Garante per la protezione dei dati personali (Italy) - 10039471

Garante per la protezione dei dati personali - 10039471

Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 5(1) GDPR Article 6(1) GDPR Article 6(1)(c) GDPR Article 28(3) GDPR Art. 19(1) d.lgs. 33/2013 Art. 8(3) d.lgs. 33/2013
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	20.06.2024
Published:
Fine:	20,000 EUR
Parties:	Comune di Nepi
National Case Number/Name:	10039471
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Italian
Original Source:	Garante per la protezione dei dati personali (in IT)
Initial Contributor:	fb

The DPA fined a municipality €20,000 after it unlawfully published the names of the participant to a public competition. Moreover, it did not enter in a binding agreement with its processor, thus violating Article 28(3) GDPR.

English Summary

Facts

The controller, a municipality, organised a competition to hire public servants. The data subject participated in this competition. The controller published on its website a list of candidates, both the ones whose application was successful and also the ones whose application was unsuccessful.

The data subject's application was unsuccessful. Therefore, she asked the controller to remove her name from the website.

The controller pointed out that its website is managed by an external company and that it had contact this company to have the name removed.

Moreover, it argued that it had a legal obligation to publish this data, since Article 19(1) of the law governing access to information kept by the public administration foresees that the final rankings of this type of competition must be published online.

However, Article 8(3) of the same law sets a time limit of 5 years after the publication. After this time, the document should be removed from the website. On this point, the controller pointed out that it remained published even after this time limit because, in the meantime, it had changed the company providing the website management services.

Holding

First, the DPA pointed out that the controller, a public administration, can normally process personal data if it can rely on the legal basis provided for by Article 6(1)(c) and (e) GDPR. The DPA noted that, on the one hand, it is true that national law sets an obligation to publish the rankings of a competition. On the other hand, this obligation concerns only the final ranking, i.e. the ranking containing the names of the hired applicants. Therefore, the controller was not obliged to publish this sort of ranking including also the unsuccessful applicants.

In the case at hand, the controller published the names of all candidates. The DPA held that the publication of the names of the candidates that were not hired cannot be based on a legal obligation under Article 6(1)(c) GDPR. Therefore, the controller processed this data without a legal basis violating Article 5(1)(a) and 6(1) GDPR.

Secondly, the DPA focused on the fact the website was not managed by the controller directly, but by an external company acting as processor. The DPA noted that for a long time the relationship between the controller and the processor had not been governed by a binding agreement. Therefore, the DPA found a violation of Article 28(3) GDPR.

Moreover, the DPA recalled that – according to both national case law and the EPDB Guidelines 07/2020 on the concepts of controller and processor in the GDPR – when such an agreement is lacking, the alleged processor is actually processing data without a legal basis. Therefore, the DPA held that the transferral of personal data to the processor was unlawful and found a violation of Article 5(1)(a) and 6(1) GDPR.

On these grounds, the DPA issued a fine of €20,000.

Comment

With a separate decision, the DPA also fined the processor €12,000 for the violation of Article 5(1)(a) and 6(1) GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10039471]

Provision of 20 June 2024

Register of measures
n. 372 of 20 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/ EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (hereinafter the “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette. n. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

Having seen the documentation in the documents;

Having seen the observations made by the general secretary pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker: the lawyer. Guido Scorza;

PREMISE

1. Introduction.

With a complaint presented pursuant to art. 77 of the Regulation, Ms. XX complained about the online publication, at the address "https://...", as well as the indexing on search engines of a ranking formed following the pre-selection test of a public competition announced from the Municipality of Nepi, containing the list of admitted and not admitted candidates.

The complainant also complained that, despite multiple requests to remove the aforementioned ranking addressed to the aforementioned Municipality, it continued to be available online - a circumstance which was ascertained by the Authority on 10 February 2022.

During the investigation, the Authority also noted the failure to regulate, pursuant to art. 28 of the Regulation, of the relationship with the company Grafiche E. Gaspari S.r.l. (hereinafter, also "Company"), responsible for many years of managing the institutional website and related contents on behalf and in the interest of the Municipality.

2. The preliminary investigation activity.

In response to a request for information formulated by the Authority pursuant to art. 157 of the Code, the Municipality of Nepi, with a note dated 2 March 2022, declared, in particular, that:

he “promptly took action to resolve the problem” and “immediately contacted [his] external supplier. Gaspari srl [...] for the removal of the above-mentioned page;

"the assistance [... has] taken steps to definitively delete the data indicated, which also concerns an obsolete address that can no longer be reached from the official portal of the Municipality";

the Municipality itself has "therefore verified that the page no longer appears at the link indicated" and therefore believes "it has definitively resolved the problem".

