Garante per la protezione dei dati personali (Italy) - 10039453

Garante per la protezione dei dati personali - 10039453

Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 5(1)(c) GDPR Article 5(1)(f) GDPR Article 9(1) GDPR Article 9(2)(h) GDPR Article 9(4) GDPR Article 32(1) GDPR Art. 75 d.lgs. 196/2003
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	06.06.2024
Published:
Fine:	24,000 EUR
Parties:	Azienda Unità Sanitaria Locale della Romagna
National Case Number/Name:	10039453
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Italian
Original Source:	Garante per la protezione dei dati personali (in IT)
Initial Contributor:	fb

The DPA fined a health authority €24,000 after it unlawfully transmitted to a third party a certificate regarding the recognition of disability status without redacting the HIV diagnosis.

English Summary

Facts

The data subject submitted an application to the local health authority in order to acquire the status of a disabled person as she is HIV positive. After acquiring this status, according to Italian national law, a family member of the person is entitled to take some days off from their job to take care of the disabled person.

Therefore, the son-in-law of the data subject, who worked for the Ministry of Justice in a jail, applied for these days off to his employer. After that, the employer directly contacted the health authority (controller) in order to confirm that the data subject had obtained the status of a disabled person.

The controller sent the Ministry of Justice the whole certificate regarding the disabled status of the data subject, including the part containing the HIV-diagnosis.

The data subject filed a complaint with the DPA, arguing that transferring the whole certificate to her son-in-law’s employer was unlawful.

The controller argued that this transfer happened due to human error during a time in which a lot of employees were not working due to a Covid infection.

Holding

First of all, the DPA noted that, according to Article 9(1) GDPR, processing personal data concerning health is in principle forbidden.

The DPA noted that Article 9(2)(h) GDPR introduces an exception to this prohibition when processing is necessary to provide healthcare. However, Article 75 of the Italian Data Protection Code sets further conditions with regard to the processing of data concerning health in accordance with Article 9(4) GDPR which gives the member state such an option. These further conditions can be contained in sectorial legislation, such as Law 135/1990, which imposes that information relating to a HIV diagnosis can be revealed only to the data subject.

Secondly, the DPA pointed out that according to national law, employers who are public administrations have a duty to verify if the declarations made by their employees correspond to truth. However, the DPA held that this duty must be interpreted in light of the general principles set by Article 5 GDPR and, more specifically, of the principles of data minimisation and of integrity and security.

As for the principle of data minimisation, it recalled that, in the case at hand, it was not necessary to disclose the HIV diagnosis to the Ministry of Justice, as just knowing that the certificate had been issued could have been sufficient to ensure the truthfulness of the declaration. Therefore, it found a violation of Article 5(1)(c) GDPR.

The DPA also held that the controller did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk since it should have provided its employees with more specific instructions on how to act when dealing with HIV data. Therefore, it found a violation of Article 5(1)(f) and 32(1) GDPR.

On these grounds, the DPA issued a fine of €24,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10039453]

Provision of 6 June 2024

Register of measures
n. 337 of 6 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stazione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING REGARD TO Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the freedom circulation of such data and repealing Directive 95/46/EC";

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette. n. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation in the documents;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker: the lawyer. Guido Scorza;

PREMISE

1. The complaint and notification of infringement

With note dated XX, Mrs. HIV infection at the Department of Penitentiary Administration-Directorate of the prison in Rimini.

In particular, in the aforementioned complaint, accompanied by specific documentation, it was represented that the complainant, in respect of whom a disability of 75% had been ascertained, was assisted by her son-in-law, who had requested from the administration where he worked, Penitentiary Administration of the Ministry of Justice-Rimini Prison, the benefits provided for by law 5 February 1992, n. 104. The aforementioned Administration, with the intention of carrying out random checks regarding the authenticity of the reports verifying the status of a person with a serious handicap pursuant to art. 3, paragraph 3, of the aforementioned law no. 104/1992 produced by employees who benefited from the benefits provided for by the aforementioned law, asked the Company to "confirm or not the existence in the documents of a report verifying the state of disability relating to the person of the" complainant. Following this request, the Company provided feedback by transmitting "«copy of the report of L 104/92 present in Mrs. XX's AUSL file». The copy of the report forwarded (...) with the aforementioned communication consisted of the complete photographic reproduction of the report of the Medical Commission "in plain text", totally legible and without any type of masking, with the complete medical history and handicap assessment. From this report, (...), forwarded to the prison administration in a complete and fully readable version, it emerges unequivocally that among the pathologies suffered by the undersigned there is also HIV infection and HIV-related nephropathy".

