.

English Summary[edit | edit source]

Facts[edit | edit source]

On 15 February 2021, the Italian DPA received a complaint about unlawful communication of personal data by a controller to third parties. The controller is private nursery school Educationest s.r.l. The data-subject is a teacher at this school.

The private nursery school emailed a group of parents of the children enrolled in the school about the prolonged absence of a teacher. In doing so, the school informed the parents that the teacher was on pregnancy leave. The school did not inform the teacher that it disclosed her pregnancy to the parents. The school claimed that the processing of personal data was lawful based on Articles 6(c) and 9(2)(b). The school did not specify the source of the legal obligation under Article 6(1)(c) GDPR, nor the source of the obligations or of the specific rights of the controller or of the data subject under Article 9(2)(b).

Holding[edit | edit source]

The DPA found multiple violations of the GDPR. The DPA held that personal data was processed without a lawful ground as there was no legal obligation to disclose the pregnancy (Article 6(1)(c)). The DPA also held that the processing of personal data was a violation of the data minimization principle (Article 5(1)(c)) as it is also not necessary for its purpose, namely the execution of the employment relationship. The school was fined for €1000, taking into account the peculiar situation of the education sector during the pandemic.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Order injunction against Educationest s.r.l. - April 28, 2022

Record of measures
n. 152 of 28 April 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the complaint of February 15, 2021 submitted pursuant to art. 77 of the Regulation by Mrs. XX towards Educationest s.r.l .;

EXAMINED the documentation in deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

SPEAKER Attorney Guido Scorza;

WHEREAS

1. The complaint against the company and the preliminary investigation.

With a complaint dated February 15, 2021, submitted pursuant to art. 77 of the Regulation, regularized on June 14, 2021, Ms XX complained that Educationest s.r.l. (hereinafter, the company) would have carried out data processing in violation of the regulations on the protection of personal data, in relation to the communication to third parties of information relating to her state of pregnancy, carried out by sending an e-mail , on January 22, 2021, to the families of the children enrolled in the nursery school for whom the complainant was an educator. In particular, the complainant complained that this communication to the families, of which she accidentally learned the content having not been previously consulted or informed about it, violated her right to confidentiality relating to a personal status ascertained moreover a few days ago, so much so that her own family members had not yet been made aware of it.

The Office initiated proceedings with a note dated 21 September 2021, in which it asked the Company to provide information and clarifications on the facts of the complaint.

With a note dated 19 October 2021, in providing feedback to the Office's requests, the Company stated that:

to. in the context of a school, such as that managed by the company, which consists of a "small educational reality that welcomes children from nine months of age and that is structured as a family environment where the sharing of families and the school (in the figure of educators) is a founding value of the educational project ", once he learned from the complainant, via e-mail, that" the prolonged absence was not for assessments due to an illness, but to the happy event of a pregnancy [...] and given the pandemic period and the serious biological risk linked to her working role, it was clear to the school that the [complainant] would be absent for a long period without being able to say goodbye to the children ";

b. therefore "in order to respond to the incessant pressure of parents regarding the reasons for the [...] (clearly already noted) absence [of the complainant], the school in order to protect the reputation of the educator, who had had to leave the class abruptly and without greeting , acted in total good faith by communicating to the parents of the class concerned that the educator had entered maternity leave and that - as ours is a risky job - she had to leave the class immediately ";

c. at the same time, the company "communicated to the parents who it would replace [the complainant]";

d. with this communication to the parents "we also wanted to defend the educator herself from malice, rumors and suspicions that in a short time had begun to circulate";

And. the company acted "in absolute good faith in a period complicated by the spread of the pandemic";

f. "The legal basis of the processing is given by the combination of Art. 6, par. 1, lett. c) and Art. 9, par. 2, lett. b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ".

The Company has also attached a copy of the e-mails exchanged with the complainant as well as a "copy of the register of violations, adopted pursuant to Art. 33, par. 5, of Regulation (EU) 2016/679, duly completed on 25/05/2021 ".

On 9 February 2022 the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification of alleged violations of the Regulation found, with reference to Articles 5, par. 1, lett. a) and c) and 6, par. 1, lett. b) and c) of the Regulations.