In response to a subsequent request from the Authority, aimed at acquiring both the information already requested, but not received, and certain further information, with a note dated 13 June 2022 the aforementioned Municipality declared, in particular, that:

the managers [of the competent Municipality offices] were "urgently asked for maximum collaboration in providing a detailed report on all the activities undertaken [...]";

the "Municipality identified the legal basis of the processing, which would have justified the online dissemination of the ranking of the public competition in which the [complainant] participated, in the art. 19 of the legislative decree lgs. 33/2013, as well as in the art. 15, Presidential Decree 9 May 1994, n. 487. The Organization was inspired, in good faith, by the principle of total accessibility of documents held by public administrations referred to in art. 1 of the aforementioned decree. In the organisation's belief, the legislation regarding the obligations of publicity, transparency and dissemination of information by public administrations would have allowed it to publish the ranking in question for a period of 5 years, starting from 1 January of the following year to the one from which the presumed obligation of publication began";

“the ranking in question was published in the “Transparent Administration” section [of] the Municipality on 28 September 2016, and was intended for publication on the institutional website until 31 December 2021, pursuant to art. 8 of the legislative decree lgs. 33/2013 […]. The indexing of the site took place in application of the art. 9 of the legislative decree lgs. 33/2013 […]”;

the "previous institutional site, on which the ranking was originally published, was eliminated from the Internet by the supplier, Gaspari S.r.l., and replaced with a new site [...]";

"following the publication of the new site, the ranking in question was distributed, by mistake, on the site https://.., no longer accessible from the new portal of the Institution";

“having received the [complainant's] request, the Municipality erroneously assumed that the publication of the ranking was necessary until 31 December 2021”;

“following the request for information, notified by the Guarantor […] last 14 February [2022], the Municipality contacted, without delay, the supplier's assistance service to request the removal of the ranking and has, therefore, verified that at link indicated can no longer be linked to any web page";

“the Municipality took action to subsequently transmit the copy of the agreement on the protection of personal data stipulated by the Institution and the company Gaspari S.r.l. pursuant to art. 28 of the Regulation […]”;

the Municipality "will promptly inform the authority as soon as it has obtained all the documentation and has been aware of the removal of the ranking formed following the pre-selective test of a public competition announced by the Municipality of Nepi".

Subsequently, with a note dated 11 November 2022, following a further request for elements from the Authority, the Municipality declared, in particular, that:

"following the publication of the new site, the ranking in question was still distributed, by mistake, on the site https://..., no longer accessible from the new portal of the Institution";

after contacting the supplier's assistance service, "the Institution has therefore verified that the indicated link can no longer be linked to any web page";

“the aforementioned article (content) was published on the institutional website on 3 February 2015, in the “News” section (albeit with a different nomenclature and respective access link), and subsequently migrated to the new version of the platform, without undergoing any modification substantial (with the exception of the links through which the contents were accessible in 2015) until 18 February 2022, when the .pdf document attached to the content was deleted from the Internet following the removal request";

“upon the expiry of the publication deadline in the Transparent Administration section, identified pursuant to the art. 19 of Legislative Decree 33/2013 [...] the ranking was removed from this section of the institutional website, without it also being eliminated from the "News" section of the same";

“the factor that misled [the] Municipality when providing the previous feedback to the Guarantor [...] is the presence of the “compass” portion of the text in the link address of the document in question. In fact, the previous platform used by the organization had the commercial name "Bussola" (subsequently changed to MyCity), therefore the links to the documents in PDF. and jpg images. uploaded onto the platform they automatically took on the aforementioned name. This nomenclature meant that the Municipality assumed that the document was a residue left on the internet after the transition from the old to the new version of the platform, the management of which was entrusted to the company Grafiche E. Gaspari S.r.l.”;

"the publication of the ranking in question in the "News" section of the institutional website, accessible via the link: https://..., and the simultaneous indexing on search engines, took place from 3 February 2015 to 18 February 2022, without an appropriate legal basis for such processing of personal data".

With the same note, the Municipality produced a copy of an agreement stipulated on 3 November 2022 with the aforementioned Company pursuant to art. 28 of the Regulation.

As can be seen from the technical report drawn up by Grafiche E. Gaspari S.r.l., which the Municipality had entrusted with the general management of the institutional website, the "Transparent Administration" portal was instead entrusted to "a different company than to Gaspari”. In this regard, the Authority therefore asked the Municipality to produce a copy of the service contract stipulated with Grafiche E. Gaspari S.r.l., to which the aforementioned data protection agreement referred, as well as the details of the supplier to whom the Municipality had entrusted the management of the "Transparent Administration" portal section of its institutional website, attaching a copy of the relevant service contract, as well as a copy of the data protection agreement stipulated pursuant to art. 28 of the Regulation with this supplier.