Following the request for information from this Office dated XX (prot. n. XX), the Company responded with a note dated XX, declaring that:

- "it should be noted that the request of the XX coming from the Management of the Rimini Prison was initially acknowledged on 13 November by the Secretariat for Civil Invalids based in Cesena - pertaining to the U.O. Forensic Medicine and Risk Management - informing of the existence of a report dated XX and communicating, at the same time, the assessment contained in the report itself";

- "on the 20th date, however, the express request for the transmission of the 20th report to allow the necessary checks was received from the prison of Rimini, with an email sent directly to the Civil Invalids Secretariat of Cesena, to which the operator of the Invalids Secretariat civil, induced by the nature of the Public Administration of the requesting party to consider the positive feedback due also in the spirit of collaboration between entities, responded on 16 December by sending the requested report containing, on the back, for a mere clerical error, also the medical history and objective examination in clear";

- "as for the context in which the accidental sending took place, as is known, autumn XX was a moment of particular resurgence of the Covid pandemic and the Civil Invalids Secretariat of Cesena found itself in a situation of particular suffering for the shortage of staff due to quarantine measures due to Covid positivity, due to which the only operators present had to take on activities even if they were not strictly within their competence, as happened in the present case";

- "having become aware of the event, the Company has adopted a series of improvement actions, which are in addition to the technical and organizational measures already in place at the time of the event (...), aimed at guaranteeing greater protection of personal data specifically scope of reference. In fact, meetings and service meetings were organized in relation to the procedures and operational methods for the release of copies of documents and reports of the medico-legal commissions, with particular reference to the rules to be respected regarding confidentiality and protection of health data and protection strengthened data relating to HIV infection, furthermore, periodic training/information sessions are held with the administrative operators of the Unit, for the purpose of regular updating on the relevant regulatory provisions and company regulations. In addition to this, the Management of the U.O. Forensic Medicine and Risk Management has provided that the role of reference function and the Central Secretariat of the U.O. monitor and manage all requests received and the related feedback, and has adopted precise provisions aimed at all administrative operators so that, for the management of access requests and for any case of particular relevance and sensitivity, they always refer to the holder of the role of Function and to the Central Secretariat”;

- "there is no evidence (...) of any violation of law on the part of this Company, but only the mere material error of an operator not specifically trained in responding to requests for documentation, determined by the particularly critical situation better described above";

- "in the face of the adverse event in context, this Company has implemented technical and organizational measures aimed at greater security of personal data and timely compliance with the relevant legislation".

In relation to the issue covered by the complaint, the Company had, on XX, notified a personal data breach, declaring, among other things, that:

- “the civil disabled secretariat, Cesena headquarters of the U.O. Forensic medicine and risk management on XX sent to the Rimini Prison, upon specific request of the same aimed at ascertaining the requirements for the right to benefit from the L.104/92 permits of one of its employees, a report relating to L.104 /92 reported to a family member of the same. The document sent erroneously also contained a clear medical history and physical examination on the back. This was due to the carelessness of the operator who did not deactivate the front/back printing function, thus producing a printout of the report for the interested party (where the health data is omitted) and part of the following report of the same person containing the health data. It should be clarified that the event occurred at a particularly critical moment for the emergency of the second COVID19 wave. In fact, the Cesena-based disability secretariat was working with reduced resources due to quarantine measures due to COVID positivity, requiring the support of other operators not specifically assigned to the secretarial support of the Disability Commissions, as occurred in this case in context";

- "with Law 102/2009, from 1.1.2010, the administrative process for the recognition of civil invalidity, handicap, blindness and deafness is the responsibility of INPS, including the sending of the reports of the visits, acting also as a verification body while the organization of the health part (establishment of the Commissions and organization of the sessions) remained in charge of the Local Health Authorities".

2. Department assessments on the processing carried out and notification of the violation referred to in the art. 166, paragraph 5 of the Code

In relation to the facts described in the complaint and in the notification of violation, the Office, with note dated XX (prot. n. XX), notified the Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, inviting it to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981). This, as it was deemed that the Company processed health data, including those relating to HIV infection, in violation of the basic principles of processing pursuant to art. 5 par. 1, letter. c) and f) of the Regulation, of the safety obligations provided for by the art. 32 of the same Regulation, as well as art. 75 of the Code, in relation to the specific sector provisions regarding urgent interventions for the prevention and fight against AIDS (art. 5, paragraph 4 and art. 1, paragraph 2, law 5 June 1990, n. 135).

