Garante per la protezione dei dati personali (Italy) - 10064226: Difference between revisions

Garante per la protezione dei dati personali - 10064226
Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 4(7) GDPR Article 5(1)(a) GDPR Article 6(1) GDPR Article 12(1) GDPR Article 15 GDPR Article 26 GDPR
Type:	Complaint
Outcome:	Partly Upheld
Started:
Decided:	12.09.2024
Published:
Fine:	8,000 EUR
Parties:	Ordine delle Professioni Infermieristiche di Udine
National Case Number/Name:	10064226
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Italian
Original Source:	Garante per la protezione dei dati personali (in IT)
Initial Contributor:	fb

The DPA fined a professional association of nurses €8,000 after it shared the data subject’s personal data with his employer in order to make him cease sending access to documents requests.

English Summary

Facts

The data subject is a member of Arma dei Carabinieri, one of the police forces of Italy. He submitted several access to document requests and other inquires to the controller, the professional association of nurses of Udine (Ordine delle Professioni Infermieristiche – OPI). His wife is a nurse and had submitted similar requests as well.

Furthermore, the data subject also filed an access request under Article 15 GDPR with the controller.

The controller believed that these requests were excessive and were impairing the ability of the controller to deal with other administrative tasks.

Moreover, it noted that the data subject submitted similar requests also to other nurses’ associations in the same region. Therefore, it coordinated with the latter and sent a joint letter to the data subject’s employer, in order to ask it to take some measures and make the data subject stop overloading the controller with excessive requests.

The data subject filed a complaint with the DPA. He complained that the controller shared with his employer personal data, for example concerning the fact that he had visited the controller’s office. Moreover, the data subject argued that the controller unlawfully shared his personal data with the Commission for the access to documents, which was examining a complaint filed by his wife.

The controller argued that it shared this data with Carabinieri in order to ensure a proper cooperation between public authorities.

Moreover, it pointed out that it is a really small public entity with only two employees, and therefore cannot process so many inquiries by the same person.

Holding

First, the DPA pointed out that the collection of some personal data of the data subject, namely his job, by searching him on a public search engine was not necessary to process the data subject’s access to document request. Therefore, the DPA held that this processing activity was lacking a legal basis and found a violation of Articles 5(1)(a) and 6(1) GDPR.

Second, the DPA noted that the controller shared the data with the other nurses’ associations of the region. The DPA could not find any legal basis justifying this sharing and, therefore, found a violation of Articles 5(1)(a) and 6(1) GDPR.

Third, the DPA held that the controller and the other nurses’ associations jointly determined the purposes and means when drafting and sending the letter to Carabinieri. Therefore, they are to be considered joint controllers under Article 4(7) GDPR. However, the DPA noted that they have not entered into an arrangement between each other. Therefore, it found a violation of Article 26 GDPR.

Fourth, the DPA pointed out that the controller shared several personal data of the data subject with his employer, such as his civil status and the fact that he and his wife filed access to document requests.

On this point, the DPA dismissed the controller’s claim that this processing activity could rely on the legitimate interest of ensuring the good performance of the public administration. The DPA recalled that, according to Article 6(1) GDPR, the legal basis provided for by Article 6(1)(f) GDPR does not apply to a public authority in the performance of their tasks (see also C-180/21, Inspektor v Inspektorata kam Visshia sadeben savet, para. 85). Therefore, it found a violation of Articles 5(1)(a) and 6(1) GDPR.

Fifth, the DPA noted that the controller did not provide the data subject with the information set by Article 13 GDPR and, therefore, found a violation of this article.

Sixth, the DPA pointed out that the controller had not replied to the data subject’s access request and held that the controller violated Article 15 GDPR in combination with Article 12(1) GDPR.

Finally, the DPA held that the controller unlawfully shared the data subject’s personal data with the Commission for the access to documents. The reason was that the proceedings before this Commission were only concerning his wife and not him personally.

On these grounds, the DPA fined the controller €8,000.

