Garante per la protezione dei dati personali (Italy) - 10050145

From GDPRhub
Revision as of 07:48, 13 September 2024 by Fb
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 12(3) GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 04.07.2024
Published:
Fine: 4,000 EUR
Parties: Comune di Villasimius
National Case Number/Name: 10050145
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA fined a municipality €4,000 after it unlawfully published on its website the names and evaluations of the applicants for a job selection.

English Summary

Facts

The controller, a municipality, organised a public selection procedure to hire the head of one of its units.

The data subject took part in this procedure and shared personal data with the controller, such as her CV, her birth date and her graduation mark.

The controller published on its website the minutes of the board meeting evaluating the candidates. This document contained the abovementioned personal data.

Therefore, the data subject filed a complaint with the DPA.

The controller pointed out that after the DPA’s notice it removed the document from the website.

Moreover, it noted that the data subject sent the erasure request not to the DPO email address, but to the personal email of the general secretary of the municipality at a time when that role was vacant.

Finally, the controller argued that it published the document in order to comply with its transparency obligations.

Holding

First of all, the DPA pointed out that a public authority may only process personal data under Article 6(1)(c) or 6(1)(e) GDPR. In the case at hand, the controller argued that it was under a legal obligation to publish the evaluation of the data subject in order to comply with the transparency obligations set by national administrative law.

However, the DPA noted that, while a previous version of the applicable law prescribed the publication of the document at hand, the one in force at the time of the violation sets an obligation to publish only the final ranking, i.e. only the name of the person who was successfully selected. Therefore, the DPA found a violation of Article 5(1)(a) and 6 GDPR.

Finally, the DPA noted that the controller did not answer the data subject’s erasure request in a timely manner and did so only when the DPA initiated the proceeding. Therefore, it found a violation of Article 17 GDPR in combination with Article 12(3) GDPR.

On these grounds, it issued a fine of €4,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. n. 10050145]

Provision of 4 July 2024

Register of provisions
n. 404 of 4 July 2024

 

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur: lawyer Guido Scorza;

WHEREAS

1. Introduction.

With a complaint submitted pursuant to art. 77 of the Regulation, Ms. XX complained about the failure of the Municipality of Villasimius to respond, within the terms set out in the Regulation, to the request to exercise the right to cancel from the institutional website of the Municipality of Villasimius and de-index from search engines an internal act of a selection procedure announced by the Municipality itself, namely, specifically, the report no. 1 of 19 December 2019, containing personal data, such as date of birth, degree grade and assessments obtained in the context of this procedure as well as, moreover, the names of the members of the commission and the person in charge of the verbalization (see “Minutes no. 1 of the examining commission of the public selection for the assignment of the position of Head of the General and Social Affairs Sector – Deputy Municipal Secretary pursuant to art. 110, paragraph 1, of Legislative Decree 18.08.2000 no. 267, announced by the Municipality of Villasimius”). 

2.    The preliminary investigation activity.

Having ascertained, on 24 August 2022, that the aforementioned report, containing in particular the personal data of the interested party, was published on the institutional website of the Municipality of Villasimius, as well as indexed on search engines, on 5 September 2022 the Authority first invited the Municipality to provide timely and exhaustive feedback to the requests formulated by the complainant within the term of 20 days.

Following the aforementioned invitation, with a note dated 23 September 2023, the Municipality represented to the Authority, in particular, that:

- “following the appropriate checks […], the report received was ascertained” and, in particular, “the existence of personal data in the document concerning “MINUTES NO. 1 OF THE EXAMINING COMMISSION OF THE PUBLIC SELECTION FOR THE ASSIGNMENT OF THE POSITION OF MANAGER OF THE GENERAL AND SOCIAL AFFAIRS SECTOR – MUNICIPAL DEPUTY SECRETARY PURSUANT TO ART. 110, PARAGRAPH 1, OF LEGISLATIVE DECREE NO. 267 OF 18.08.2000, CALLED BY THE MUNICIPALITY OF VILLASIMIUS”, containing the personal data of the [complainant]”;
- “therefore, in the “Transparent Administration” section under the “Competition Notices” section, the personal data (date of birth, degree grade and evaluation achieved) in the reported documentation were deleted”;
- “a further check was also carried out regarding the web indexing of the same information, which, once identified via a web search engine, were also deleted from the search cache.”;
- “also following a reorganization of the procedures of the Institution, the occasion was useful to verify the management systems of the rights of the interested parties and to avoid, in the future, similar episodes from happening again”.

Subsequently, in providing feedback to a request for information sent pursuant to art. 157 of the Code, with a note dated 17 January 2024 the Municipality declared, in particular, that:

- the publication of the aforementioned report derives from an “error of an absolutely negligent nature, in the form that is considered to be minor negligence, […] determined not by a lack of knowledge of the relevant legislation, nor by the desire to cause any harm in any form to the participant in the insolvency procedure, but by the excessive workload during the pandemic period which, together with the concurrent scarcity of human resources, meant that the Authority committed an error of analysis such as that which occurred regarding what was to be published”;
- furthermore, “there is an absence of communication of categories of particular or judicial data; no prejudicial consequences have occurred, at least to the […] knowledge of [this Municipality], for the complainant”;
- the “document and the data reported by the complainant were immediately deleted, including the related de-indexing from search engines. Furthermore, the Authority subsequently provided specific courses on the relationship between transparency and privacy, to better raise awareness among employees so that further episodes such as the one in question do not occur. Finally, […] the Authority modified its procedures prior to the publication of data and information, subjecting the documents to more careful internal control”;
- “the original request to exercise the rights of the interested party [did] not arrive at the certified email address of the protocol or of the DPO nor, with a view to fully facilitating the rights of the interested party, at the respective ordinary emails but at the ordinary email address of the Municipal Secretary in a period in which the Municipal Secretariat was also vacant and the address was not permanently manned, with the consequent problems of notification (and proof of the relative notification) determined by the means chosen by the complainant”.
 