With note dated XX, the Company sent its defense briefs, in which, in confirming what was already expressed in note dated XX, it highlighted, in particular, that:

- “on XX this Company received a request for compensation for damages from the lawyer of Messrs. XX and XX in relation to the erroneous communication of Ms.'s health data to the management of the Rimini prison. XX”;

- "following an internal investigation it was learned that: - on XX a request was received from the Management of the Rimini Prison to verify the authenticity of the report assessing Ms XX's handicap; - the Civil Invalids Secretariat of Cesena responded to this request on 13 November, informing of the existence of a report dated XX and communicating, at the same time, the assessment contained in the report itself; - followed by a further letter from the Management of the Rimini Prison of the XX, sent by email directly to the Invalids Secretariat of Cesena, with a request for transmission of the report relating to Law 104/92 of Mrs. XX drawn up on the XX, in order to allow the necessary investigations; - the Invalids Secretariat responded to the prison on XX by sending the requested report, which also contained, on the back, a clear medical history and objective examination";

- "it is considered appropriate to highlight that the erroneous sending of a full copy of the report occurred in an emergency context characterized by an exceptional and contingent shortage of personnel connected to the Covid pandemic. Examining the concrete case, it is noted that the erroneous sending of the double-sided report, a communication concerning the health data of an individual interested party, occurred following a reminder from the prison, following which the administrative operator, who had to take charge of activities not falling within his competence, acting in place of colleagues absent due to quarantine measures, induced by the nature of the public administration of the requesting party to consider immediate feedback due, in a spirit of loyal collaboration between public administrations, and following a reminder, he sent the report containing, due to a mere material error in the reproduction (printing) of the same, also Ms.'s health data. XX”;

- "with regard to the seriousness of the violation, analyzing it in light of the criteria set out in the Guidelines on the notification of personal data violations adopted by the Working Party article 29 on 3 October 2017 - amended version dated 6 February 2018 - it is deduced as in the case of loss of confidentiality due to incorrect communication of data to a third party, the circumstance that the recipient of the communication enjoys a certain "reliability" may become relevant. Indeed, in the same Guidelines it is made clear that "the fact that the recipient is reliable can neutralize the seriousness of the consequences of the violation" since "even if the data had been consulted, the data controller could still trust in the fact that the recipient does not will take further action regarding the same."

In the case in question, given the indisputable nature of public administration of the prison, recipient of the erroneous communication of health data with enhanced protection, it appears clear that the violation should not have entailed the risk of any prejudice for the interested party if the data had been processed by the receiving Administration in compliance with the principles of the EU Regulation, which it is obliged to do";

- "no malice is even conceivable, since it was an accidental sending, moreover isolated, and constituting an exceptional case, dependent on the mere material error of the operator, who replaced the actual holder of the functions, who found the request for the complete report coming from from the prison”;

- "in the ordinary context of operation - outside, therefore, of the emergency situation described - the operators of the Civil Invalids Secretariat of Cesena who are in charge of communications to INPS, duly authorized to process the data, carry out the communications by deactivating the function of "front/back" printing, producing a printout of the report for the interested party in such a way that the health data is omitted";

- "in this case the operator, not assigned to the task in question and therefore poorly accustomed to encountering this type of request, having taken charge of the feedback in place of colleagues absent due to quarantine due to Covid positivity, took steps to send the prison the copy of the report with the health data omitted without realizing that on the back this reported part of the subsequent report with clear health data";

- "in light of the complexity of the contingent situation in which the operator of the Civil Invalids Secretariat finds himself, it is believed that the alleged prejudice suffered by the complainant should not be considered a source of liability for this Healthcare Company as it is an error that is excusable as it is not at fault and, since it did not depend on negligence but on the extreme complexity of the situation that arose, justified by good faith pursuant to art. 3 L. 681/1989”;

- "all the Company's employees, as well as all those who are in various capacities included within the organization carrying out data processing operations, have been appointed "Authorized" for the processing with the release of instructions relating to the correct processing of personal data. At the time of the circumstances described above, which occurred, as specified, due to a situation of a non-ordinary nature characterized by an exceptional and contingent shortage of personnel in the competent office, specific technical and organizational measures were also in place in the Company aimed at ensuring the protection of personal data with particular reference to the situation in context; however, these specific instructions were not known to the operator who encountered the request from the prison, who found himself (...) having to replace in an emergency the operators ordinarily responsible for this activity, who were absent due to quarantine measures due to Covid positivity";

- "as soon as it became aware of the erroneous communication of the data to the prison, the Company promptly took action by implementing improvement actions to avoid the occurrence of further similar non-compliances";

- "it is also noted that the accidental sending occurred following the request for the full report by the District Court, a subject required to respect the same principles that govern the administrative action of each public administration and therefore also required to protect of personal data".