Comment

The DPA also fined the other joint controllers. See decisions 10064103 (€4,000); 10065732 (€5,000); 10064766 (€6,000).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10064226]
Provision of 12 September 2024
Register of provisions
no. 544 of 12 September 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councillor Fabio Mattei, Secretary General;
SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);
HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (hereinafter the “Code”); HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);
Having seen the documentation in the files;
Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;
Rapporteur: lawyer Guido Scorza;
WHEREAS
1. Introduction.
With a complaint submitted pursuant to art. 77 of the Regulation, Mr. XX, a soldier belonging to the Carabinieri, complained of certain alleged violations of the regulations on the protection of personal data by the Order of Nursing Professions (OPI) of Udine (hereinafter, the “Order”).
In particular, the complainant stated that he had learned that, on XX, at the Legion Command where he serves (hereinafter, the “Legion Command”), a certified email message was received, containing an attached note, with the subject “Report of conduct [name and surname of the complainant]”, signed by the President of the Order, the President of the OPI of Pordenone (also in his capacity as President of the Coordination of the OPI of Friuli Venezia Giulia – hereinafter, the “Coordination”) and the Presidents of the OPI of Gorizia and Trieste. With this note, the Legion Command was made aware of the "series of requests for generalized civic access" and of the "multiple reports" that the complainant and his wife had addressed to the aforementioned OPIs, as well as information relating to the complainant's wife (profession; membership in the Order) and the assessments expressed by such OPIs regarding the deemed inappropriateness of such requests and reports, considered "largely unfounded and which also from the point of view of the ordinary citizen, have no purpose or utility", having as their "sole purpose [...] that of having required a great deal of effort from the administrative offices, the dependent staff, the institutional positions of the Bodies and the consultants and professionals who assist them, diverting precious time and also significant economic resources from the ordinary activities of the Orders". The OPIs therefore “deemed it appropriate to submit to the [Commander of the Legion Command] the conduct of the [complainant], [in service with] the Carabinieri, which he always and in any case represents, to avoid the determination of an obstacle to the institutional activity of the aforementioned professional Orders for mere personal interests […]”, asking the same “to want to take into consideration what […] was exposed, for the sole purpose of improving relations between State Bodies, which should collaborate mutually for the good of the citizen and the institutions they represent”.
In the opinion of the complainant, the communication of the aforementioned personal data to the Legion Command, as well as the exchange of such data between the various OPIs forming part of the Coordination, including the Order, would have occurred in the absence of a legal basis.
Furthermore, the complainant complained of the circumstance that the Order and the other OPIs forming part of the Coordination would have unlawfully processed the personal data relating to his profession and employer, which had never been disclosed by the complainant to them.
The complainant also complained that he had not received from the Order, when submitting the aforementioned requests for civic access and reports, any information regarding the processing of his personal data, including with regard to the possibility of exercising the rights under Articles 15-22 of the Regulation.
A further ground for complaint concerns the circumstance that the Order had not responded to a request to exercise the right of access to personal data, addressed by the complainant to the Order pursuant to Articles 12 and 15 of the Regulation.
With subsequent additions to his initial complaint, the complainant then complained:
that the Order had communicated to the Legion Command further personal data relating to him, with particular regard to the circumstance that the complainant had gone to the headquarters of the Order together with his wife, who had submitted a request for civic access, and that in that context a tense situation had occurred, which had required the intervention of a patrol of the Carabinieri;
that the Order would have communicated personal data relating to him to the Commission for access to the Presidency of the Council of Ministers, in the absence of a legal basis, given that the access procedure to the attention of said Commission related to an application for access presented to the Order not by the complainant but by his wife;
that the Order would not have followed up on a decision of the Commission for access to the Presidency of the Council of Ministers.
2. The investigative activity.
In response to three requests for information from the Authority (see notes prot. nos. XX of XX, XX of XX and XX of XX), the Order, with notes of XX and XX, through its lawyer, declared, in particular, that:
“[…] the [OPIs] are very small non-economic public bodies: the Order […] is made up of two permanent and part-time units. There are no management figures and most of the duties are carried out by the President, the Treasurer and the Secretary, who, in addition to carrying out their profession, provide their services free of charge”;
“[…] the complainant has sent countless requests for [civic] access to the Order […]”;
“the management of such a quantity of requests, appeals, complaints, warnings and reports from the [complainant] has historically overlapped not only with the normal activity of the Order […], but, above all, with the management of the enormous amount of work resulting from the pandemic crisis and the administrative procedures for the suspension of unvaccinated nurses, pursuant to Legislative Decree 44/21”;
“the situation had become unmanageable and the risk of blocking the operations of the Order […] was becoming real, with serious legal risks for the Presidents, including crimes such as failure to perform official duties”;
“on these premises, the [four] Presidents institutionally united in the Coordination […], found themselves forced by the urgent need to find a “joint” solution in relations with the [complainant], agreeing to find an amicable compromise solution”;