Subsequently, the Municipality, with a note dated 30 March 2023, as subsequently integrated on 16 May 2023, specified that, in any case, "the publications in the "Transparent Administration" section of the institutional website, pursuant to Legislative Decree. lgs. 22/2013, are carried out directly by the Municipality's staff, while [the aforementioned Company] mainly deals with any assistance relating to the operation of the software", and has attached a copy of the requested documentation.

With a note dated 13 October 2023, the Office, based on the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Municipality of Nepi, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, to have the aforementioned Municipality:

- disseminated online the personal data of the complainant and of the interested parties indicated in the ranking, in the absence of a suitable regulatory requirement, in violation of the articles. 5, par. 1, letter. a), 6, par. 1, letter. c) and e), of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021, in force at the time in which the dissemination of the personal data in question began, and in the current text) ;

- processed the personal data of website users and other interested parties whose data was published on the same website, without having regulated the relationship with Grafiche E. Gaspari S.r.l., entrusted with the instrumental service aimed at managing the institutional website of the Municipality , in violation of the art. 28 of the Regulation and, as a result, making personal data available to the aforementioned Company in the absence of a suitable regulatory requirement, in violation of the articles. 5, par. 1, letter. a), and 6 of the Regulation and art. 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021 and in the text currently in force).

With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the l. 24 November 1981, n. 689).

With a note dated 14 November 2023, the Municipality of Nepi, which did not request to be heard, presented a defense statement, declaring, in particular, that:

- "the dissemination concerned only the common data, i.e. the name and surname of the participant in the competition, with the indication of the score obtained and the outcome of the test ("admitted" or "not admitted") and involved a limited number of interested parties, equal to 33 participants admitted to the next test, and 178 not admitted";

- “it was an isolated and non-systematic episode, following which no legal action was taken by the interested parties against the Municipality, not even by the complainant herself, Mrs XX. The Municipality therefore believes that the dissemination of the data on the institutional website has not caused damage to the interested parties";

- the "Municipality, by publishing the pre-selective ranking of the public competition, in which Mrs. XX participated, was inspired, in good faith, by the principle of total accessibility of the documents held by the public administrations referred to in the art. 1 of Legislative Decree 33/2013 and the provisions of the art. 10 of Legislative Decree 267/2000, which provides, in general, that all documents of the municipal administration are public";

- “the Municipality of Nepi is a small entity (just over 9,000 inhabitants), which is in a constant state of staff shortage; the latter, not integrated, is overloaded with tasks.

Furthermore, at the time of the incident, the Head of the Transparency, Anti-Corruption and Privacy Sector had been transferred to another body and his position was vacant for a considerable period of time";

- "as regards the dispute that the aforementioned documents are "without contractual references in existence between this Municipality and the company Grafiche E. Gaspari S.r.l.", it is noted that the contract for the management of the website of the Municipality of Nepi is the only contract in place with the company Grafiche E. Gaspari S.r.l.”;

- "following the complaint presented by Mrs. XX, the undersigned Municipality, with the assistance of the Data Protection Officer, organized a series of meetings, held on 3 November 2022, 23, 24 and 28 February 2023, 24 March 2023 and 17 April 2023, with the managers of each service aimed at raising awareness and increasing awareness of compliance with the rules regarding the protection of personal data";

- the "Municipality maintained a high degree of cooperation with the Guarantor, to remedy the violation and mitigate its possible negative effects".

It should also be noted that, as part of the same investigation, specific elements were also acquired from Grafiche E. Gaspari S.r.l., against which independent and separate proceedings were initiated for the profiles attributable to its responsibility.

3. Outcome of the preliminary investigation. The applicable legislation.

As a preliminary point, it is stated that this provision concerns exclusively the treatments carried out by the Municipality of Nepi and, on its behalf, by the Company and not distinct treatments possibly carried out on behalf of the Municipality or the Company itself, also in the context of the provision , by other subjects, of additional services, even if connected, to those covered by this investigation, without prejudice in any case to any assessment regarding the occurrence of the conditions for initiating separate proceedings.

The personal data protection regulations provide that public entities, even when they are carrying out competitive, selective or in any case evaluation procedures, preparatory to the establishment of the employment relationship, can process the personal data of the interested parties (art. 4, n. 1, of the Regulation) if the processing is necessary "to fulfill a legal obligation to which the data controller is subject" (think of specific obligations established by national legislation "for recruitment purposes", articles 6, paragraph 1, letter c), 9, par. 2, letter. b) and 4; 88 of the Regulation) or "for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" (art. 6, par. 1, letters c) and e), of the Regulation and art. 2-ter of the Code).

Such processing must, however, be based on the law of the Union or of the Member State which must pursue an objective of public interest and be proportionate to the pursuit of the same. The purpose of the processing must be necessary for the execution of a task carried out in the public interest or connected to the exercise of public powers vested in the data controller (see art. 6, par. 3, of the Regulation and 2- ter of the Code).

