Garante per la protezione dei dati personali (Italy) - 9556958
Garante per la protezione dei dati personali - 9556958 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 5(1)(d) GDPR, Article 5(2) GDPR, Article 25 GDPR, Article 35 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 25.02.2021 |
Published: | 09.03.2021 |
Fine: | 300000 EUR |
Parties: | INPS |
National Case Number/Name: | 9556958 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Italian |
Original Source: | Garante per la protezione dei dati personali (in IT) |
Initial Contributor: | n/a |
The Italian DPA (Garante per la protezione dei dati personali) imposed a fine of €300,000 on the national social security institute (INPS) for violating Articles 5(1)(a), (c) and (d), 5(2), 25 and 35 GDPR.
English Summary
Facts
The Italian national social security institute (INPS) provided financial aid to Italian citizens to help them face the Covid crisis. To access this aid, citizens were required to satisfy certain criteria. To speed up the process of obtaining the aid, INPS first assessed each request only on the basis of the documentation provided by the applicant in the request and, only at a later stage, after the aid had been disbursed, carried out a more specific investigation of every applicant.
During the second-phase assessment, INPS checked whether the applicants included parliamentarians or holders of offices in public administrations. To do so, INPS collected some personal data from open source registers, generated from this open data the personal tax code of the applicants, and compared it with the one in the application. Calculating the tax code in this way can produce mistakes. The secondary examination was also carried out for subjects whose aid had already been refused under the first examination. Only afterwards did the Labour ministry declare that parliamentarians and holders of administrative office would be excluded from this financial aid.
Dispute
Were these activities contrary to the GDPR?
Holding
The DPA found that carrying out the second examination on parliamentarians and holders of administrative offices before the Labour ministry's note excluding these categories from the financial aid constituted a violation of the principles of lawfulness, fairness and transparency as per Article 5(1)(a) GDPR.
The fact that the processing was not limited to those who received the aid but also included those who had already been refused violated the principle of adequacy and minimisation as per Article 5(1)(c) GDPR.
The fact that the tax code was generated from open data rather than obtained from official sources, and was thus potentially erroneous, violated the principle of adequacy as per Article 5(1)(d) GDPR.
The DPA also considered that all the previous violations together constituted a violation of privacy by default and by design as per Article 25 GDPR and of the liability principle of Article 5(2) GDPR.
Finally, the DPA found that the provision on impact assessment in Article 35 GDPR was also violated, because INPS had not adequately weighed the existence of a high risk, such as to require a preliminary data protection impact assessment, and had not adequately involved the DPO.
For these reasons, and on the basis of Articles 58(2)(i) and 83 GDPR, the Italian DPA imposed a fine of €300,000 on INPS.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.