With a note dated 10 April 2023, the Authority, on the basis of the elements acquired, the checks carried out and the facts that emerged following the investigation, notified the Municipality of Villasimius, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, for having the aforementioned Municipality:

- responded to the request to exercise the right of cancellation and de-indexing formulated by the complainant, on 23 September 2022, only following the invitation to join sent by this Authority on 5 September 2022 and, therefore, in violation of art. 12 of the Regulation;
- disseminated online the personal data of the complainant as well as, moreover, the names of the members of the examining commission and the reporter, contained within the aforementioned report no. 1 drawn up by the same commission, appointed as part of the selection procedure announced by the Municipality itself for the assignment of the position of Head of the General and Social Affairs Sector - Deputy Municipal Secretary pursuant to art. 110, paragraph 1, of Legislative Decree no. 267 of 18 August 2000, in the absence of a suitable regulatory basis, in violation of arts. 5, paragraph 1, letter a), 6, paragraph 1, letter c) and e), of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text).

With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law 24 November 1981, no. 689).

With a note dated 7 May 2024, the Municipality of Villasimius, which did not request to be heard, submitted a defensive brief, declaring, in particular, that:

- “the episode appears to be isolated and was determined [...] by a mere error in the application of the legislation on public competitions contained in Presidential Decree 487/1994 in force at the time with particular reference to art. 12, paragraph 2 and art. 15, paragraphs 4 and 5”;
- “the purpose pursued through the publication was to ensure the transparency of the competitive procedure and to allow the appellant, the only suitable candidate, to know the outcome of all the assessments carried out by the judging panel with respect to her and the winner, and to be able to act, if necessary, without delay, to protect her rights with the competent administrative and/or judicial authorities”;
- “nor was the error determined by the desire to cause any harm in any form to the participant in the competitive procedure, but by the excessive workload during the pandemic period which, together with the concurrent insufficiency of human resources, meant that the Entity committed an error in the analysis of the applicable legislation […]”;
- “the Entity […] proceeded to immediately delete the document and the data reported by the appellant, including the related de-indexing from search engines as soon as it was notified by this Authority on 05.09.2022”;
- “subsequent to this episode, the Authority took steps […] to have its employees take specific courses on the relationship between transparency legislation and privacy, also to prevent similar episodes from happening in the future. Furthermore, the Authority modified its internal procedures regarding the publication of data and information, subjecting the published documents to more careful internal control”;
- “there are no previous relevant violations committed by the data controller or previous measures pursuant to art. 58 of the Regulation”; 
- “the data controller is a small Authority (with approximately 3,700 inhabitants), with limited organizational and professional resources”; 
- “the conduct was carried out in the context of the SARS-CoV-2 epidemiological emergency, which was particularly heated and critical also in terms of the organization and management of institutional activities”.

3. Result of the investigation. Applicable legislation.

The personal data protection legislation provides that public bodies, even when they operate in the performance of competitive, selective or in any case evaluative procedures, preliminary to the establishment of the employment relationship, can process the personal data of the interested parties (art. 4, no. 1, of the Regulation) if the processing is necessary "to comply with a legal obligation to which the data controller is subject" (think of specific obligations provided for by national legislation "for recruitment purposes", art. 6, par. 1, letter c), 9, parr. 2, letter b) and 4; 88 of the Regulation) or "for the performance of a task of public interest or connected to the exercise of public powers vested in the data controller" (art. 6, par. 1, letter c) and e) of the Regulation and art. 2-ter of the Code).

Such processing must, however, be based on European Union or Member State law, which must pursue an objective of public interest and be proportionate to the pursuit of the same. The purpose of the processing must be necessary for the performance of a task carried out in the public interest or connected to the exercise of public authority vested in the data controller (see art. 6, par. 3, of the Regulation and 2-ter of the Code).

National legislation has introduced more specific provisions to adapt the application of the provisions of the Regulation, determining more precisely specific requirements for processing, as well as other measures to ensure lawful and correct processing (art. 6, par. 2 of the Regulation) and, in this context, has provided that the legal basis provided for by art. 6, par. 3, letter b), of the Regulation, is constituted exclusively by the regulatory sources indicated in art. 2-ter of the Code. (2-ter of the Code).

The data controller is required to comply with the principles of data protection, including “lawfulness, fairness and transparency” as well as “minimization”, according to which personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject” and must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (Article 5, paragraph 1, letters a) and c) of the Regulation).

3.1. Delayed response to the request to exercise the right under Article 17 of the Regulation.

From the elements acquired in the context of the preliminary investigation, it is established that the Municipality of Villasimius responded to the request to exercise the right of cancellation and de-indexing formulated by the complainant, by removing the aforementioned report from its institutional website and de-indexing it from search engines, only on 23 September 2022, i.e. following the invitation to join sent by this Authority on 5 September 2022, without therefore ensuring compliance with the terms set out in the Regulation for responding to the interested party.

In this regard, it is generally stated that the data controller is required to facilitate the exercise of the rights by the interested party and, in any case, to provide explicit feedback to the request formulated by the interested party, regardless of whether or not it is well-founded, without unjustified delay and, in any case, no later than one month after its receipt, in the context of a direct relationship between the interested party and the data controller. The aforementioned deadline may be extended by the controller by two months, if necessary, taking into account the complexity and number of requests, without prejudice to the data subject's right to be informed of such extension and of the reasons for the delay within one month of receiving the request (Article 12, paragraphs 2 and 3 of the Regulation). 

Furthermore, if the controller does not comply with the request of the data subject, he or she shall inform him or her without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy (Article 12, paragraph 4 of the Regulation). 

In light of the above, it must be concluded that the late response provided by the Municipality of Villasimius to the request formulated by the data subject pursuant to Article 17 of the Regulation has led to the violation of Article 12 of the Regulation. 

3.2. The unlawful dissemination of the complainant's personal data as well as the names of the members of the commission and the person in charge of the minutes.

From the elements acquired and the facts that emerged during the investigation, it is established that the Municipality of Villasimius published on its institutional website the minutes no. 1 of 19 December 2019, relating to a selection procedure announced by the Municipality itself and containing the complainant's personal data - such as her date of birth, degree grade and evaluation in the context of this procedure - as well as the names of the members of the commission and the person in charge of the minutes (see "Minutes no. 1 of the examination committee of the public selection for the assignment of the position of Head of the General and Social Affairs Sector - Deputy Municipal Secretary pursuant to art. 110, paragraph 1, of Legislative Decree 18.08.2000 no. 267, announced by the Municipality of Villasimius"). 