“all of the above prefigures a legitimate interest of the owner to process the personal data of the [complainant], outside the execution of professional duties proper to public authorities, in the public interest of ensuring the proper functioning of the entity pursuant to art. 97 of the Constitution”;
“the [complainant], on […] […] 2022, accompanied his wife to the offices of the OPI of Udine, the Order to which she is registered, where she had been summoned again to respond to a further request for access to the documents. The situation that arose forced the President to call the Carabinieri, who drew up the relevant report, a copy of which was then requested and acquired […] As can be read, the reporters acknowledged the statements of the [complainant], who identified himself as the spouse of the member”;
“the Force, despite its territorial articulations, is evidently a single entity and, therefore, the information on the marital relationship between the [complainant] and the member and on the reason why they had gone to the headquarters were acquired by the Corps in this way”;
“with regard to the complained-of transmission of correspondence between the [Order] and the [complainant] to the Command of the Force […], it is easy to verify that the same does not contain personal data”;
“the communication of data processed by the Order to the Coordination […] finds its legal basis in the Regulation, adopted by the National Federation in 2016, which provides for the establishment of regional coordination and regulates its operation […], published on the institutional website https://www.fnopi.it/Amministrazione-trasparente/disposizioni-generali/atti-generali/”;
“in relation to the additional personal data of the complainant and, in particular, to membership in the Carabinieri, it is highlighted that in compliance with the principles of lawfulness, correctness and transparency, the Presidents searched the web for information on the complainant with a simple search on [a search engine]”;
“the membership of the complainant in the Carabinieri is public data, resulting from documents, including official ones, available and consultable by anyone online, with a simple search on the name and without entering any other identifying data, including personal data, provided by the complainant himself”;
“[…] the request addressed to the Command […] had the sole purpose of informing the superiors of the conduct of the [complainant], so that they could jointly intervene by making him aware of the inappropriateness of his initiatives, thus avoiding formal steps against him”;
“[…] also in light of the Code of Conduct of the employees of the Ministry of Defense, on which the Carabinieri Corps depends […]”;
“no personal data of which it was not already aware was communicated to the Command”;
“the access procedures pursuant to Legislative Decree no.Legislative Decree 33/2013 […] are published by the recipient bodies and are available online, as public data, with the applicant's name identification”;
“the information on the processing of personal data is published on the Order's institutional website on the page […] https://opiudine.it/ […]”;
“the OPI responded to the requests for [civic] access, despite the considerable difficulty caused by the modest human resources available and the enormous workload determined by the obligations imposed by Legislative Decree 44/2021 and subsequent amendments and additions”;
“with [Legislative Decree C.p.S.] 13 September 1946, no. 233 […] the Professional Health Orders were reconstituted, including that of the nursing professions”;
“the Legislator, since 1946, has attributed to the National Federations the task of “coordinating and promoting the activity of the respective Orders or Colleges”;
“with Law 29 October 1954, n. 1049 […] the IPASVI Colleges were established, to which art. 2 extends the applicability of the provisions of Legislative Decree 233/1946”;
“Law 1 February 2006, n. 43, had already provided for the establishment of the [OPIs] in art. 3, but, lastly, it is […] Law 11 January 2018, n. 3 […], art. 4, which established the Order of Nursing Professions, in place of the previous College, modifying Chapter I of Legislative Decree 233/46, of which it left some essential principles unchanged”;
art. 7, paragraph 2, of the aforementioned law 3/2018 provides that “the national Federations are assigned tasks of direction and coordination and administrative support to the Orders and regional Federations, where established, in the performance of institutional tasks and functions”;
“when the OPI of Udine found itself facing the complex situation caused by the continuous requests, warnings and requests of the complainant, it legitimately involved the relevant Federation”;
“for both, the legal basis of the processing is to be found in the aforementioned article art. 7”.
With note of XX (prot. no. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the investigative activity, notified the Order, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, par. 2, of the Regulation, for the Order having:
- processed the personal data relating to the profession and employer of the complainant in a manner not compliant with the principle of “lawfulness, correctness and transparency” and in the absence of a legal basis, in violation of Articles 5, par. 1, letter a), and 6 of the Regulation, as well as 2-ter of the Code;
- communicated the personal data of the complainant and his spouse to the other OPIs in a manner not compliant with the principle of “lawfulness, correctness and transparency” and in the absence of a legal basis, in violation of Articles 5, par. 1, letter a), and 6 of the Regulation, as well as 2-ter of the Code;
- communicated to the Legion Command the personal data of the complainant and his spouse, contained in the joint note of the Presidents of the OPIs of XX (prot. no. XX), in a manner not compliant with the principle of “lawfulness, correctness and transparency” and in the absence of a legal basis, in violation of Articles 5, par. 1, letter a), and 6 of the Regulation, as well as 2-ter of the Code;
- communicated to the Legion Command the personal data of the complainant and his spouse, contained in the note prot. no. XX of XX and the email of XX, in a manner not compliant with the principle of "lawfulness, correctness and transparency" and in the absence of a legal basis, in violation of art. 5, par. 1, letter a), and 6 of the Regulation, as well as 2-ter of the Code;