On March 4, 2022, the company sent its defense writings in which it stated that:

to. "The recipients of the communication (the families concerned) belong to a small group of reliable subjects having a purely private interest and relating to the awareness of the integrity and respectability of persons with responsibility for their children" (see note 4.3.2022, p . 1);

b. "The duration of the alleged violation took place instantaneously and not continuously, condensed in the sending of a single e-mail message. The number of interested parties involved in the violation is equal to one, that is, of course, the only pregnant educator "(see cit. note, p. 1);

c. "The alleged violation appears devoid of any intentionality as it is dictated solely by the will, in good faith, to reassure the families concerned about the reasons for the prolonged absence of the educator (not due to COVID contagion, misfortunes, or abandonment of the Institute), in light of the delicate pandemic context of COVID-19, and to protect the latter from unfair judgments of little professionalism and little attachment to school reality. The legitimate need to give an account to the families of the reasons and the duration of the complainant's absence is not believed to have been satisfied by communicating information referring to the teacher other than the specific ones relating to her state of pregnancy "(see note cit., p. 1-2);

d. with reference to the measures adopted by the company to mitigate the effects of the violation "a first, essential, measure to mitigate the effects consisted in the management of the consequent investigation procedure, in order to avoid the" amplifying "effect of the private information subject to the disputed violation . The head of the School then wanted to personally contact the educator by telephone to explain the reasons for that communication and the underlying purposes "(see note cit., P. 2);

And. with regard to the obligations required by the regulations on the protection of personal data "the [...] School has equipped itself to comply with the legislation [...] for some time now convinced of the importance of primary and constant respect for fundamental rights." (see cit. note, p. 2);

f. in relation to the degree of cooperation with the Authority, the company believes "that it has done everything possible to mitigate the negative effects of the communication object of this proceeding, explaining to the educator, as well as to the Authority, the reasons for the [...] conduct in good faith "(see cit. note, p. 3);

g. as a further mitigating factor, society has represented that in a school the balance and relationship of trust that is established between administrative staff, educators, families and children is complex and delicate. It is essential to ensure maximum transparency and honesty and a constant flow of information and communications. The state of health of the children we take care of is considered of the utmost importance for their families especially in the pandemic period in light of the fact that they spend most of their day in a community where the opportunities to contract Covid 19 were and are major. As will be understood, the period in question (early 2021) was very delicate and tense for the school communities and the precariousness of communications at that juncture of the spread of the pandemic may have influenced our way of acting, trying to reconcile the needs of the teacher with those of the community of our children and their families anxious to be aware of every case of contagion, especially if it has arisen among teachers ”(see note cit., p. 4).

The Company has also attached the documentation relating to the obligations carried out in execution of the provisions of the regulations on the protection of personal data (copy of the Register of processing activities, of the information model and collection of consent from users of the services offered, of the Procedure for the management of complaints and other requests from interested parties, the Procedure for the notification and communication of the violation of personal data - Data breach, a model of the Deed of appointment as authorized to process personal data and the Regulations relating to the use of corporate and private IT tools for work purposes).

2. The outcome of the investigation and the procedure for the adoption of corrective measures.

2.1. Established facts and observations on the legislation on the protection of personal data relevant in this case.

Given that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents, is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the duties or the exercise of the powers of the Guarantor", following the outcome of the investigation it emerged that the Company, by e-mail dated January 22, 2021, communicated to the families of the children, already entrusted to the complainant as educator, that the latter had "entered maternity leave and, as required by the rules on labor law, had to immediately detach herself from her role as teacher as it was considered a high risk. […] The communication of her early maternity leave has reached us in these days ”.

This involved the processing, through communication to third parties unrelated to the employment relationship, of the complainant's personal data relating to her state of pregnancy and the need, for the same, to take time off from work, in consideration of the qualification of the role of teacher as " high risk position ".

On the basis of the regulations regarding the protection of personal data in the context of the private employment relationship, "common" personal data relating to employees can be processed by the data controller, ordinarily, only insofar as this is necessary to correctly execute the employment relationship or to implement provisions contained in laws, regulations, contracts and collective agreements (see articles 6, paragraph 1, letters b) and c) of the Regulations). In any case, the processing must comply with the general principles of lawfulness, correctness and minimization (see Article 5, paragraph 1, letter a) and c) of the Regulation).

2.3. Established violations.

The processing of the complainant's personal data carried out by the Company does not comply with the provisions referred to for the reasons indicated below.

By sending the aforementioned communication via e-mail to the families of the children enrolled in the nursery school, for whom the complainant acted as educator, the Company communicated to third parties information relating to a particular state of the complainant herself ( pregnancy), moreover without his knowledge, resulting in a violation of his right to privacy. In particular, the right of the interested party to determine their choices regarding the methods and times with which to disclose a state - having an eminently private nature - to third parties, unrelated to the employment relationship, in the context of which the information had been dutifully provided, however, at a still quite early stage of pregnancy, therefore subject to the possible incidence of negative or in any case risky events for its physiological evolution and conclusion.

The ascertained treatment is not among those necessary for the execution of the employment relationship in place between the Company and the complainant, at the time of the facts which are the subject of the complaint, nor for the execution of a legal obligation placed on the owner, therefore the conditions of lawfulness provided for by the law in force in the terms indicated above did not exist. Furthermore, in the specific case, the legitimate need to inform the families about the reasons and the presumable duration of the absence of the educator could have been satisfied, even in the pandemic context, through the communication of information referring to the complainant other than those, specific, afferent. to her private life, while providing reassurance that there was no danger of contagion for the children who had had contact with the educator.

It is also noted that the same Company, while underlining that it operated in good faith also in light of the particular context in which the treatment took place (health emergency and consequent fears of contagion also in the particular context of childcare services), to include in its document called "register of violations" the event constituted by the communication object of the complaint (see attachment to the reply of 19.10.2021).

The Company, therefore, by sending the e-mail communication of January 22, 2021, within the terms indicated above, acted in violation of the principles of lawfulness and data minimization (see Article 5, paragraph 1, letter a ) and c), of the Regulation) as it has provided information to third parties that is not necessary with respect to the purposes pursued and in the absence of a suitable legitimation criterion among those provided for by the law (see Article 6, paragraph 1, letter b ) and c), of the Regulation).

3. Conclusions: declaration of illegality of the treatment. Corrective measure pursuant to art. 58, par. 2, Regulation.

For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow to overcome the findings notified by the Office with the act of initiating the procedure and which are therefore unsuitable to allow the filing of this proceeding, since none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019.

The processing of personal data carried out by the Company is in fact illegal, in the terms set out above, in relation to articles 5, par. 1, lett. a) and c) and 6, par. 1, lett. b) and c) of the Regulations.

Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulations, there is a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulations; art. 166, paragraph 7, of the Code).

At the outcome of the procedure, it appears that Educationest s.r.l. has violated the articles 5, par. 1, lett. a) e) and 6, par. 1, lett. b) and c) of the Regulations. For the violation of the aforementioned provisions, the application of the pecuniary administrative sanction provided for by art. 83, par. 5, lett. a) of the Regulations, through the adoption of an injunction order (Article 18, Law 11/24/1981, n. 689).

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "If, in relation to the same treatment or related treatments, a data controller [...] violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation ", the total amount of the sanction is calculated so as not to exceed the legal maximum provided for by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purpose of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulation), it is stated that , in the present case, the following circumstances were considered:

a) in relation to the nature, gravity and duration of the violation, the nature of the violation was considered relevant which concerned the right of the interested party to determine their choices regarding the knowledge by third parties of a state of a private nature such as state of pregnancy;

b) with reference to the willful or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the company and the degree of responsibility of the same that has not complied with the regulations on data protection have been taken into consideration;

c) in favor of the company it has been taken into account that there are no previous relevant violations of the rules on the protection of personal data;

d) the particular context in which the violation occurred was considered as an additional mitigating factor, conditioned by the health emergency and the consequent fears of contagion by the users of the facility.

It is also believed that they assume relevance in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must comply in determining the amount of the sanction (Article 83, paragraph 1, of the Regulation), in firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the ordinary financial statements for the year 2020. Lastly, the extent of the sanctions imposed in similar cases is taken into account. In light of the elements indicated above and the assessments made, it is believed, in this case, to apply towards Educationest s.r.l. the administrative sanction for the payment of a sum equal to Euro 1,000 (one thousand).

In this context, it is also considered, in consideration of the type of violations ascertained that concerned the general principles of data processing and the conditions of lawfulness of the processing, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision should be published on the Guarantor's website.

Finally, it is noted that the conditions set out in art. 17 of reg. of the Guarantor n. 1/2019.

WHEREAS, THE GUARANTOR

detects the unlawfulness of the processing carried out by Educationest s.r.l., in the person of the legal representative, with registered office in Via Sgarzeria 1, Modena (MO), P.I. 03806400366, pursuant to art. 143 of the Code, for the violation of art. 5, par. 1, lett. a) e) and 6, par. 1, lett. b) and c) of the Regulations;

ORDER

pursuant to art. 58, par. 2, lett. i) of the Regulations to Educationest s.r.l., to pay the sum of Euro 1,000 (one thousand) as a pecuniary administrative sanction for the violations indicated in this provision;

INJUNCES

then to the same Company to pay the aforementioned sum of € 1,000 (one thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. Please note that the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - of an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of the d. lgs. n. 150 of 1.9.2011 envisaged for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code);

HAS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/20129, and believes that the conditions set out in art. 17 of Regulation no. 1/2019.

Pursuant to art. 78 of the Regulations, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, April 28, 2022

THE VICE-PRESIDENT
Cerrina Feroni

THE RAPPORTEUR
Peel

THE SECRETARY GENERAL
Mattei