The document in question, as ascertained in the investigation and confirmed by the Municipality, was also indexed by general search engines. In this regard, the regulatory provisions that establish, in general, the publicity of the rankings of competitions and selective tests (see, in particular, Presidential Decree 10 January 1957, no. 3; as well as art. 15 et seq. of Presidential Decree 9 May 1994, no. 487 "Regulation containing rules on access to employment in public administrations and the procedures for conducting competitions, single competitions and other forms of hiring in public employment", also following the amendments introduced by Presidential Decree 16 June 2023, no. 82 and, more generally, on the publicity of recruitment procedures for public administration personnel, art. 35 Legislative Decree 30 March 2001, no. 165) perform the function of allowing interested parties, participating in competitive or selective procedures, to activate forms of protection of their rights and of control of the legitimacy of the administrative action. In fact, based on the aforementioned regulatory framework, the publication of the ranking in the official bulletins of the respective bodies (and on their institutional websites) was notified by means of a notice in the Official Journal of the Republic and the deadline for any appeals ran from the date of the aforementioned publication (see art. 15, paragraph 6 of Presidential Decree no. 487 of 9 May 1994, in the text prior to the amendments made by Presidential Decree no. 82/2023 applicable to the case in question, which currently provides that the publication takes place on the Single Recruitment Portal referred to in art. 35-ter of Legislative Decree no. 165 of 30 March 2001, and on the website of the administration concerned and that the terms for appeals run from the date of such publication).

The provisions on administrative transparency also provide for specific publication obligations in the "Transparent Administration" section of the institutional website of the administrations. In fact, pursuant to the provisions of Legislative Decree 14 March 2013, no. 33, “without prejudice to other legal advertising obligations, public administrations publish competition notices for the recruitment, in any capacity, of personnel for the administration, as well as the evaluation criteria of the Commission, the test outlines and the final rankings, updated with the possible scrolling of eligible non-winners. Public administrations publish and constantly update the data referred to in paragraph 1” (art. 19, paragraphs 1 and 2; see Memorandum of the President of the Authority for the Protection of Personal Data on the 2020 budget bill, 5th Committee, Budget, of the Senate of the Republic, dated 12 November 2019, web doc. 9184376; see, lastly, provision of 11 April 2024 no. 235, web doc. no. 10019523 as well as provisions of 23 March 2023, no. 83, web doc. no. 9888096, and of 28 April 2022, no. 151, web doc. no. 9778996, and the previous provisions referred to therein, including, in particular, the provision of 25 November 2021 n. 407, web doc. n. 9732406). 

These provisions define, from the point of view of data protection, the scope of permitted processing and constitute its legal basis by establishing limits, conditions and prerequisites for the online publication of personal data in the context of competitive procedures. However, they provide that only the final rankings of the competition winners are published and not also the intermediate or intra-procedural documents relating to the overall competitive procedure (see art. 15, paragraph 6, of the Presidential Decree cited), as instead occurred in the case in question with the publication of the aforementioned report n. 1 of 19 December 2019.

In this context, the Guarantor has, over time, provided specific general indications to public administrations regarding the precautions to be adopted for the dissemination of personal data on the Internet for the purposes of transparency and publicity of administrative action, in particular, in 2014, with the "Guidelines on the processing of personal data, including those contained in administrative acts and documents, carried out for publicity and transparency purposes on the web by public bodies and other obliged entities" (provision no. 243 of 15 May 2014, web doc. no. 3134436, part I and II, spec. par. 3.b) and, with decisions on individual cases, has deemed the publication, in the context of selection procedures and competitions, of acts and documents other than the final merit rankings to be unlawful (see provision no. 195 of 17 May 2023, web doc. no. 9908484; November 25, 2021, no. 407, web doc. no. 9732406; March 11, 2021, no. 89, web doc. no. 9581028).

In light of the above, the publication by the Municipality of Villasimius on its institutional website of minutes no. 1 of 19 December 2019, relating to a selection procedure announced by the Municipality itself and containing personal data of the complainant - such as date of birth, degree grade and evaluation in the context of this procedure - as well as the names of the members of the commission and the person in charge of the verbalization, has given rise to the dissemination of personal data in the absence of an appropriate legal basis, in violation of Articles 5, 6 of the Regulation, as well as 2-ter of the Code.

4. Conclusions.

In light of the above-mentioned assessments, it is noted that the declarations made by the data controller during the investigation - the truthfulness of which one may be held accountable for pursuant to art. 168 of the Code - although worthy of consideration, do not allow the findings notified by the Office with the act of initiation of the proceeding to be overcome and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

In order to determine the applicable rule, from a temporal perspective, it is necessary to recall, in particular, the principle of legality referred to in art. 1, paragraph 2, of law no. 689/1981, pursuant to which the laws that provide for administrative sanctions apply only in the cases and times considered therein. This determines the obligation to take into consideration the provisions in force at the time of the violation, which – given the permanent nature of the contested offences – must be identified at the time of cessation of the conduct. It is believed that the Regulation and the Code constitute the legislation in light of which to evaluate the treatments in question.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality of Villasimius is noted, for the aforementioned Municipality:

- responded to the request to exercise the right of cancellation and de-indexing formulated by the complainant, dated 23 September 2022, only following the invitation to join sent by this Authority on 5 September 2022 and, therefore, in violation of art. 12 of the Regulation;
- disseminated online the personal data of the complainant as well as, moreover, the names of the members of the examining commission and the person in charge of the minutes, contained in the aforementioned minutes no. 1 drawn up by the commission, appointed within the selection procedure announced by the same Municipality for the assignment of the position of Head of the General and Social Affairs Sector - Deputy Municipal Secretary pursuant to art. 110, paragraph 1, of Legislative Decree no. 267 of 18 August 2000, in the absence of a suitable regulatory basis, in violation of Articles 5, paragraph 1, letter a), 6, paragraph 1, letter c) and e), of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text).