3. Outcome of the preliminary investigation

Having taken note of what is represented by the Company in the documentation in the documents, in the defense briefs, it is noted that:

1. the Regulation provides for a general prohibition on processing data on the health of interested parties; the aforementioned prohibition does not apply where one of the legal conditions indicated in the art. exists. 9, par. 2 of the Regulation and, in particular, if the processing is necessary to fulfill specific obligations "in matters of labor law [...] to the extent authorized by law [...] in the presence of appropriate guarantees" (art. 9, par. 2, letter) of the Regulation) and for reasons of significant public interest on the basis of Union or Member State law, which must be proportionate to the purpose pursued, respect the essence of the right to data protection and provide appropriate and specific measures to protect the fundamental rights and interests of the interested party (art. 9, par. 2, letter g) of the Regulation). In light of the Code, the aforementioned processing is permitted if it is provided for by European Union law or, in the internal system, by legal or regulatory provisions or by general administrative acts which specify the types of data that can be processed, the executable operations and the reason of significant public interest, as well as the appropriate and specific measures to protect the fundamental rights and interests of the interested party. The Code considered relevant the public interest relating to treatments carried out by subjects who carry out tasks of public interest or connected to the exercise of public powers in social-welfare activities for the protection of minors and needy subjects, for the protection of social integration and rights of disabled people, as well as the establishment, management and termination of employment relationships (art. 2-sexies, paragraphs 1 and 2, letter s) and aa), dd) of the Code);

2. the Ministry of Justice has adopted a regulation containing "Discipline of the processing of sensitive and judicial data by the Ministry of Justice, adopted pursuant to articles 20 and 21 of Legislative Decree 30 June 2003, n. 196" on which the Guarantor expressed a favorable opinion (provision of 18 May 2006), which provides that, in relation to the management of Penitentiary Police personnel, "data relating to the health of family members may be collected exclusively for the purposes of granting of particular benefits to the employee, provided for by law" (sheet no. 7);

3. as regards the regulations regarding permits for assistance to severely disabled people, art. 33, paragraph 3, of law no. 104 of 1992, provides that "the employee, whether public or private, has the right to benefit from three days of paid monthly leave covered by a notional contribution, even on a continuous basis, to assist a person with a disability in a serious situation, which is not full-time hospitalized, in respect of which the worker is a spouse, part of a civil union pursuant to article 1, paragraph 20, of law 20 May 2016, n. 76, de facto cohabitant pursuant to article 1, paragraph 36, of the same law, relative or similar within the second degree"; the art. 7-bis of the aforementioned law, introduced by art. 24 of law 4 November 2010, n. 183 provides that: "without prejudice to the verification of the conditions for ascertaining disciplinary responsibility, the worker referred to in paragraph 3 loses the rights referred to in this article, if the employer or INPS ascertains the non-existence or failure to meet the conditions required for the legitimate enjoyment of the same rights";

4. the art. 71 of the Presidential Decree 28 December 2000, n. 445, containing the “Consolidated text of the legislative and regulatory provisions on administrative documentation” provides that “the proceeding administrations are required to carry out suitable checks, including on a sample basis, in proportion to the risk and extent of the benefit, and in cases of reasonable doubt, on the truthfulness of the declarations referred to in articles 46 and 47, even after the provision of the benefits, however named, for which the declarations are made. The checks regarding declarations in lieu of certification are carried out by the proceeding administration in the manner referred to in article 43 by directly consulting the archives of the certifying administration or by requesting from it, also through IT or telematic tools, written confirmation of the correspondence of what was declared with the results of the registers kept by it" (paragraphs 1 and 2);

5. the aforementioned legislation, as well as all provisions of national law, must be interpreted and applied in light of the European Union regulations on the protection of personal data (art. 22, paragraph 1, of Legislative Decree 10 August 2018, n. 101), with particular reference to the principles applicable to the processing of personal data, set out in the art. 5 of the Regulation;

6. in this regard, the data controller is required to respect the principle of "minimization", according to which personal data must be "adequate, relevant and imitated to what is necessary with respect to the purposes for which they are processed", as well as that of "integrity and confidentiality", according to which data must be "processed in a way that guarantees adequate security (...), including protection, through appropriate technical and organizational measures, from unauthorized or illicit processing and from loss, destruction or accidental damage” (art. 5, par. 1, letters c) and f) of the Regulation). The adequacy of such measures must be assessed by the data controller with respect to the nature of the data, the object, the purposes of the processing and the risk to the fundamental rights and freedoms of the interested parties, taking into account the risks arising from the destruction , from loss, modification, unauthorized disclosure or access to personal data (art. 32, par. 1 and 2 of the Regulation, Recital no. 83);