- communicated the personal data of the complainant to the National Federation of the Orders of Nursing Professions (FNOPI) in a manner not compliant with the principle of "lawfulness, correctness and transparency" and in the absence of a legal basis, in violation of art. 5, par. 1, letter a), and 6 of the Regulation, as well as 2-ter of the Code;
- failed to enter into a joint controllership agreement with the other OPIs, in violation of art. 26, par. 1 and 2, of the Regulation;
- failed to provide the complainant and his spouse with information on the processing of personal data, in a manner that does not comply with the principle of “lawfulness, fairness and transparency” and in violation of Articles 5, paragraph 1, letter a), 13 (in relation to data acquired directly from the data subjects) and 14 (in relation to data not acquired directly from the data subjects) of the Regulation;
- failed to provide feedback to a request from the complainant to exercise the right of access to personal data and information relating to the processing, in violation of Articles 12 and 15, paragraph 1, of the Regulation.
With the same note, the aforementioned owner was invited to produce written defenses or documents to the Guarantor or to request to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981).
With note of XX, the Order, through its lawyer, submitted a defense brief, declaring, in particular, that:
“in compliance with what [found] by the Office [of the Guarantor], the OPI [, with note prot. no. XX of XX,] has provided the complainant with information on data processing”, as well as providing the complainant with feedback on the request to exercise the right to access personal data;
“the seriousness of the violation does not appear to be high, since the processing concerns public data or, in any case, not such that their processing or communication to the complainant’s employer could, in itself, cause harm”;
“art. 748, c. 5, of Presidential Decree 90/2010 (consolidated regulatory text of the military system)” provides that “the soldier must also promptly notify his/her command or body: a) of any change in marital and family status” and, therefore, “the recipient of the communication was, therefore, already informed of the marital status of the interested party”;
“the OPI acted exclusively in order to guarantee its own operations, in a moment of particular difficulty arising from the burdens connected to the supervision of the vaccination obligation imposed on members. There was no attempt to cause any harm to the complainant or the spouse […]”;
“the data processed does not fall into the category of “special” data, nor do they relate to criminal records”.
During the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on XX (see minutes prot. no. XX of the same date), the Order declared, in particular, that:
“[…] the Order acted in the belief that it was operating in the exclusive interest of citizens, including the complainant”;
“the matter that is the subject of the complaint occurred in the difficult context of the SARS-CoV-2 epidemic, in which the Order had to deal with numerous and burdensome obligations required by the emergency legislation, having had to make delicate decisions, in a very rapid time frame, in a regulatory framework characterized by high legal complexity. In particular, the Order had to initiate numerous proceedings, which involved approximately 10% of members, aimed at ascertaining the possession of the vaccination requirement by professionals registered pursuant to art. 4 of Legislative Decree 44/2021”.
3. Outcome of the investigation
3.1 Processing of personal data relating to the profession and employer of the complainant.
Public bodies, in accordance with the principle of “lawfulness, fairness and transparency” (Article 5, paragraph 1, letter a), of the Regulation), may, as a rule, process personal data if the processing is necessary to comply with a legal obligation or for the performance of a task carried out in the public interest or in connection with the exercise of public powers (see Articles 6, paragraph 1, letter c) and e), and paragraphs 2 and 3 of the Regulation, as well as 2-ter of the Code).
In this case, the Order acquired information relating to the profession carried out by the complainant by querying a search engine and consulting documents publicly available on the Internet.
Such online search, consultation and recording of information relating to the complainant's profession and employer constitute processing of personal data (see art. 4, no. 1 and 2), of the Regulation), which, however, cannot be considered necessary for the purposes of administrative proceedings relating to requests for civic access and reports submitted by the complainant to the Order, regardless of whether such information was available on the Internet as a result of its publication by the interested party or by third parties for other purposes, not connected to the institutional functions of the Order (see provisions of 24 November 2022, no. 385, web doc. no. 9839018; 10 March 2022, no. 82, web doc. no. 9761383; 13 January 2022, no. 7, web doc. no. 9745807; 2 July 2020, no. 118, web doc. no. 9440025; 13 February 2020, no. 35, web doc. no. 9285411).
The Order has, therefore, processed the personal data relating to the profession and employer of the complainant in a manner that does not comply with the principle of "lawfulness, correctness and transparency" and in the absence of a legal basis, in violation of Articles 5, paragraph 1, letter a), and 6 of the Regulation, as well as 2-ter of the Code.
3.2 The communication of personal data to other PIOs in Friuli-Venezia Giulia.
From the documentation in the files and from the statements made during the investigation, it is also established that the Order shared with the other OPIs of Friuli-Venezia Giulia the information relating to the requests for civic access and the reports presented by the complainant and his spouse, as well as the registration of the spouse of the complainant in the Order, thus implementing a processing of personal data that cannot be considered necessary for the purposes of the proceedings initiated in relation to the aforementioned requests for access and reports.