The national legislation has introduced more specific provisions to adapt the application of the rules of the Regulation, determining with greater precision specific requirements for the processing, as well as other measures aimed at guaranteeing lawful and correct processing (art. 6, par. 2, of the Regulation ) and, in this context, provided that the legal basis provided for by art. 6, par. 3, letter. b), of the Regulation, is made up exclusively of the regulatory sources indicated by the art. 2-ter of the Code.

The data controller is required to respect the principles of data protection in any case (art. 5 of the Regulation).

In general, although the data controller, who determines the purposes and methods of data processing, bears a "general responsibility" for the processing carried out (see art. 5, par. 2, so-called "accountability", and 24 of the Regulation), even when these are carried out by other subjects "on its behalf" (cons. 81, articles 4, point 8), and 28 of the Regulation), the Regulation has regulated the obligations and other forms of cooperation to which the data controller and the scope of the related responsibilities are responsible (see articles 30, 32, 33, par. 2, 82 and 83 of the Regulation).

The data controller is entitled to process the data of interested parties "only upon documented instructions from the owner" (art. 28, par. 3, letter a), of the Regulation) and the relationship between owner and manager is regulated by a contract or by another legal act, stipulated in writing which, in addition to mutually binding the two figures, allows the owner to give instructions to the manager also in terms of data security and provides, in detail, what the subject matter is regulated, the duration, the nature and purposes of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the owner and manager. Furthermore, the data controller must assist the data controller in ensuring compliance with the obligations deriving from data protection regulations, "taking into account the nature of the processing" and the specific regime applicable to the same (art. 28, par. 3, letter f ), of the Regulation).

3.1. The illicit dissemination of personal data of participants in the pre-selection test

From the elements acquired and the facts that emerged during the preliminary investigation, it is established that the Municipality of Nepi has published the note prot. on its institutional website. n. 1983 of 2 February 2015, with which, in the context of a public competition to fill two positions for the profile of supervisory instructor, the ranking of the pre-selective test was approved, with the list of admitted candidates (n. 33 ) and not admitted (n. 178) to the written test, including, as she was not admitted, also the complainant.

The document in question, as ascertained in the investigation and confirmed by the Municipality, was published both in the "Transparent Administration" section of its institutional website from 28 September 2016 until 31 December 2021 and in the "News" section of its website institutional from 3 February 2015 until 18 February 2022 (first on the old version of the site and then on the current version of the same).

In this regard, the regulatory provisions which establish, in general, the publicity of the rankings of competitions and selective tests (see, in particular, Presidential Decree 10 January 1957, n. 3; as well as art. 15 et seq. of Presidential Decree 9 May 1994, n. 487 "Regulation containing rules on access to jobs in public administrations and the methods of carrying out competitions, single competitions and other forms of recruitment in public jobs", also following the changes introduced by Presidential Decree 16 June 2023, n and, more generally, on the publicity of public administration personnel recruitment procedures, art. 35 of Legislative Decree 30 March 2001, n. activation of forms of protection of one's rights and control of the legitimacy of administrative action. On the basis of the aforementioned regulatory framework, in fact, the publication of the ranking in the official bulletins of the respective bodies (and on their institutional websites) was given notice by means of a notice in the Official Gazette of the Republic and the deadline for any appeals began from the date of the aforementioned publication. (see art. 15, paragraph 6 of Presidential Decree 9 May 1994, no. 487, in the text prior to the amendments made by Presidential Decree 82/2023 applicable to the case in question, which currently instead provides for publication to take place on the Single Recruitment Portal referred to to art. 35-ter of Legislative Decree no. 165 of 30 March 2001, and on the website of the administration concerned and that the deadline for appeal begins.

The above-mentioned rules, however, provide that only the definitive rankings of the competition winners are published and not also the results of the intermediate tests or the personal data of the non-winning or non-admitted competitors (see art. 15, paragraph 6, of the Presidential Decree cit.).

The provisions on administrative transparency also provide for specific publication obligations in the "Transparent Administration" section of the administrations' institutional website. In fact, based on the provisions of Legislative Decree 14 March 2013, n. 33, "without prejudice to other legal advertising obligations, public administrations publish competition notices for the recruitment, in any capacity, of personnel within the administration, as well as the Commission's evaluation criteria, the test tracks and the rankings finals, updated with the possible scrolling of eligible non-winners. The public administrations publish and constantly update the data referred to in paragraph 1" (art. 19, paragraphs 1 and 2; see Memorandum of the President of the Authority for the Protection of Personal Data on the 2020 budget bill commission 5 °, Budget, of the Senate of the Republic, of 12 November 2019, web doc. 9184376; see, lastly, provisions of 11 April 2024, web doc. no. 10019523, no. 83, web document no. 9888096, and 28 April 2022, no. 407 web document no. 9732406).