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and the accessory sanctions (Articles 58, paragraph 2, letter i and 83 of the Regulation; Article 166, paragraph 7, of the Code). 

The Guarantor, pursuant to Articles 58, paragraph 2, letter i) and 83 of the Regulation as well as Article 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the [Guarantor] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction to be published, in full or in extract, on the Guarantor’s website pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this case, two distinct conducts are identified (one in relation to the delayed response to the request to exercise the right under Article 17 of the Regulation and the other relating to the dissemination of the complainant's personal data) attributable to the Municipality of Villasimius, which must therefore be considered separately for the purposes of quantifying the administrative sanctions to be applied.

In any case, considering that the conducts have exhausted their effects, the conditions for the adoption of corrective measures, pursuant to Article 58, paragraph 2, of the Regulation, do not exist.

5.1. The conduct referred to in paragraph 3.1 of this provision.

Taking into account that the violation of the provisions cited in the previous paragraph 3.1 of this provision, due to the delayed response to the request to exercise the right under Article 17 of the Regulation, occurred as a result of a single conduct, Article 83, paragraph 3, of the Regulation applies, according to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious infringement. Considering that, in the case in question, the most serious infringement concerns art. 12 of the Regulation, subject to the administrative sanction provided for by art. 83, par. 5, of the Regulation, the total amount of the sanction is to be quantified up to EUR 20,000,000.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.

With specific regard to the subjective profile of the violation (art. 83, par. 2, letter b), of the Regulation), it is important to first consider the circumstance that the delay in responding to the request to exercise the data subject's rights by the data controller was, at least in part, dependent on the fact that "the original request to exercise the data subject's rights [had been sent by the complainant] not to the certified email address of the protocol or of the DPO [... or] to the respective ordinary emails but to the ordinary email address of the Municipal Secretary in a period in which the Municipal Secretariat was vacant and the address was not permanently manned, with the consequent problems of notification (and proof of the relevant notification) determined by the means chosen by the complainant" (see note of 17 January 2024).

In light of this specific circumstance, it is believed that, in this case, the level of severity of this violation committed by the data controller is low (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).

That said, the following mitigating circumstances must be considered, in favour of the data controller:

- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);

- the Municipality offered good cooperation with the Authority during the investigation, having also provided immediate feedback to the complainant following the invitation to join formulated by the Guarantor (art. 83, par. 2, letter f), of the Regulation);

- the Municipality of Villasimius is a small territorial entity (about 3,700 inhabitants); furthermore, the violation occurred in a context characterized by numerous organizational difficulties as well as by the additional problems connected to the emergency period due to the spread of the Covid-19 virus (art. 83, par. 2, letter k), of the Regulation).

In light of the aforementioned elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of 1,000 (one thousand) euros for the violation of art. 12 of the Regulation, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Furthermore, taking into account the extended period of time during which the aforementioned data were published online on the institutional website of the Municipality, it is also believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

5.2. The conduct referred to in paragraph 3.2 of this provision.

Taking into account that the violation of the provisions cited in the previous paragraph 3.2 of this provision, due to the dissemination of the complainant's personal data, took place as a result of a single conduct (same processing or processing linked to each other), art. 83, paragraph 3, of the Regulation applies, according to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns articles 5 and 6 of the Regulation, as well as 2-ter of the Code, subject to the administrative sanction provided for by art. 83, par. 5, of the Regulation, as also referred to in art. 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to EUR 20,000,000.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.

With specific regard to the nature, gravity and duration of the infringement (Article 83, paragraph 2, letter a), of the Regulation), it is necessary to consider, in particular, the limited number of interested parties involved (in addition to the complainant, the three members of the commission and the person responsible for recording the minutes) and yet, on the other hand, the circumstance that the ranking was published online for a particularly long period of time, until 5 September 2022 (see what was declared by the owner in the note of 7 May 2024 cited), the day on which the aforementioned content was definitively removed.

With regard to the subjective profile of the violation (art. 83, par. 2, letter b), of the Regulation), account must also be taken of the circumstance that the Municipality operated in the mistaken belief that it could pursue the purpose of transparency of administrative action, without however taking into account the regulatory framework of the sector and the indications provided over time by the Guarantor to all public entities in this matter (both with the "Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for purposes of advertising and transparency on the web by public entities and other obliged entities" cited above, and with numerous decisions on individual cases), and that the publication of the report in question derives from an "error of an absolutely negligent nature, in the form considered to be minor negligence, [...] determined not by a lack of knowledge of the relevant legislation, nor by the desire to cause any harm in any form to the participant in the competition procedure, but by the excessive workload during the pandemic period which, together with the concurrent scarcity of human resources, meant that the Entity has committed an error of analysis such as that which occurred regarding what was to be published" (see note of 9 May 2024).

It is also believed that it should be considered that, in any case, the publication did not concern personal data belonging to the special categories referred to in art. 9 of the Regulation or data relating to criminal convictions or offences (art. 83, par. 2, letter g), of the Regulation).

In light of these circumstances, it is believed that, in the specific case, the level of severity of this violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

That said, the following mitigating circumstances must be considered in favor of the data controller:

- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);

- the Municipality offered good cooperation with the Authority during the investigation, having also represented that it had removed the aforementioned content, albeit following the invitation to adhere formulated by the Guarantor (art. 83, par. 2, letter f), of the Regulation);

- the Municipality of Villasimius is a territorial entity of modest size (approximately 3,700 inhabitants); furthermore, the violation occurred in a context characterized by numerous organizational difficulties as well as by the additional problems connected to the emergency period due to the spread of the Covid-19 virus (art. 83, par. 2, letter k), of the Regulation).

On the basis of the above elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of Euro 3,000 (three thousand) for the violation of Articles 5, paragraph 1, letter a), 6 and 12 of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to Article 83, paragraph 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account, in particular, the extended period of time during which the aforementioned data were published online on the institutional website of the Municipality, as well as the situation that was the subject of the complaint (failure of the Municipality to respond to the request made by the interested party to obtain the cancellation from the institutional website of the Entity and the de-indexing from search engines of an internal document of a selection procedure, containing a series of personal information also concerning third parties), it is also believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.
 