In this regard, it must be noted, with considerations that are valid in relation to the overall processing of the personal data that is the subject of the complaint, that the defense thesis of the Order according to which "the access procedures pursuant to Legislative Decree 33/2013 [...] are subject to publication by the recipient bodies and are available online, as public data, with the nominative identification of the applicant" cannot be accepted. As, in fact, clarified by the National Anti-Corruption Authority (ANAC) in its Guidelines adopted in agreement with the Guarantor, the «register [of access requests, where established,] contains the list of requests with the subject and date and the relative outcome with the date of the decision and is published, obscuring any personal data present […]» (paragraph 9 of Determination no. 1309 of 28/12/2016 containing the «Guidelines containing operational indications for the purposes of defining the exclusions and limits to civic access pursuant to art. 5 co. 2 of Legislative Decree 33/2013», in G.U. no. 7 of 10/1/2017 and in https://www.anticorruzione.it/-/determinazione-n.-1309-del-28/12/2016-rif.-1; see also para. 8.2.b. of the Circular of the Minister for Public Administration no. 1 of 2019, containing «Implementation of the rules on generalized civic access (so-called FOIA)», in http://www.funzionepubblica.gov.it/sites/funzionepubblica.gov.it/files/Circolare_FOIA_n_1_2019.pdf).
The Order has therefore communicated the personal data of the complainant and his spouse to the aforementioned OPIs in a manner that does not comply with the principle of "lawfulness, correctness and transparency" and in the absence of a legal basis, in violation of Articles 5, paragraph 1, letter a), and 6 of the Regulation, as well as 2-ter of the Code.
3.3 The communication to the Legion Command of the personal data of the complainant and his spouse contained in the joint note of the Presidents of the OPIs of Friuli Venezia Giulia.
With note prot. n. XX of XX, signed by the President of the Order, by the President of the OPI of Pordenone (also in his capacity as President of the Coordination) and by the Presidents of the OPI of Gorizia and Trieste, and addressed to the Legion Command, where the complainant carries out his work activity, the Order communicated to the Legion Command some personal data of the complainant, or information relating to requests for access to documents and reports submitted by the complainant to the aforementioned OPI and other public bodies, to the assessments of the OPI regarding the appropriateness of such requests and reports and to the overall conduct of the complainant, as well as information relating to the marital relationship in place between the complainant and a professional registered with the Order.
With the note in question, personal data relating to the complainant's spouse were also communicated to the Legion Command, with particular regard to the circumstance that she had also submitted requests for access and reports, as well as to the marital relationship in place with the complainant.
That said, it must be noted that the communication of the personal data in question to the Legion Command cannot be considered necessary to comply with legal obligations or to perform a task of public interest or connected to the exercise of public powers (see art. 6, par. 1, letter c) and e), and par. 2 and 3, of the Regulation, as well as 2-ter of the Code). The Order's argument that such processing of personal data would have been necessary for the pursuit of the Order's legitimate interest in ensuring the proper performance of its administrative action (see art. 97 of the Constitution) cannot be accepted. This is because the legal basis of the legitimate interest, pursuant to art. 6, par. 1, letter f), of the Regulation, "does not apply to the processing of data carried out by public authorities in the performance of their duties" (art. 6, par. 1, last sentence, of the Regulation). In this regard, the Court of Justice of the European Union has stated that “it is clear from the wording of the second subparagraph of Article 6(1) of [the Regulation] that the processing of personal data carried out by a public authority in the performance of its tasks cannot fall within the scope of Article 6(1), first subparagraph, point (f) of [the Regulation]; as, in fact, “results from recital 47 of the [Regulation] […], the latter provision cannot apply to such data processing, since their legal basis must be provided for by the legislator”, with the consequence that “where the processing carried out by a public authority is necessary for the performance of a task carried out in the public interest, and therefore falls within the tasks referred to in the second subparagraph of Article 6(1) of that regulation, the application of Article 6(1), first subparagraph, point (e) of the [Regulation] and that of Article 6(1), first subparagraph, point (f) of the latter are mutually exclusive” (judgment C-180/21, Inspektor v Inspektorata kam Visshia sadeben savet, of 8 December 2022, para. 85).
Nor is it relevant that, as the Order argued in its defense briefs, the military system requires the soldier to inform the Command to which he belongs of his marital status, given that, in this case, the Order, together with the other OPIs, communicated to the Legion Command additional information with respect to marital status alone, namely the spouse's profession, her registration with the Order and the fact that she had submitted requests for civic access and reports.
The communication of the complainant's and his spouse's personal data to the Legion Command therefore occurred in a manner that did not comply with the principle of "lawfulness, correctness and transparency" and in the absence of a legal basis, in violation of Articles 5, paragraph 1, letter a), and 6 of the Regulation, as well as 2-ter of the Code.
3.4 The communication of additional personal data of the complainant to the Legion Command.
The complainant also complained that the Order sent a note to the Legion Command (ref. no. XX of XX, with the subject “Reporting of behavioral modalities [name and surname of the complainant]”), with which the aforementioned Command was informed of the circumstance that the complainant “went to the offices of the Order […], claiming the right to access them to accompany his wife in carrying out the procedure requested by her for civic access to the documents”, also reporting the intervention of a patrol of the Carabinieri to deal with a tense situation. The Command was also informed that the complainant “sent two other requests for civic access to the documents on the same date of XX and XX”. The note in question also specifies that it is sent “to highlight the repeated conduct of the [complainant] and to consider any possible moments of mediation”.