These provisions define, from a data protection perspective, the scope of permitted processing and constitute its legal basis by establishing limits, conditions and conditions for the online publication of personal data in the context of insolvency proceedings.

In this context, the Guarantor has, over time, provided specific indications to public administrations regarding the precautions to be adopted for the dissemination of personal data on the Internet for the purposes of transparency and publicity of the administrative action, in particular, in 2014, with the " Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for advertising and transparency purposes on the web by public entities and other obliged bodies" (provision no. 243 of 15 May 2014, web doc. no. 3134436, part I and II, spec.

For what is represented above, the publication by the Municipality of Nepi, on its institutional website, of the note prot. n. 1983 of 2 February 2015, with which, as part of the aforementioned competition procedure, the ranking of the pre-selective test was approved, with the list of candidates admitted (n. 33) and not admitted (n. 178) to the written test, among which, since it was not admitted, the complainant also gave rise to the dissemination of personal data in the absence of an appropriate legal basis, in violation of the articles. 5, 6 of the Regulation, as well as 2-ter of the Code, as confirmed by the Municipality itself during the investigation (see "without suitable legal basis for such processing of personal data", note dated 11 November 2022 cit.).

3.2. Failure to regulate the relationship with the service provider pursuant to art. 28 of the Regulation

In order to comply with the legislation on the protection of personal data, it is necessary, first of all, to precisely identify the subjects who, in different capacities, can process personal data and clearly define their respective roles, in particular that of owner and manager of the processing and of the subjects who operate under their direct responsibility (art. 4, points 7 and 8, 28 and 29 of the Regulation).

In this framework, the data controller, as part of the preparation of the technical and organizational measures that satisfy the requirements established by the Regulation, also from a security point of view (articles 24 and 32 of the Regulation), may make use of a person responsible for the carrying out certain processing activities, to which it gives specific instructions (see recital 81 of the Regulation).

In this case, the owner "uses only data controllers who present sufficient guarantees to implement adequate [the aforementioned measures] in such a way that the processing meets the requirements of the Regulation and guarantees the protection of the rights of the interested parties" (art. 28 , par. 1, of the Regulation), regulating the relevant relationship with a contract or other legal act, in written form, and giving documented instructions regarding the processing (art. 28, par. 3 and 9, of the Regulation). This is also in order to avoid processing (communication to third parties) in the absence of a suitable lawfulness requirement (given the notion of "third party" referred to in art. 4, point 10, of the Regulation; see art. 2-ter, paragraphs 1 and 4, letter a), of the Code, with regard to the definition of "communication").

The data controller is, in any case, entitled to process the data of the interested parties "only upon documented instructions from the owner" (art. 28, par. 3, letter a), of the Regulation; in this regard see Cass., Section. I Civ., ordinance n. 21234 of 23 July 2021, which confirmed a provision of the Guarantor, albeit with reference to a different processing context and the previous regulatory framework), having to assist the latter in guaranteeing compliance with the obligations deriving from data protection regulations (art. 28, par. 3, letter), of the Regulation). These principles have also been confirmed by the Court of Cassation, which, among other aspects, recently stated that the processing of personal data carried out by the person delegated by the owner in the absence of formal investiture in the role of manager is unlawful (see Cass., Section I Civ., sentence no. 35256 of 18 December 2023, which confirmed the provision of 22 July 2021, no.

Having said this, in light of what emerged from the outcome of the preliminary investigation and the declarations made by the Municipality, also taking into account the elements acquired in the context of the separate investigation conducted against the Company, it is ascertained that the functions carried out for an extended period time by the Company, on behalf and in the interest of the Municipality (see municipal determination of assignment of the service no. 861 and declarations made by the Company), have involved the processing of personal data of a plurality of interested parties (users of the website and other interested parties whose data are published in specific sections of the website), with respect to which the Municipality is in any case the owner, processing them on the basis of legal obligations and for the pursuit of its institutional purposes, determining the means and methods of processing, as well as the main terms of the execution of the service on the basis of the contracts stipulated with the supplier. It appears, in this sense, that the Municipality, "having ascertained the unavailability [of the aforementioned deed, proceeded with] the drafting of the document" resulting in the relevant signature of the Company only on 3 November 2022 (see note dated 11 November 2022) . This means that, by not having regulated the relationship with the aforementioned supplier from a data protection perspective until the aforementioned date, the Municipality has operated in violation of the art. 28 of the Regulation.

Nor can these findings, however, be considered overcome in light of the documents subsequently sent by the Municipality, given that these are documents not signed by the parties, undated and without references to the contractual relationships existing between the Municipality and the Company (see notes of 30 March 2023 and 16 May 2023, in documents).