7. the Guarantor, on several occasions, has had the opportunity to specify, for the protection of disabled people, that, "in implementation of the principles of relevance, non-excess and indispensability, in the certifications requested by the interested party [...] it is not essential to indicate the personal data relating to the diagnosis ascertained during the medical examination" (Provision dated 21 March 2007, web doc. no. 1395821; see also provisions dated 21 April 2009, web doc. no. 1616870; 9 November 2005, web doc. no. . 1191411; point 4.2. provision 16 February 2011, in which it was reiterated that the commissions doctors issue, for the purposes of issuing the disabled permit as well as for tax breaks relating to vehicles provided for people with disabilities, a copy of the report with the omission of the parts dedicated to the description of the anamnestic data, the objective examination and the diagnosis of the person with disabilities);

8. the legislator has provided for strengthened protection for the processing of data relating to HIV infection, on the one hand, establishing the obligation to communicate the results of direct or indirect diagnostic tests for the aforementioned infection to the sole person to whom such tests are carried out report, on the other hand, introducing the obligation on the health worker and any other person who becomes aware of a case of AIDS or HIV infection, to adopt every measure or precaution for the protection of the person's rights and his dignity (art. 5, paragraph 4 and art. 1, paragraph 2, law 5 June 1990, n. 135; on this point, see also ruling of the Civil Cassation, section III, 30 January 2009, n. 2468, according to which "pursuant to (...) art. 5, paragraph 1, it is the healthcare personnel's responsibility to demonstrate that they have adopted all the necessary measures to guarantee the patient's right to confidentiality and to prevent the relating to the outcome of the test and the patient's health conditions may come to the attention of third parties");

9. the aforementioned regulatory provision falls within the specific sector provisions without prejudice to art. 75 of the Code, which summarizes the conditions for the processing of personal data in the healthcare sector. The described confidentiality regime has, moreover, been reiterated several times by the Guarantor in the context of various interventions, qualifying such data among those subject "to greater protection of anonymity" (opinion on the draft decree on electronic health records, of 22 May 2014, web doc. no. 3230826; Guidelines on health dossiers, dated 4 June 2015, web doc. no. 4084632).

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor" ˗ it is stated that the elements provided by the Company in the violation notification and in the defense briefs do not allow the notified findings to be overcome by the Office with the aforementioned act of initiation of the procedure, since, moreover, none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.

As described above, the failure to adopt a measure aimed at verifying the content of the attachments to be transmitted resulted in the Company transmitting the report including the data relating to the complainant's HIV infection to the Administration Department penitentiary - Rimini prison directorate, where the complainant's son-in-law, who had requested the benefits provided for by the art. 3, paragraph 3, of law no. 104/1992 to assist her in relation to her disability, provided her professional activity. This resulted in processing of health data in violation of the minimization principle; in compliance with the aforementioned principle, in fact, the Company should have provided the requesting Administration with confirmation of the existence or otherwise of the requirement of the severity of the woman's disability, required by the legislation to access the described benefits, but not also the entire documentation , including the diagnosis, with clear anamnesis and physical examination. Furthermore, in compliance with the principle of data integrity and confidentiality and the obligation to adopt adequate technical and organizational measures to guarantee a level of security adequate to the risk, in consideration of the particular category of data processed, subject to greater protection, the Company should have provided specific instructions to the operator called to carry out the treatment in question. On this point, with reference to the error made by the operator, we do not recognize the condition that allows us to affirm that the same error was inevitable and blameless, i.e. such that it could have been avoided with ordinary diligence. In light of consolidated jurisprudence of the S.C. (Cass. n. 7885/2011, Cass. n. 16320/2010, Cass. n. 19759/2015, Cass. n. 33441/2019 and Cass. n. 17822/2021), for the purposes of applying the invoked art. 3 of law no. 689/1981 it is necessary that the good faith or the error is based on a positive element, extraneous to the agent and capable of determining in him the belief in the lawfulness of his behavior (excusable error). This positive element must not be remedied by the agent with the use of ordinary diligence. In this case, the duly trained operator could have diligently ascertained, through a more accurate check, that he had not deactivated the front/back printing function, thus avoiding attaching, in addition to the printout of the report for the interested party (where the data healthcare workers are omitted), also the part of the report containing the medical history and the objective examination in plain text (see also European Data Protection Committee, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, par. 4.2.2., which highlights that certain circumstances, including human error, "may be indicative of negligence").

Therefore, considering that the arguments put forward by the Company are not suitable to exclude its liability in relation to what is contested, the unlawfulness of the processing of personal data carried out by the owner is noted, within the terms set out in the motivation.