The complainant also complained that, in order to obtain an appointment with the Commander of the Legion Command, the Order, by email of XX, sent to the Legion Command a copy of correspondence between the Order and the complainant, containing the latter's personal data. In particular, a copy of the note prot. no. XX of XX, sent by the Order to the complainant and containing communications relating to certain requests submitted by the complainant, was sent.
Contrary to what the Order claims, the information in question, relating to the circumstance that the complainant had submitted the aforementioned requests, must be considered as personal data, as information relating to an identified natural person (see the definition of "personal data" in art. 4, par. 1, n. 1, of the Regulation).
Therefore, in relation to the processing of such data (i.e. the information relating to the facts that occurred at the headquarters of the Order and to the requests submitted by the complainant), the same considerations illustrated in the previous par. 3.4, given that the communication of the same to the Legion Command cannot be considered necessary to fulfill legal obligations or to perform a task of public interest or connected to the exercise of public powers (see art. 6, par. 1, letter c) and e), and par. 2 and 3, of the Regulation, as well as 2-ter of the Code), with the consequence that, even in this circumstance, the Order acted in a manner not compliant with the principle of "lawfulness, correctness and transparency" and in the absence of a legal basis, in violation of art. 5, par. 1, letter a) and 6 of the Regulation, as well as 2-ter of the Code.
3.5 Failure to stipulate a joint controllership agreement.
Pursuant to art. 4, par. 1, n. 7), of the Regulation, the controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.
When two or more controllers jointly determine the purposes and means of processing, “they shall be joint controllers” and must “determine in a transparent manner, by means of an internal agreement, their respective responsibilities for compliance with the obligations arising from […] the Regulation, in particular as regards the exercise of the rights of the data subject, and their respective duties to provide the information referred to in Articles 13 and 14, unless and insofar as their respective responsibilities are determined by Union or Member State law to which the controllers are subject. Such an agreement may designate a contact point for the data subjects” (Article 26, paragraph 1, of the Regulation). The agreement between the joint controllers “adequately reflects the respective roles and the relationship of the joint controllers with the data subjects” and the “essential content of the agreement [must be] made available to the data subject” (Article 26, paragraph 2, of the Regulation).
As clarified by the European Data Protection Board, “the general criterion for the existence of joint controllership is the joint participation of two or more entities in defining the purposes and means of a processing operation. Joint participation may take the form of a joint decision, taken by two or more entities […]” (“Guidelines 07/2020 on the concepts of controller and processor under the GDPR”, adopted on 7 July 2021, paragraph 53).
That said, it should be noted that, as illustrated above, the note prot. n. XX of XX was signed by the President of the Order, by the President of the OPI of Pordenone (also in the role of President of the Coordination) and by the Presidents of the OPI of Gorizia and Trieste. Since the OPIs jointly determined the purposes and means of the processing of the personal data of the complainant and his spouse, for the purpose of sending the note in question to the Legion Command, they acted, even in the absence of a valid legal basis, as joint controllers of the processing (see art. 4, par. 1, no. 7), of the Regulation), having exercised a “decisive influence on the implementation and methods of the processing, through a joint decision or convergent decisions that complement each other and are necessary for the processing because they have a tangible impact on the determination of the purposes and means” (“Guidelines 07/2020 on the concepts of data controller and data processor under the GDPR”, cit., annex 1, which takes up the contents of section 3, relating to the “definition of joint controllers of the processing”).
However, the Order and the other OPIs of Friuli Venezia Giulia have not entered into an internal agreement, before starting the processing, in order to regulate in a transparent manner the respective responsibilities regarding compliance with the obligations arising from the Regulation, therefore the Order has acted in violation of art. 26, paragraphs 1 and 2, of the same.
3.6 Failure to provide information on the processing of personal data.
In compliance with the aforementioned principle of "lawfulness, fairness and transparency", the data controller must adopt appropriate measures to provide the data subject, before starting the processing, with all the information required by the Regulation, in a concise, transparent, intelligible and easily accessible form, with clear and plain language (see art. 5, paragraph 1, letter a), 12, 13 and 14 of the Regulation; cf. Article 29 Working Party, “Transparency Guidelines under Regulation 2016/679”, WP260 rev.01, adopted on 11 April 2018 and endorsed by the European Data Protection Board with “Endorsement 1/2018” of 25 May 2018).
In this case, the Order, however, failed to inform the complainant and his spouse about the processing of personal data illustrated above.
In this regard, it must be noted that the information on the processing of personal data published on the institutional website of the Order (https://opiudine.it/), to which the Order referred during the investigation, refers to the processing of personal data of users of that website, and is therefore irrelevant to the processing that is the subject of the complaint. Furthermore, the Order did not declare on which date the information in question would have been published, the same being modified on the date XX (“Last modified: XX”). Nor does it appear that the Order had published on its website a general information notice regarding the processing of personal data carried out in the context of the performance of its institutional tasks and its administrative activity, to which the complainant could have referred.
The Order consequently acted in a manner not compliant with the principle of “lawfulness, fairness and transparency” and in violation of Articles 5, paragraph 1, letter a), 13 (in relation to data acquired directly from the data subjects) and 14 (in relation to data not acquired directly from the data subjects) of the Regulation.