As previously clarified by the Guarantor with regard to similar cases (see provisions of 18 July 2023, nos. 313 and 314, web doc. nos. 9920645 and 9920664; provisions of 21 July 2022, nos. 268, 269 and 270, web doc. nos. 9813326 and 9461321; 562852, provision 17 December 2020, 281 and 282, web doc. 9525315 and 9525337, as well as “Guidelines”. 07/2020 on the concepts of data controller and data controller in the GDPR", adopted on 7 July 2021 by the European Committee for the Protection of Personal Data, spec. note 42) and, finally, confirmed by the jurisprudence of legitimacy referred to above, in the case of failure to sign an agreement pursuant to art. 28 of the Regulation (and if there are no other independent conditions that could legitimize the processing of personal data by a supplier), the processing must be considered carried out in the absence of a suitable legal basis and in violation of the principle of lawfulness (see Cass., Section I Civ., sentence 35256 of 18 December 2023, where we read that "in the absence of "designation" [... pursuant to art. 28 of the Regulation] with a specific contract or other equivalent act having identified other conditions that could legitimize the processing of personal data of users of the service in question, their processing by [...] must be considered carried out in the absence of a suitable legal basis and, therefore, in violation of articles 5 , par. 1, letter a), and 6 of the Regulation"; v. also Cass., Section. I Civ., ordinance n. 21234 of 23 July 2021).

In light of the preceding considerations, given the lack of regulation of the relationship with the Company in terms of data protection, it must be concluded that the Municipality has made available to the Company the personal data of the users of the website and of other interested parties whose data were published there in the absence of an appropriate legal basis, giving rise to illicit processing of personal data, in violation of articles. 5, par. 1, letter. a), and 6 of the Regulation and art. 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021 and in the current text).

4. Conclusions.

In light of the assessments mentioned above, it is noted that the declarations made by the data controller during the investigation are the truthfulness of which one may be called upon to respond to pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow us to overcome the findings notified by the Office with the act of initiating the proceeding and are insufficient to allow the dismissal of this proceeding, as, moreover, none of the cases provided for by the 'art. 11 of the Guarantor Regulation n. 1/2019.

To determine the applicable rule, from a temporal perspective, the principle of legality referred to in art. 1, paragraph 2, of the law. n. 689/1981, pursuant to which the laws providing for administrative sanctions apply only in the cases and times considered therein. This determines the obligation to take into consideration the provisions in force at the time of the violation committed, which - given the permanent nature of the contested offenses - must be identified at the moment of cessation of the conduct. It is believed that the Regulation and the Code constitute the legislation in light of which to evaluate the treatments in question.

The preliminary assessments of the Office are therefore confirmed and the illegality of the processing of personal data carried out by the Municipality of Nepi is noted, due to the aforementioned Municipality:

- disseminated online the personal data of the complainant and of the interested parties indicated in the ranking, in the absence of a suitable regulatory requirement, in violation of the articles. 5, par. 1, letter. a), 6, par. 1, letter. c) and e), of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021, in force at the time in which the dissemination of the personal data in question began, and in the current text) ;

- processed the personal data of the users of the website and of other interested parties whose data was published on the same website, without having regulated the relationship with Grafiche E. Gaspari S.r.l., entrusted with the instrumental service aimed at managing the institutional website of the Municipality , in violation of the art. 28 of the Regulation, making personal data available to the aforementioned Company, as a result, in the absence of a suitable regulatory requirement, in violation of the articles. 5, par. 1, letter. a), and 6 of the Regulation and art. 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021 and in the text currently in force).

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In the present case, two distinct behaviors can be identified (one in relation to the dissemination of the personal data of the participants in the pre-selection test and the other inherent to the failure to regulate relations with the aforementioned Company in terms of data protection) attributable to the Municipality of Nepi, which must, therefore, be considered separately for the purposes of quantifying the administrative sanctions to be applied.

In any case, considering that the conduct has exhausted its effects, the conditions for the adoption of corrective measures pursuant to art. 58, par. 2, of the Regulation.

5.1. The conduct referred to in paragraph 3.1 of this provision

Taking into account that the violation of the provisions cited in the previous paragraph 3.1 of this provision, as a result of the dissemination of the personal data of the participants in the pre-selection test, including the complainant herself, took place as a consequence of a single conduct (same treatment or treatments connected to each other), art. applies. 83, par. 3 of the Regulation, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns the articles. 5, par. 1, letter. a), 6, par. 1, letter. c) and e), of the Regulation, as well as 2-ter of the Code, subject to the administrative sanction provided for by 83, par. 5 of the Regulation, as also referred to in art. 166, paragraph 2, of the Code, the total amount of the fine is to be quantified up to €20,000,000.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by the art. 83, par. 2, of the Regulation.