GIVEN ALL THE ABOVE, THE GUARANTOR

 

declares, pursuant to art. 57, paragraph 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the Municipality of Villasimius for violation of articles 5, par. 1, letter a), 6 and 12 of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text), in the terms set out in the reasons;

ORDERS

the Municipality of Villasimius, in the person of its legal representative pro-tempore, with registered office in Piazza Gramsci 10 - 09049 Villasimius (SU), C.F. 80014170924, to pay the sum of 4,000 (four thousand) euros as an administrative pecuniary sanction for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

the aforementioned Municipality, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €4,000 (four thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Guarantor Regulation no. 1/2019);

- the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation (see art. 17 of the Regulation of the Guarantor n. 1/2019).

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree n. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. 

Rome, 4 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE SECRETARY GENERAL
Mattei

[web doc. n. 10050145]

Provision of 4 July 2024

Register of provisions
n. 404 of 4 July 2024

 

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur: lawyer Guido Scorza;

WHEREAS

1. Introduction.

With a complaint submitted pursuant to art. 77 of the Regulation, Ms. XX complained about the failure of the Municipality of Villasimius to respond, within the terms set out in the Regulation, to the request to exercise the right to cancel from the institutional website of the Municipality of Villasimius and de-index from search engines an internal act of a selection procedure announced by the Municipality itself, namely, specifically, the report no. 1 of 19 December 2019, containing personal data, such as date of birth, degree grade and assessments obtained in the context of this procedure as well as, moreover, the names of the members of the commission and the person in charge of the verbalization (see “Minutes no. 1 of the examining commission of the public selection for the assignment of the position of Head of the General and Social Affairs Sector – Deputy Municipal Secretary pursuant to art. 110, paragraph 1, of Legislative Decree 18.08.2000 no. 267, announced by the Municipality of Villasimius”). 

2.    The preliminary investigation activity.

Having ascertained, on 24 August 2022, that the aforementioned report, containing in particular the personal data of the interested party, was published on the institutional website of the Municipality of Villasimius, as well as indexed on search engines, on 5 September 2022 the Authority first invited the Municipality to provide timely and exhaustive feedback to the requests formulated by the complainant within the term of 20 days.

Following the aforementioned invitation, with a note dated 23 September 2023, the Municipality represented to the Authority, in particular, that:

- “following the appropriate checks […], the report received was ascertained” and, in particular, “the existence of personal data in the document concerning “MINUTES NO. 1 OF THE EXAMINING COMMISSION OF THE PUBLIC SELECTION FOR THE ASSIGNMENT OF THE POSITION OF MANAGER OF THE GENERAL AND SOCIAL AFFAIRS SECTOR – MUNICIPAL DEPUTY SECRETARY PURSUANT TO ART. 110, PARAGRAPH 1, OF LEGISLATIVE DECREE NO. 267 OF 18.08.2000, CALLED BY THE MUNICIPALITY OF VILLASIMIUS”, containing the personal data of the [complainant]”;
- “therefore, in the “Transparent Administration” section under the “Competition Notices” section, the personal data (date of birth, degree grade and evaluation achieved) in the reported documentation were deleted”;
- “a further check was also carried out regarding the web indexing of the same information, which, once identified via a web search engine, were also deleted from the search cache.”;
- “also following a reorganization of the procedures of the Institution, the occasion was useful to verify the management systems of the rights of the interested parties and to avoid, in the future, that similar episodes occur again”.

Subsequently, in providing feedback to a request for information sent pursuant to art. 157 of the Code, with a note dated 17 January 2024 the Municipality declared, in particular, that:

- the publication of the aforementioned report derives from an “error of an absolutely negligent nature, in the form that is considered to be minor negligence, […] determined not by a lack of knowledge of the relevant legislation, nor by the desire to cause any harm in any form to the participant in the competition procedure, but by the excessive workload during the pandemic period which, together with the concurrent scarcity of human resources, meant that the Entity committed an error of analysis such as that which occurred regarding what was to be published”;
- furthermore, “there is an absence of communication of categories of particular or judicial data; no prejudicial consequences occurred, at least to the […] knowledge of [this Municipality], for the complainant”;
- “the document and the data reported by the complainant were immediately deleted, including the related de-indexing from search engines. Furthermore, the Authority subsequently provided specific courses on the relationship between transparency and privacy, to better raise awareness among employees so that further episodes such as the one in question do not occur. Finally, […] the Authority modified its procedures prior to the publication of data and information, subjecting the documents to more careful internal control”;
- “the original request to exercise the rights of the interested party [was] sent not to the certified email address of the protocol or the DPO nor, with a view to fully facilitating the rights of the interested party, to the respective ordinary emails but to the ordinary email address of the Municipal Secretary in a period in which the Municipal Secretariat was vacant and the address was not permanently manned, with the consequent problems of notification (and proof of the relative notification) determined by the means chosen by the complainant”.
 

With a note dated 10 April 2023, the Authority, on the basis of the elements acquired, the checks carried out and the facts that emerged following the investigation, notified the Municipality of Villasimius, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, because the aforementioned Municipality:

- responded to the request to exercise the right of cancellation and de-indexing formulated by the complainant on 23 September 2022, only following the invitation to join sent by this Authority on 5 September 2022 and, therefore, in violation of art. 12 of the Regulation;
- disseminated online the personal data of the complainant as well as, moreover, the names of the members of the examining commission and the reporter, contained within the aforementioned report no. 1 drawn up by the same commission, appointed as part of the selection procedure announced by the Municipality itself for the assignment of the position of Head of the General and Social Affairs Sector - Deputy Municipal Secretary pursuant to art. 110, paragraph 1, of Legislative Decree no. 267 of 18 August 2000, in the absence of a suitable regulatory basis, in violation of arts. 5, paragraph 1, letter a), 6, paragraph 1, letter c) and e), of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text).

With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law 24 November 1981, no. 689).