3.7 Response to the data subject’s request to exercise the right of access to personal data.
Article 12 of the Regulation provides that the data controller must provide the data subject with information relating to the action taken regarding a request pursuant to Articles 15 to 22 of the Regulation without undue delay and, in any case, no later than one month after receipt of the request (paragraph 3).
If the data controller does not comply with the request of the data subject, it must inform the data subject without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and of bringing a judicial remedy (paragraph 4).
From the complaint and the documentation attached to it, it emerges that, in this case, the complainant, on XX, addressed to the Order a request for access to personal data and information relating to processing, pursuant to art. 15 of the Regulation.
The complainant complained that he had not received any response to the aforementioned request and, in this regard, the Order did not produce any element in the documents aimed at proving its timely response. Nor has the Order demonstrated that it informed the interested party without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of filing a complaint with a supervisory authority and of filing a judicial appeal (see art. 12, par. 4, of the Regulation).
The Order, in fact, provided feedback to the interested party on XX (see note prot. no. XX), or after receiving the administrative infringement notification from the Authority, having therefore acted in violation of arts. 12 and 15, par. 1, of the Regulation.
3.8 The communication from the Order to FNOPI of personal data relating to the complainant.
The complainant complained that, on XX, the Order sent a note to the National Federation of Nursing Professions Orders (FNOPI), informing the latter of the events which are the subject of the aforementioned note no. XX of XX, sent by the Presidents of the OPI of Friuli Venezia Giulia to the Legion Command.
In relation to the legal basis that would have justified the communication of the personal data in question, the Order invoked art. 7, paragraph 2, of the Legislative Decree C.p.S. 13 September 1946, n. 233, pursuant to which "the national Federations are assigned tasks of direction and coordination and administrative support to the Regional Orders and Federations".
In this regard, it must first be noted that the tasks of direction and coordination, as well as administrative support, attributed by this provision to FNOPI, must be understood as referring to the institutional functions exercised by the territorial Orders (see art. 1, par. 3, of the legislative decree of the Public Security Code of 13 September 1946, no. 233, which regulates their tasks) and not also to their administrative activity in a broad sense, as in the case of administrative proceedings activated following requests for civic access.
On the other hand, also in compliance with the principle of data minimization (art. 5, par. 1, letter c), of the Regulation), the Order could have acquired the possible support of FNOPI, even if not provided for by the aforementioned sector legislation, by presenting the issue in an abstract manner, without revealing the identity of the complainant and without communicating to FNOPI personal data relating to him and his spouse.
It must then be noted, however, that, in any case, the Order sent the documentation in question to FNOPI "for appropriate knowledge", not having, therefore, formulated any specific request for support (see note of the Order acquired in the FNOPI protocol no. XX of XX).
Therefore, the Order communicated to FNOPI personal data relating to the complainant and his spouse in a manner not compliant with the principle of lawfulness, correctness and transparency and in violation of art. 5, par. 1, letter a) and 6 of the Regulation, as well as 2-ter of the Code.
3.9 The communication of the complainant's personal data by the Order to the Commission for access to administrative documents and the non-compliance by the Order with a decision of that Commission.
The complainant, finally, complained that, with note prot. no. XX, the Order communicated its personal data to the Commission for access to administrative documents, established at the Presidency of the Council of Ministers, in the context of a proceeding to which it was not a party, given that the request to the Commission had been submitted by its wife in reference to her own request for access.
In this regard, it must be noted that, with reference to the proceedings under the jurisdiction of the aforementioned Commission, it is not, as a rule, up to the Guarantor to examine the relevance of acts and documents that the Administration party to the proceeding has deemed to deposit within the same in order to defend its own determinations regarding the requests for access received and protect its position in the proceedings before the Commission.
The complainant, with note of XX, also requested that "the work of the OPI of Udine be evaluated also in relation to the decisions taken by the Commission for access to administrative documents represented in the provision of 27 April 2023 [...]".
With this provision (prot. no. XX of XX), the Commission stated that it had accepted an appeal by the appellant against the denial of access ordered by the Order and that "in the face of the renewed tacit or express denial of access to the requested documents, there are no further administrative remedies through which the Access Commission can induce the resisting Administration to comply with the provisions of its decision", the interested party being able only to propose "an appeal to the TAR or [...] a complaint to the Public Prosecutor's Office for failure to perform official duties, if the conditions exist". In this regard, it should be noted that it is up to the Administration, and not the Guarantor, in the case of requests for access to documents presented pursuant to Law no. 241/1990, ascertain the interest and the reasons underlying the request, as well as verify the existence of one of the reasons for which the requested document can be removed from the knowledge of the applicant, also based on the types of non-accessible documents identified in the specific regulation of the individual administration. The assessments regarding the decisions adopted by the administration on the specific request for access, even in the form of silence, are outside the scope of the Guarantor's competence and remain subject to review by the competent authorities (art. 25, Law no. 241/1990).