With specific regard to the nature, severity and duration of the violation (art. 83, par. 2, letter a), of the Regulation), it is necessary to consider, in particular, the significant number of interested parties involved (over two hundred) and the circumstance that the ranking was published online for a particularly long period of time, i.e. from 3 February 2015 to 18 February 2022, the day on which the aforementioned content was definitively removed. On the other hand, with regard to the subjective profile of the violation (art. 83, par. 2, letter b), of the Regulation), the circumstance that it was "an isolated and non-systematic episode" must be taken into account, due to "a mere human error resulting from the erroneous belief in the need to disseminate the pre-selective ranking" (see note dated 14 November 2023), the Municipality having operated in the erroneous belief that it could pursue the aim of transparency of the administrative action, not taking However, I take into account the current regulatory framework and the indications provided over time by the Guarantor to all public entities on the matter (both with the "Guidelines on the processing of personal data, also contained in administrative documents and deeds, carried out for advertising and transparency on the web by public entities and other obliged bodies" mentioned above, and with numerous decisions on individual cases). It is also believed that it should be considered that, in any case, the publication did not concern personal data belonging to the particular categories referred to in the art. 9 of the Regulation or data relating to criminal convictions or crimes (art. 83, par. 2, letter g), of the Regulation).

In light of these circumstances, it is considered that, in the present case, the level of severity of this violation committed by the data controller is medium (see European Data Protection Committee, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Having said this, the following mitigating circumstances must be considered in favor of the owner:

- there are no previous relevant violations committed by the data controller, of the same nature as those ascertained in relation to the facts of the complaint, or previous measures referred to in the art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);

- the Municipality offered good cooperation with the Authority during the investigation, having also represented that it had removed the aforementioned content, albeit following the start of the investigation by the Guarantor (art. 83, par. 2, letter), of the Regulation);

- the Municipality of Nepi is a territorial body of modest size (just over 9,000 inhabitants; art. 83, par. 2, letter k), of the Regulation).
On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 8,000 (eight thousand) euros for the violation of the articles. 5, par. 1, letter. a), 6, par. 1, letter. c) and e), of the Regulation, as well as 2-ter of the Code, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

Taking into account, in particular, the extended period of time during which the aforementioned data were published online on the Municipality's institutional website, it is also believed that the additional sanction of publication of this provision on the Guarantor's website should be applied. , foreseen by the art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019.

5.2. The conduct referred to in paragraph 3.2 of this provision

Taking into account that the violation of the provisions cited in the previous paragraph 3.2 of this provision, as a result of the failure to regulate the relationship with Grafiche E. Gaspari S.r.l. from the point of view of data protection and the consequent making available of the data to the Company itself in the absence of a suitable assumption of lawfulness, took place in the context of a single conduct (same processing or related processing), the 'art. 83, par. 3 of the Regulation, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns (in addition to art. 28 of the Regulation) articles. 5, par. 1, letter. a) and 6 of the Regulation, subject to the administrative sanction provided for by 83, par. 5 of the Regulation, the total amount of the fine is to be quantified up to 20,000,000 euros.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by the art. 83, par. 2, of the Regulation.

With specific regard to the nature, severity and duration of the violation (art. 83, par. 2, letter a), of the Regulation), it must be considered, in particular, that the processing in question concerned personal data of all users of the institutional website of the Municipality as well as of the other interested parties whose personal data were published there and that the Municipality, which had outsourced the management of the website for an extended period of time (see municipal determination of assignment of the service no. 861 and declarations made by the Company), has reached the stipulation of an agreement with the Company pursuant to art. 28 of the Regulation only on 3 November 2022. It is also considered necessary to consider that the violation did not concern personal data relating to particular categories of data (art. 9 of the Regulation) or to criminal convictions and crimes (art. 10 of the Regulation) (art. 83, par. 2, letter g), of the Regulation).

In light of these circumstances, it is considered that, in the present case, the level of severity of this violation committed by the data controller is medium (see European Data Protection Committee, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Having said this, the following mitigating circumstances must be considered in favor of the owner:

- there are no previous relevant violations committed by the data controller, of the same nature as those ascertained in relation to the facts of the complaint, or previous measures referred to in the art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);

- the Municipality offered good cooperation with the Authority during the investigation, having reached, during the investigation, the stipulation of an agreement pursuant to art. 28 of the Regulation with the Company (art. 83, par. 2, letter f), of the Regulation);

- the Municipality of Nepi is a territorial body of modest size (just over 9,000 inhabitants; art. 83, par. 2, letter k), of the Regulation).
On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 12,000 (twelve thousand) euros for the violation of the articles. 55, par. 1, letter. to),

6, par. 1, letter. c) and e), of the Regulation, as well as 2-ter of the Code, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

Taking into account, in particular, the extended period of time during which the relationship between the Municipality and the Company remained without adequate regulation in terms of data protection, it is also believed that the accessory sanction of publication on the Guarantor's website of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019.