With a note dated 7 May 2024, the Municipality of Villasimius, which did not request to be heard, submitted a defensive brief, declaring, in particular, that:

- "the episode appears to be isolated and was determined [...] by a mere error in the application of the legislation on public competitions contained in Presidential Decree 487/1994 in force at the time with particular reference to art. 12, paragraph 2 and art. 15, paragraphs 4 and 5";
- “the purpose pursued through the publication was to ensure the transparency of the competitive procedure and to allow the appellant, the only suitable candidate, to know the outcome of all the assessments carried out by the judging panel with respect to her and the winner, and to be able to act, if necessary, without delay, to protect her rights with the competent administrative and/or judicial authorities”;
- “nor was the error determined by the desire to cause any harm in any form to the participant in the competitive procedure, but by the excessive workload during the pandemic period which, together with the concurrent insufficiency of human resources, meant that the Entity committed an error in the analysis of the applicable legislation […]”;
- “the Entity […] proceeded to immediately delete the document and the data reported by the appellant, including the related de-indexing from search engines as soon as it was notified by this Authority on 05.09.2022”;
- “subsequent to this episode, the Authority took steps […] to have its employees take specific courses on the relationship between transparency legislation and privacy, also to prevent similar episodes from happening in the future. Furthermore, the Authority modified its internal procedures regarding the publication of data and information, subjecting the published documents to more careful internal control”;
- “there are no previous relevant violations committed by the data controller or previous measures pursuant to art. 58 of the Regulation”; 
- “the data controller is a small Authority (with approximately 3,700 inhabitants), with limited organizational and professional resources”; 
- “the conduct was carried out in the context of the SARS-CoV-2 epidemiological emergency, which was particularly heated and critical also in terms of the organization and management of institutional activities”.

3. Outcome of the investigation. The applicable legislation.

The personal data protection regulation provides that public bodies, even when they operate in the performance of competitive, selective or in any case evaluative procedures, preliminary to the establishment of the employment relationship, can process the personal data of the interested parties (art. 4, no. 1, of the Regulation) if the processing is necessary "to comply with a legal obligation to which the data controller is subject" (think of specific obligations provided for by national legislation "for recruitment purposes", art. 6, par. 1, letter c), 9, parr. 2, letter b) and 4; 88 of the Regulation) or "for the performance of a task of public interest or connected to the exercise of public powers vested in the data controller" (art. 6, par. 1, letter c) and e) of the Regulation and art. 2-ter of the Code).

Such processing must, however, be based on European Union or Member State law, which must pursue an objective of public interest and be proportionate to the pursuit of the same. The purpose of the processing must be necessary for the performance of a task carried out in the public interest or connected to the exercise of public authority vested in the data controller (see art. 6, par. 3, of the Regulation and 2-ter of the Code).

National legislation has introduced more specific provisions to adapt the application of the provisions of the Regulation, determining more precisely specific requirements for processing, as well as other measures to ensure lawful and correct processing (art. 6, par. 2 of the Regulation) and, in this context, has provided that the legal basis provided for by art. 6, par. 3, letter b), of the Regulation, is constituted exclusively by the regulatory sources indicated in art. 2-ter of the Code.

The data controller is required to comply with the principles of data protection, including “lawfulness, fairness and transparency” as well as “minimization”, according to which personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject” and must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (Article 5, paragraph 1, letters a) and c) of the Regulation).

3.1. Delayed response to the request to exercise the right under Article 17 of the Regulation.

From the elements acquired in the context of the preliminary investigation, it is established that the Municipality of Villasimius responded to the request to exercise the right of cancellation and de-indexing formulated by the complainant, by removing the aforementioned report from its institutional website and de-indexing it from search engines, only on 23 September 2022, i.e. following the invitation to join sent by this Authority on 5 September 2022, without therefore ensuring compliance with the terms set out in the Regulation for responding to the interested party.

In this regard, it is generally stated that the data controller is required to facilitate the exercise of the rights by the interested party and, in any case, to provide explicit feedback to the request formulated by the interested party, regardless of whether or not it is well-founded, without unjustified delay and, in any case, no later than one month after its receipt, in the context of a direct relationship between the interested party and the data controller. The aforementioned deadline may be extended by two months by the controller, if necessary, taking into account the complexity and number of the requests, without prejudice to the data subject's right to be informed of such extension and of the reasons for the delay within one month of receiving the request (Article 12, paragraphs 2 and 3 of the Regulation). 

Furthermore, if the controller does not act on the request of the data subject, he or she shall inform the data subject without delay, and at the latest within one month of receiving the request, of the reasons for the non-compliance and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy (Article 12, paragraph 4 of the Regulation).

From the above, it must be concluded that the late response provided by the Municipality of Villasimius to the request formulated by the interested party pursuant to art. 17 of the Regulation has entailed the violation of art. 12 of the Regulation.

3.2. The unlawful dissemination of the complainant's personal data as well as the names of the members of the commission and the person drawing up the minutes.

From the elements acquired and the facts that emerged during the investigation, it is established that the Municipality of Villasimius published on its institutional website minutes no. 1 of 19 December 2019, relating to a selection procedure announced by the Municipality itself and containing personal data of the complainant - such as date of birth, degree grade and evaluation within the scope of this procedure - as well as the names of the members of the commission and the person in charge of the minutes (see "Minutes no. 1 of the examining commission of the public selection for the assignment of the position of Head of the General and Social Affairs Sector - Deputy Municipal Secretary pursuant to art. 110, paragraph 1, of Legislative Decree 18.08.2000 no. 267, announced by the Municipality of Villasimius").

The document in question, according to what was ascertained in the investigation and confirmed by the Municipality, was also indexed by generalist search engines. 