It is therefore believed that, in relation to this reason for complaint, the archiving of the proceeding should be ordered, given that the issue raised with the complaint does not appear to be attributable to the protection of personal data or to the tasks assigned to the Guarantor (see art. 14 of the Guarantor's Regulation no. 1/2019).
4. Conclusions.
In light of the above-mentioned assessments, it is noted that the declarations made by the data controller during the investigation ˗ the veracity of which may be held accountable pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow the findings notified by the Office with the act initiating the procedure to be overcome and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 apply.
Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Order is noted, as the latter acted in violation of Articles 5, par. 1, letter a), 6, 12, 13, 14, 15, par. 1, 26, parr. 1 and 2, of the Regulation, as well as 2-ter of the Code.
Taking into account that the violation of the aforementioned provisions occurred as a result of a single conduct (the same processing or processing linked to each other), Article 83, par. 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violations, which are also multiple, relating to Articles 5, par. 1, letter a), 6, 12, 13, 14, 15 par. 1, of the Regulation, as well as 2-ter of the Code, are subject to the sanction provided for by art. 83, par. 5, of the Regulation, as also referred to in art. 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to € 20,000,000.
In this context, considering, in any case, that the conduct has exhausted its effects, given that the Order has declared that it has provided the interested party with feedback on the request to exercise the right of access to personal data and information pursuant to art. 15 of the Regulation, even after the notification by the Authority of the administrative violation, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation do not exist.
5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).
Violation of the provisions cited is subject to the application of an administrative pecuniary sanction pursuant to the combined provisions of articles 58, paragraph 2, letters i), and 83, paragraph 5, of the Regulation.
The administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for in article 83, paragraph 2, of the Regulation.
Considering that:
the violation relating to the unlawful communication of the complainant's personal data to the Legion Command, where the complainant carries out his/her work activity, is particularly serious, considering the possible repercussions for the interested party in the workplace (see art. 83, par. 2, letter a), of the Regulation);
although for the purpose of preserving the effectiveness and efficiency of the administrative action, deemed to be compromised by the repeated requests for civic access and the reports submitted by the complainant and his wife, moreover in a period in which the Order was particularly burdened by the obligations related to the verification of the vaccination requirement for those practicing health professions (no longer required following the enactment of Legislative Decree no. 162 of 31 October 2022 and starting from 1 November 2022), the Order exceeded its institutional competences (see art. 83, paragraph 2, letter b), of the Regulation);
the processing did not, however, concern data belonging to particular categories pursuant to art. 9 of the Regulation or data relating to crimes pursuant to art. 10 of the Regulation (see art. 83, par. 2, letter g), of the Regulation),
it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).
That said, it is believed that, for the purposes of quantifying the sanction, the following circumstances must be taken into account:
the Order has offered good cooperation with the Authority during the investigation (art. 83, par. 2, letter f), of the Regulation);
there are no previous relevant violations committed by the Order (art. 83, par. 2, letter e), of the Regulation).
In light of the above elements, assessed as a whole, and taking into account that the Order is a small public body, with limited financial and organizational resources, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of Euro 8,000 (eight thousand) for the violation of Articles 5, paragraph 1, letter a), 6, 12, 13, 14, 15, paragraph 1, 26, paragraphs 1 and 2, of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to Article 83, paragraph 1, of the Regulation, to be effective, proportionate and dissuasive.
Taking into account that, as highlighted above, the Order communicated the personal data in question to the employer of the complainant, with potential repercussions for the latter in the workplace, and that, therefore, the processing involved a vulnerable subject in this context (see recital 75 and art. 88 of the Regulation and “Guidelines concerning the data protection impact assessment and the criteria for establishing whether a processing "is likely to present a high risk" pursuant to Regulation 2016/679”, WP 248 of 4 April 2017), it is also believed that the accessory sanction of publication of this provision on the website of the Guarantor should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.
Finally, it should be noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.
NOW, CONSIDERING ALL THE ABOVE, THE GUARANTOR
declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the Order of Nursing Professions of Udine for violation of art. 5, par. 1, letter a), 6, 12, 13, 14, 15, par. 1, 26, parr. 1 and 2, of the Regulation, as well as 2-ter of the Code, within the terms set out in the reasons;
ORDERS
the Order of Nursing Professions of Udine, in the person of its legal representative pro-tempore, with registered office in Viale Tricesimo, 206 - 33100 Udine (UD), C.F. 00491270302, to pay the sum of 8,000 (eight thousand) euros as an administrative pecuniary sanction for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;
ORDERS
the aforementioned Order, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 8,000 (eight thousand) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of Law no. 689/1981;
ORDERS
- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Guarantor Regulation no. 1/2019);
- the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, of the violations and measures adopted in accordance with art. 58, par. 2, of the Regulation (see art. 17 of the Regulation of the Guarantor no. 1/2019).
Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.
Rome, 12 September 2024
THE PRESIDENT
Stanzione
THE REPORTER
Scorza
THE GENERAL SECRETARY
Mattei