ALL THIS CONSIDERING THE GUARANTOR

declares, pursuant to art. 57, par. 1, letter. f), of the Regulation, the illegality of the processing carried out by the Municipality of Nepi due to violation of the articles. 5, par. 1, letter. a), 6, and 28 of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021, in force at the time in which the dissemination of the personal data in question began, and in the current text ), in the terms set out in the motivation;

ORDER

to the Municipality of Nepi, in the person of the legal representative pro tempore, with registered office in Piazza Comune 20 - 01036 Nepi (VT), C.F. 00088940564, to pay the sum of 20,000 (twenty thousand) euros as a pecuniary administrative sanction for the violations indicated in the justification. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Municipality, in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 20,000 (twenty thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of the law. n. 689/1981;

HAS

- the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Guarantor's Regulation no. 1/2019);

- the annotation of this provision in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u), of the Regulation, of violations and measures adopted in compliance with the art. 58, par. 2 of the Regulation (see art. 17 of the Guarantor's Regulation no. 1/2019).

Pursuant to the articles. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 June 2024

PRESIDENT
Stantion

THE SPEAKER
Zest

THE GENERAL SECRETARY
Mattei

[doc. web no. 10039471]

Provision of 20 June 2024

Register of measures
n. 372 of 20 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/ EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (hereinafter the “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette. n. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

Having seen the documentation in the documents;

Having seen the observations made by the general secretary pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker: the lawyer. Guido Scorza;

PREMISE

1. Introduction.

With a complaint presented pursuant to art. 77 of the Regulation, Ms. XX complained about the online publication, at the address "https://...", as well as the indexing on search engines of a ranking formed following the pre-selection test of a public competition announced from the Municipality of Nepi, containing the list of admitted and not admitted candidates.

The complainant also complained that, despite multiple requests to remove the aforementioned ranking addressed to the aforementioned Municipality, it continued to be available online - a circumstance which was ascertained by the Authority on 10 February 2022.

During the investigation, the Authority also noted the failure to regulate, pursuant to art. 28 of the Regulation, of the relationship with the company Grafiche E. Gaspari S.r.l. (hereinafter, also "Company"), responsible for many years of managing the institutional website and related contents on behalf and in the interest of the Municipality.

2. The preliminary investigation activity.

In response to a request for information formulated by the Authority pursuant to art. 157 of the Code, the Municipality of Nepi, with a note dated 2 March 2022, declared, in particular, that:

he “promptly took action to resolve the problem” and “immediately contacted [his] external supplier. Gaspari srl [...] for the removal of the above-mentioned page;

"the assistance [... has] taken steps to definitively delete the data indicated, which also concerns an obsolete address that can no longer be reached from the official portal of the Municipality";

the Municipality itself has "therefore verified that the page no longer appears at the link indicated" and therefore believes "it has definitively resolved the problem".

In response to a subsequent request from the Authority, aimed at acquiring both the information already requested, but not received, and certain further information, with a note dated 13 June 2022 the aforementioned Municipality declared, in particular, that:

the managers [of the competent Municipality offices] were "urgently asked for maximum collaboration in providing a detailed report on all the activities undertaken [...]";

the “Municipality identified the legal basis of the processing, which would have justified the online dissemination of the ranking of the public competition in which the [complainant] participated, in the art. 19 of the legislative decree lgs. 33/2013, as well as in the art. 15, Presidential Decree 9 May 1994, n. 487. The Organization was inspired, in good faith, by the principle of total accessibility of documents held by public administrations referred to in art. 1 of the aforementioned decree. In the organisation's belief, the legislation regarding the obligations of publicity, transparency and dissemination of information by public administrations would have allowed it to publish the ranking in question for a period of 5 years, starting from 1 January of the following year to the one from which the presumed obligation of publication began";

“the ranking in question was published in the “Transparent Administration” section [of] the Municipality on 28 September 2016, and was intended for publication on the institutional website until 31 December 2021, pursuant to art. 8 of the legislative decree lgs. 33/2013 […]. The indexing of the site took place in application of the art. 9 of the legislative decree lgs. 33/2013 […]”;

the "previous institutional site, on which the ranking was originally published, has been eliminated from the Internet by the supplier, Gaspari S.r.l., and replaced with a new site [...]";

"following the publication of the new site, the ranking in question was distributed, by mistake, on the site https://.., no longer accessible from the new portal of the Institution";

“having received the request from the [complainant], the Municipality erroneously assumed that the publication of the ranking was necessary until 31 December 2021”;