In this regard, the regulatory provisions that establish, in general, the publicity of the rankings of competitions and selective tests (see, in particular, Presidential Decree 10 January 1957, no. 3; as well as art. 15 et seq. of Presidential Decree 9 May 1994, no. 487 "Regulation containing rules on access to employment in public administrations and the procedures for conducting competitions, single competitions and other forms of hiring in public employment", also following the amendments introduced by Presidential Decree 16 June 2023, no. 82 and, more generally, on the publicity of recruitment procedures for public administration personnel, art. 35 Legislative Decree 30 March 2001, no. 165) perform the function of allowing interested parties, participating in competitive or selective procedures, to activate forms of protection of their rights and of control of the legitimacy of the administrative action. In fact, based on the aforementioned regulatory framework, the publication of the ranking in the official bulletins of the respective bodies (and on their institutional websites) was notified by means of a notice in the Official Journal of the Republic and the deadline for any appeals ran from the date of the aforementioned publication (see art. 15, paragraph 6 of Presidential Decree no. 487 of 9 May 1994, in the text prior to the amendments made by Presidential Decree no. 82/2023 applicable to the case in question, which currently provides that the publication takes place on the Single Recruitment Portal referred to in art. 35-ter of Legislative Decree no. 165 of 30 March 2001, and on the website of the administration concerned and that the terms for appeals run from the date of such publication).

The provisions on administrative transparency also provide for specific publication obligations in the "Transparent Administration" section of the institutional website of the administrations. In fact, pursuant to the provisions of Legislative Decree 14 March 2013, no. 33, “without prejudice to other legal advertising obligations, public administrations publish competition notices for the recruitment, in any capacity, of personnel for the administration, as well as the evaluation criteria of the Commission, the test outlines and the final rankings, updated with the possible scrolling of eligible non-winners. Public administrations publish and constantly update the data referred to in paragraph 1” (art. 19, paragraphs 1 and 2; see Memorandum of the President of the Authority for the Protection of Personal Data on the 2020 budget bill, 5th Committee, Budget, of the Senate of the Republic, dated 12 November 2019, web doc. 9184376; see, lastly, provision of 11 April 2024 no. 235, web doc. no. 10019523 as well as provisions of 23 March 2023, no. 83, web doc. no. 9888096, and of 28 April 2022, no. 151, web doc. no. 9778996, and the previous provisions referred to therein, including, in particular, the provision of 25 November 2021 n. 407, web doc. n. 9732406). 

These provisions define, from the point of view of data protection, the scope of permitted processing and constitute its legal basis by establishing limits, conditions and prerequisites for the online publication of personal data in the context of competitive procedures. However, they provide that only the final rankings of the competition winners are published and not also the intermediate or intra-procedural documents relating to the overall competitive procedure (see art. 15, paragraph 6, of the Presidential Decree cited), as instead occurred in the case in question with the publication of the aforementioned report n. 1 of 19 December 2019.

In this context, the Guarantor has, over time, provided specific general indications to public administrations regarding the precautions to be adopted for the dissemination of personal data on the Internet for the purposes of transparency and publicity of administrative action, in particular, in 2014, with the "Guidelines on the processing of personal data, including those contained in administrative acts and documents, carried out for publicity and transparency purposes on the web by public bodies and other obliged entities" (provision no. 243 of 15 May 2014, web doc. no. 3134436, part I and II, spec. par. 3.b) and, with decisions on individual cases, has deemed the publication, in the context of selection procedures and competitions, of acts and documents other than the final merit rankings to be unlawful (see provision no. 195 of 17 May 2023, web doc. no. 9908484; 25 November 2021, no. 407, web doc. no. 9732406; 11 March 2021, no. 89, web doc. no. 9581028).

In light of the above, the publication by the Municipality of Villasimius on its institutional website of minutes no. 1 of 19 December 2019, relating to a selection procedure announced by the Municipality itself and containing personal data of the complainant - such as date of birth, degree grade and evaluation within the procedure - as well as the names of the members of the commission and the person drawing up the minutes, gave rise to the dissemination of personal data in the absence of an appropriate legal basis, in violation of Articles 5, 6 of the Regulation, as well as 2-ter of the Code.

4. Conclusions.

In light of the above assessments, it is noted that the statements made by the data controller during the investigation - for the truthfulness of which one may be held accountable pursuant to art. 168 of the Code - although worthy of consideration, do not allow the findings notified by the Office with the act of initiation of the proceeding to be overcome and are insufficient to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

In order to determine the applicable rule, from a temporal perspective, reference must be made, in particular, to the principle of legality referred to in art. 1, paragraph 2, of Law no. 689/1981, pursuant to which the laws that provide for administrative sanctions apply only in the cases and within the timeframes considered therein. This determines the obligation to take into consideration the provisions in force at the time of the violation, which – given the permanent nature of the contested offences – must be identified at the time of cessation of the conduct. It is believed that the Regulation and the Code constitute the legislation in light of which to evaluate the treatments in question.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality of Villasimius is noted, since the aforementioned Municipality:

- responded to the request to exercise the right of cancellation and de-indexing formulated by the complainant, dated 23 September 2022, only following the invitation to adhere sent by this Authority on 5 September 2022 and, therefore, in violation of art. 12 of the Regulation;
- disseminated online the personal data of the complainant as well as, moreover, the names of the members of the examining commission and the person taking the minutes, contained within the aforementioned minutes no. 1 drawn up by the commission, appointed within the selection procedure announced by the Municipality itself for the assignment of the position of Head of the General and Social Affairs Sector - Deputy Municipal Secretary pursuant to art. 110, paragraph 1, of Legislative Decree no. 267 of 18 August 2000, in the absence of a suitable regulatory basis, in violation of arts. 5, paragraph 1, letter a), 6, paragraph 1, letter c) and e), of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text).
 

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to arts. 58, par. 2, letter i), and 83 of the Regulation as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the [Guarantor] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction to be published, in full or in extract, on the Guarantor’s website pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this case, two distinct conducts can be identified (one in relation to the delayed response to the request to exercise the right under Article 17 of the Regulation and the other relating to the dissemination of the complainant's personal data) attributable to the Municipality of Villasimius, which must therefore be considered separately for the purposes of quantifying the administrative sanctions to be applied.

In any case, considering that the conducts have exhausted their effects, the conditions for the adoption of corrective measures, pursuant to art. 58, par. 2, of the Regulation, do not apply.