In this context, considering, in any case, that the conduct has exhausted its effects and that the Company has declared that it has promptly taken action by implementing improvement actions to avoid the recurrence of the complained of conduct, the conditions for the adoption of of measures, of a prescriptive or injunctive nature, referred to in the art. 58, par. 2, of the Regulation.

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of the articles. 5, par. 1, letter. c) and f) and 32 of the Regulation, as well as art. 75 of the Code, is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 5 of the Regulation.

Consider that the Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in the art. 83, par. 1 of the Regulation, on the basis of the elements provided for by art. 83, par. 2, of the Regulation.

In light of the above and, in particular, the category of personal data affected by the violation, which fall within the data considered to be subject to greater protection, the number of interested parties (1) and the non-intentional nature of the violation, it is believed that the level the severity of the violation committed by the Company is high (see European Data Protection Committee, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Having said this, some elements have been assessed as a whole and, in particular, that:

- the Guarantor became aware of the event following the notification of violation made by the Company, pursuant to art. 33 of the Regulation, and by a subsequent complaint by the interested party (art. 83, par. 2, letter h) of the Regulation);

- the owner, in order to avoid the repetition of the event that occurred, is committed to implementing the training activity of the operators authorized to process personal data (art. 83, par. 2, letters c) and f) of the Regulation);

- the Company has already been the recipient of sanctions in relation to relevant violations (provisions dated 27 January 2021, no. 36, web doc. no. 9544504 and 27 May 2021, no. 211, web doc. no. 9682619) ( art. 83, par. 2, letter e) of the Regulation);

- the violation concerned a specific internal structure of the data controller and not the overall organization of the same and was caused by an operator's error (art. 83, par. 2, letter k) of the Regulation);

- the event occurred in the context of employment in secretarial activities of personnel not ordinarily responsible for this activity, as part of an organizational change undertaken by the Company during the pandemic period, to prepare for the absences of the operators involved from quarantine measures due to positivity to Sars CoV 2 (art. 83, par. 2, letter k) of the Regulation);

it is deemed necessary to determine the amount of the pecuniary sanction provided for by the art. 83, par. 5 of the Regulation, in the amount of 24,000.00 (twenty-four thousand) euros for the violation of the articles. 5 and 32 of the same Regulation, as well as art. 75 of the Code, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Romagna Local Health Authority, due to the violation of the basic principles of processing referred to in the art. 5, par. 1, letter. c) and f) and the obligations referred to in art. 32 of the Regulation, as well as art. 75 of the Code, in the terms set out in the motivation;

ORDER

to the Romagna Local Health Authority, with registered office in the Registered Office: Via De Gasperi n. 8 – 48121 Ravenna, Tax Code/VAT no. 02483810392, to pay the sum of €24,000.00 (twenty-four thousand/00) as a pecuniary administrative sanction, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation, for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 24,000.00 (twenty-four thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981;

HAS

the publication in full of this provision on the Guarantor's website, pursuant to art. 166, paragraph 7, of the Code, and believes that the conditions for the annotation in the internal register of the Authority pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 6 June 2024

PRESIDENT
Stantion

THE SPEAKER
Zest

THE GENERAL SECRETARY
Mattei

[doc. web no. 10039453]

Provision of 6 June 2024

Register of measures
n. 337 of 6 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stazione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING REGARD TO Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the freedom circulation of such data and repealing Directive 95/46/EC";

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette. n. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation in the documents;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker: the lawyer. Guido Scorza;

PREMISE

1. The complaint and notification of infringement

With note dated XX, Mrs. HIV infection at the Department of Penitentiary Administration-Directorate of prison in Rimini.

In particular, in the aforementioned complaint, accompanied by specific documentation, it was represented that the complainant, in respect of whom a disability of 75% had been ascertained, was assisted by her son-in-law, who had requested from the administration where he worked, Penitentiary Administration of the Ministry of Justice-Rimini Prison, the benefits provided for by law 5 February 1992, n. 104. The aforementioned Administration, with the intention of carrying out random checks regarding the authenticity of the reports verifying the status of a person with a serious handicap pursuant to art. 3, paragraph 3, of the aforementioned law no. 104/1992 produced by employees who benefited from the benefits provided for by the aforementioned law, asked the Company to "confirm or not the existence in the documents of a report verifying the state of disability relating to the person of the" complainant. Following this request, the Company provided feedback by sending "«copy of the report of L 104/92 present in Mrs. XX's AUSL file». The copy of the report forwarded (...) with the aforementioned communication was made up of the complete photographic reproduction of the report of the Medical Commission "in plain text", totally legible and without any type of masking, with the complete medical history and evaluation of the handicap. From this report, (...), forwarded to the prison administration in a complete and fully readable version, it emerges unequivocally that among the pathologies suffered by the undersigned there is also HIV infection and HIV-related nephropathy".

Following the request for information from this Office dated XX (prot. n. XX), the Company responded with a note dated XX, declaring that:

- "it should be noted that the request of the XX coming from the Management of the Rimini Prison was initially acknowledged on 13 November by the Secretariat for Civil Invalids based in Cesena - pertaining to the U.O. Forensic Medicine and Risk Management - informing of the existence of a report dated XX and communicating, at the same time, the assessment contained in the report itself";

- "on the 20th date, however, the express request for the transmission of the 20th report to allow the necessary checks was received from the prison of Rimini, with an email sent directly to the Civil Invalids Secretariat of Cesena, to which the operator of the Invalids Secretariat civil, induced by the nature of the Public Administration of the requesting party to consider the positive feedback due also in the spirit of collaboration between entities, responded on 16 December by sending the requested report containing, on the back, for a mere clerical error, also the medical history and objective examination in clear";

- "as for the context in which the accidental sending took place, as is known, autumn XX was a moment of particular resurgence of the Covid pandemic and the Civil Invalids Secretariat of Cesena found itself in a situation of particular suffering for the shortage of staff due to quarantine measures due to Covid positivity, due to which the only operators present had to take on activities even if they were not strictly within their competence, as happened in the present case";

- "having become aware of the event, the Company has adopted a series of improvement actions, which are in addition to the technical and organizational measures already in place at the time of the event (...), aimed at guaranteeing greater protection of personal data specifically scope of reference. In fact, meetings and service meetings were organized in relation to the procedures and operational methods for the release of copies of documents and reports of the medico-legal commissions, with particular reference to the rules to be respected regarding confidentiality and protection of health data and protection strengthened data relating to HIV infection, furthermore, periodic training/information sessions are held with the administrative operators of the Unit, for the purpose of regular updating on the relevant regulatory provisions and company regulations. In addition to this, the Management of the U.O. Forensic Medicine and Risk Management has provided that the role of reference function and the Central Secretariat of the U.O. monitor and manage all requests received and the related feedback, and has adopted precise provisions aimed at all administrative operators so that, for the management of access requests and for any case of particular relevance and sensitivity, they always refer to the holder of the Assignment of Function and to the Central Secretariat”;

- "there is no evidence (...) of any violation of law on the part of this Company, but only the mere material error of an operator not specifically trained in responding to requests for documentation, determined by the particularly critical situation better described above";

- "in the face of the adverse event in context, this Company has implemented technical and organizational measures aimed at greater security of personal data and timely compliance with the relevant legislation".

In relation to the issue covered by the complaint, the Company had, on XX, notified a personal data breach, declaring, among other things, that:

- “the civil disabled secretariat, Cesena headquarters of the U.O. Forensic medicine and risk management on XX sent to the Rimini Prison, upon specific request of the same aimed at ascertaining the requirements for the right to benefit from the L.104/92 permits of one of its employees, a report relating to L.104 /92 reported to a family member of the same. The document sent erroneously also contained a clear medical history and physical examination on the back. This was due to the carelessness of the operator who did not deactivate the front/back printing function, thus producing a printout of the report for the interested party (where the health data are omitted) and part of the following report of the same person containing the health data. It should be clarified that the event occurred at a particularly critical moment for the emergency of the second COVID19 wave. In fact, the Cesena-based disability secretariat was working with reduced resources due to quarantine measures due to COVID positivity, requiring the support of other operators not specifically assigned to the secretarial support of the Disability Commissions, as occurred in this case in context";

- "with Law 102/2009, from 1.1.2010, the administrative process for the recognition of civil invalidity, handicap, blindness and deafness is the responsibility of INPS, including the sending of the reports of the visits, acting also as a verification body while the organization of the health part (establishment of the Commissions and organization of sessions) remained in charge of the Local Health Authorities".

2. Department assessments on the processing carried out and notification of the violation referred to in the art. 166, paragraph 5 of the Code

In relation to the facts described in the complaint and in the notification of violation, the Office, with note dated XX (prot. n. XX), notified the Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, inviting it to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981). This, as it was deemed that the Company processed health data, including those relating to HIV infection, in violation of the basic principles of processing pursuant to art. 5 par. 1, letter. c) and f) of the Regulation, of the safety obligations provided for by the art. 32 of the same Regulation, as well as art. 75 of the Code, in relation to the specific sector provisions regarding urgent interventions for the prevention and fight against AIDS (art. 5, paragraph 4 and art. 1, paragraph 2, law 5 June 1990, n. 135).

With note dated XX, the Company sent its defense briefs, in which, in confirming what was already expressed in note dated XX, it highlighted, in particular, that:

- “on XX this Company received a request for compensation for damages from the lawyer of Messrs. XX and XX in relation to the erroneous communication of Ms.'s health data to the management of the Rimini prison. XX”;

- "following an internal investigation it was learned that: - on XX a request was received from the Management of the Rimini Prison to verify the authenticity of the report verifying Mrs. XX's handicap; - the Civil Invalids Secretariat of Cesena responded to this request on 13 November, informing of the existence of a report dated XX and communicating, at the same time, the assessment contained in the report itself; - followed by a further letter from the Management of the Rimini Prison of the XX, sent by email directly to the Invalids Secretariat of Cesena, with a request for transmission of the report relating to Law 104/92 of Mrs. XX drawn up on the XX, in order to allow the necessary investigations; - the Invalids Secretariat responded to the prison on XX by sending the requested report, which also contained, on the back, a clear medical history and objective examination";

- "it is considered appropriate to highlight that the erroneous sending of a full copy of the report occurred in an emergency context characterized by an exceptional and contingent shortage of personnel connected to the Covid pandemic. Examining the concrete case, it is noted that the erroneous sending of the double-sided report, a communication concerning the health data of an individual interested party, occurred following a reminder from the prison, following which the administrative operator, who he had to take on activities not falling within his competence, acting in place of colleagues absent due to quarantine measures, induced by the nature of the public administration of the requesting party to consider immediate feedback due, in a spirit of loyal collaboration between public administrations, and following a reminder, he sent the report containing, due to a mere material error in the reproduction (printing) thereof, also Mrs.'s health data. XX”;

- "with regard to the seriousness of the violation, analyzing it in light of the criteria set out in the Guidelines on the notification of personal data violations adopted by the Working Party article 29 on 3 October 2017 - amended version dated 6 February 2018 - it is deduced as in the case of loss of confidentiality due to incorrect communication of data to a third party, the circumstance that the recipient of the communication enjoys a certain "reliability" may become relevant. Indeed, in the same Guidelines it is made clear that "the fact that the recipient is reliable can neutralize the seriousness of the consequences of the violation" since "even if the data had been consulted, the data controller could still trust in the fact that the recipient does not will take further action regarding the same."

In the case in question, given the indisputable nature of public administration of the prison, recipient of the erroneous communication of health data with enhanced protection, it appears clear that the violation should not have entailed the risk of any prejudice for the interested party if the data had been processed by the receiving Administration in compliance with the principles of the EU Regulation, which it is obliged to do";

- "no malice is even conceivable, since it was an accidental sending, moreover isolated, and constituting an exceptional case, dependent on the mere material error of the operator, who replaced the actual holder of the functions, who found the request for the complete report coming from from the prison”;

- "in the ordinary context of operation - outside, therefore, of the emergency situation described - the operators of the Civil Invalids Secretariat of Cesena who are in charge of communications to INPS, duly authorized to process the data, carry out the communications by deactivating the function of "front/back" printing, producing a printout of the report for the interested party in such a way that the health data is omitted";

- "in this case the operator, not assigned to the task in question and therefore poorly accustomed to encountering this type of request, having taken charge of the feedback in place of colleagues absent due to quarantine due to Covid positivity, proceeded to send the prison the copy of the report with the health data omitted without realizing that on the back this reported part of the subsequent report with clear health data";

- "in light of the complexity of the contingent situation in which the operator of the Civil Invalids Secretariat finds himself, it is believed that the alleged prejudice suffered by the complainant should not be considered a source of liability for this Healthcare Company as it is an error that is excusable as it is not at fault and, since it did not depend on negligence but on the extreme complexity of the situation that arose, justified by good faith pursuant to art. 3 L. 681/1989”;

- "all the Company's employees, as well as all those who are in various capacities included within the organization carrying out data processing operations, have been appointed "Authorized" for the processing with the release of instructions relating to the correct processing of personal data. At the time of the circumstances described above, which occurred, as specified, due to a situation of a non-ordinary nature characterized by an exceptional and contingent shortage of personnel in the competent office, specific technical and organizational measures were also in place in the Company aimed at ensuring the protection of personal data with particular reference to the situation in context; however, these specific instructions were not known to the operator who encountered the request from the prison, who found himself, (...), having to replace in an emergency the operators ordinarily responsible for this activity, who were absent due to quarantine measures due to Covid positivity";

- "as soon as it became aware of the erroneous communication of the data to the prison, the Company promptly took action by implementing improvement actions to avoid the occurrence of further similar non-compliances";

- "it is also noted that the accidental sending occurred following the request for the full report by the District Court, an entity required to respect the same principles that govern the administrative action of each public administration and therefore also required to protect of personal data".