5.1. The conduct referred to in paragraph 3.1 of this provision.

Considering that the violation of the provisions cited in the previous paragraph 3.1 of this provision, due to the delayed response to the request to exercise the right pursuant to art. 17 of the Regulation, occurred as a result of a single conduct, art. 83, par. 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violation concerns art. 12 of the Regulation, subject to the administrative sanction provided for by art. 83, par. 5, of the Regulation, the total amount of the sanction is to be quantified up to € 20,000,000.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for in art. 83, par. 2, of the Regulation.

With specific regard to the subjective profile of the violation (art. 83, par. 2, letter b), of the Regulation), it is important to first consider the circumstance that the delay in responding to the request to exercise the data subject's rights by the data controller was, at least in part, dependent on the fact that "the original request to exercise the data subject's rights [had been sent by the complainant] not to the certified email address of the protocol or of the DPO [... or] to the respective ordinary emails but to the ordinary email address of the Municipal Secretary in a period in which the Municipal Secretariat was vacant and the address was not permanently manned, with the consequent problems of notification (and proof of the relevant notification) determined by the means chosen by the complainant" (see note of 17 January 2024).

In light of this specific circumstance, it is believed that, in this case, the level of severity of this violation committed by the data controller is low (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).

That said, the following mitigating circumstances must be considered, in favour of the data controller:

- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);

- the Municipality offered good cooperation with the Authority during the investigation, having also provided immediate feedback to the complainant following the invitation to join formulated by the Guarantor (art. 83, par. 2, letter f), of the Regulation);

- the Municipality of Villasimius is a small territorial entity (about 3,700 inhabitants); furthermore, the violation occurred in a context characterized by numerous organizational difficulties as well as by the additional problems connected to the emergency period due to the spread of the Covid-19 virus (art. 83, par. 2, letter k), of the Regulation).

In light of the aforementioned elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of 1,000 (one thousand) euros for the violation of art. 12 of the Regulation, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Furthermore, taking into account the extended period of time during which the aforementioned data were published online on the institutional website of the Municipality, it is also believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

5.2. The conduct referred to in paragraph 3.2 of this provision.

Taking into account that the violation of the provisions cited in the previous paragraph 3.2 of this provision, due to the dissemination of the complainant's personal data, took place as a result of a single conduct (same processing or processing linked to each other), art. 83, par. 3, of the Regulation applies, according to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns articles 5 and 6 of the Regulation, as well as 2-ter of the Code, subject to the administrative sanction provided for by art. 83, par. 5, of the Regulation, as also referred to in art. 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to EUR 20,000,000.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.

With specific regard to the nature, gravity and duration of the infringement (Article 83, paragraph 2, letter a), of the Regulation), it is necessary to consider, in particular, the limited number of interested parties involved (in addition to the complainant, the three members of the commission and the person in charge of the minutes) and yet, on the other hand, the circumstance that the ranking was published online for a particularly long period of time, until 5 September 2022 (see what was declared by the data controller in the note of 7 May 2024 cited), the day on which the aforementioned content was definitively removed.

With regard to the subjective profile of the violation (art. 83, par. 2, letter b), of the Regulation), account must also be taken of the circumstance that the Municipality operated in the mistaken belief that it could pursue the purpose of transparency of administrative action, without however taking into account the regulatory framework of the sector and the indications provided over time by the Guarantor to all public bodies in this matter (both with the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for purposes of advertising and transparency on the web by public bodies and other obliged entities" cited above, and with numerous decisions on individual cases), and that the publication of the report in question derives from an "error of an absolutely negligent nature, in the form considered to be minor negligence, [...] determined not by a lack of knowledge of the relevant legislation, nor by the desire to cause any harm in any form to the participant in the competition procedure, but by the excessive workload during the pandemic period which, together with the concurrent scarcity of human resources, meant that the Authority committed an analysis error such as that which occurred on what should be published" (see note of 9 May 2024).

It is also believed that it should be considered that, in any case, the publication did not concern personal data belonging to the special categories referred to in art. 9 of the Regulation or data relating to criminal convictions or offences (art. 83, par. 2, letter g), of the Regulation).

In light of these circumstances, it is believed that, in the case in question, the level of severity of this violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

That said, the following mitigating circumstances must be considered in favor of the data controller:

- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);

- the Municipality offered good cooperation with the Authority during the investigation, having also represented that it had removed the aforementioned content, albeit following the invitation to adhere formulated by the Guarantor (art. 83, par. 2, letter f), of the Regulation);

- the Municipality of Villasimius is a territorial entity of modest size (approximately 3,700 inhabitants); furthermore, the violation occurred in a context characterized by numerous organizational difficulties as well as by the additional problems connected to the emergency period due to the spread of the Covid-19 virus (art. 83, par. 2, letter k), of the Regulation).

On the basis of the above elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of Euro 3,000 (three thousand) for the violation of Articles 5, paragraph 1, letter a), 6 and 12 of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to Article 83, paragraph 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account, in particular, the extended period of time during which the aforementioned data were published online on the institutional website of the Municipality, as well as the situation that was the subject of the complaint (failure of the Municipality to respond to the request made by the interested party aimed at obtaining the cancellation from the institutional website of the Entity and the de-indexing from search engines of an internal document of a selection procedure, containing a series of personal information also concerning third parties), it is also believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.


GIVEN ALL THE ABOVE, THE GUARANTOR



declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the Municipality of Villasimius due to violation of arts. 5, par. 1, letter a), 6 and 12 of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text), in the terms set out in the reasons;

ORDERS

to the Municipality of Villasimius, in the person of its legal representative pro-tempore, with registered office in Piazza Gramsci 10 - 09049 Villasimius (SU), C.F. 80014170924, to pay the sum of €4,000 (four thousand) as an administrative fine for the violations indicated in the reasons. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

the aforementioned Municipality, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €4,000 (four thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive actions pursuant to art. 27 of Law no. 689/1981;

PROVIDES

- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Guarantor Regulation no. 1/2019);

- the annotation of this provision in the internal register of the Authority, provided for by art. 57, paragraph 1, letter u), of the Regulation, of the violations and measures adopted in accordance with art. 58, paragraph 2, of the Regulation (see art. 17 of the Guarantor Regulation no. 1/2019).

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. 

Rome, 4 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei