Garante per la protezione dei dati personali (Italy) - 10021491

From GDPRhub
Garante per la protezione dei dati personali - 10021491
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 9 GDPR
Article 88 GDPR
Article 2-sexies d.lgs. 196/2003
Article 113 d.lgs. 196/2003
Article 2-ter d.lgs. 196/2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 24.04.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 10021491
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: Carloc

The DPA issued a warning against the Ministry of Justice for processing personal data uploaded on a dating website by an employee. Although data was processed in the context of disciplinary proceedings, the controller did not have a legal basis.

English Summary

Facts

An employee (the data subject) of the Ministry of Justice (the controller) offered paid sex on a dating website. His colleagues found his ads, which included pictures, contact information, and a pseudonym. They informed their superiors who, in turn, informed the Ministry. The Ministry carried out a disciplinary investigation and found that the worker committed no disciplinary infringement.

The worker filed a complaint with the Italian DPA and claimed that the Ministry unlawfully processed data concerning his sex life and sexual orientation during the investigation.

The Ministry claimed that the processing was lawful under Italian labor law and that it was based on a legal obligation[1] for public administrations to investigate potential disciplinary infractions. The Ministry also observed that the data were made publicly available on the Internet by the worker himself.

Holding

Under Italian labor law[2] an employer may only investigate an employee's personal life if the information is relevant to the job. The authority held that the Ministry violated the law because the data subject's sex life was not relevant to his tasks as an employee.

The authority also rejected the other arguments from the Ministry. The authority considered it irrelevant that the data were made publicly available on the Internet by the data subject himself and held that the Ministry still needed a legal basis to process them. The authority also observed that the law invoked by the Ministry as a legal basis did not apply to the case at hand. So, the Ministry was not under a legal obligation to process personal data.

The authority concluded that the worker's data were processed unlawfully and issued a warning against the Ministry for violating Articles 5(1)(a), 6, 9, and 88 GDPR as well as Articles 2-ter, 2-sexies, and 113 of the Italian Privacy Code.

The authority decided not to issue a fine. Among other factors, the authority noted that the Ministry was careful to keep its investigation strictly confidential and collaborated with the authority during the investigation of the complaint.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10021491]

Provision of 24 April 2024

Register of measures
n. 268 of 24 April 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/ EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (hereinafter the “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette. n. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

Having seen the documentation in the documents;

Having seen the observations made by the general secretary pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker Prof. Pasquale Stanzione;

PREMISE

1. The complaint.

With a complaint presented pursuant to art. 77 of the Regulation Mr. XX, administrative operator at XX (hereinafter "XX"), represented that the Ministry of Justice - Department of Penitentiary Administration (hereinafter "Ministry") has implemented processing of personal data that does not comply with the data protection regulations personal data through its central and peripheral offices. In particular, it was complained that the Ministry initiated disciplinary proceedings against the complainant on the assumption that he had engaged in "disciplinarily relevant conduct [...] consisting in having spread his image online - and more specifically on a website meetings [...] offering sexual services for a reward" (see disciplinary complaint note from the XX of the Department - General Directorate of Personnel and Human Resources, in documents). This disciplinary proceeding would have been initiated following an investigation carried out against the complainant by XX by accessing the aforementioned dating site and acquiring images of online advertisements relating to the services offered and containing, in addition to photographs of the interested party, also identified through a pseudonym, also information relating to his age and telephone numbers.

Furthermore, it emerges from the documentation in the documents that already in the phase of contesting the charge against the complainant (see the aforementioned note from the Department of XX, in the documents) it was noted that the behavior of the same had not "been carried out during the 'hours of service'. Subsequently, on XX (following the start of the investigation by the Guarantor), the Ministry closed the disciplinary proceedings in question on the assumption that "the contested infraction does not pertain to service activities and was carried out outside of working hours of service" expressly confirming that it "did not cause damage to the prestige of the administration as no elements emerged that would allow the connection between it and the accused".

2. The preliminary investigation activity.

With note dated XX (prot. n. XX), the Department - General Directorate of Personnel and Human Resources of the Ministry, in response to a request for information from the Guarantor, declared, in particular, that:

- "the XX of XX sent [...] the note reporting a disciplinary infraction accompanied by attachments, by registered mail in a double sealed envelope [...] which contained documents with sensitive data and recommendations for data processing";

- “the correspondence in a sealed envelope was delivered to the Regent Director of the Office and assigned to the Official responsible for proceeding with the investigation of the case. Said documentation has not been reproduced or registered with an IT protocol system in order to best protect the sensitive data contained therein and specifically kept in the latter's office";

- “the confidential documentation was subsequently processed by the UPD [of] the General Directorate composed of the Director of the Office, the F.O.R. Responsible for the Procedure, by the Recording Penitentiary Police Inspector, for the handling of the disciplinary hearing held on XX";

- "finally the correspondence was handled by the General Director of Personnel and Resources for the adoption of the final measure dismissing the disciplinary proceedings";

- information was also given to the employee concerned of the sending of documentation relating to disciplinaryly relevant behavior pursuant to art. 12 of the Regulation [...]".

With a note of the XX (prot. n. XX), the XX sent further elements, from which it emerges, in particular, that:

- "the management of the penitentiary institution [...] became aware of the announcement published by the [complainant] following a service report produced by a member of the role of Inspectors of the Penitentiary Police Force, who in turn was informed by some colleagues who, by accessing the dating site [...], had viewed the advertisement offering sexual services, also in exchange for gifts and financial compensation, inserted by the aforementioned employee. This report was accompanied by images relating to the advertisement itself";

- "on the basis of what has been reported and documented, without having carried out any investigation into the habits and relating to the private and sexual life of today's complainant [XX] having nevertheless detected behavior susceptible to disciplinary relevance due to the duty incumbent on public employees , even free from service, to maintain integrity and correct conduct, avoiding any conduct that could damage the Administration and its image, deemed it necessary to transmit the documents to the Central Discipline Office, for the relevant evaluations and determinations" ;

- “so much so that the aforementioned Central Office initiated disciplinary action by noting the violation of the 3 of the Code of Conduct for public employees referred to in the Presidential Decree. 16 April 2013, n. 62 in the part in which it provides that the public employee '“(...) avoids situations and behaviors that could...harm the interests or image of the public administration...” and art. 42, paragraph 1, CCNL of the central functions sector in the part in which it provides that [...] the employee also adapts his behavior to the principles regarding the employment relationship, contained in the code of conduct referred to in art. 54 of Legislative Decree 165/2001 and in the code of conduct adopted by each administration" and considering the infringement referred to in the art. 43, paragraph 3, letter. b) "conduct not compliant with the principles of correctness ... of the aforementioned CCNL, absorbed in the provision referred to in letter 1) "violations of duties and obligations of behavior not specifically included in the previous letters from which a disservice, damage or danger has arisen to the administration...";

- "the Management in the header, in reporting to the competent superior central office the conduct considered disciplinary relevant carried out [by the complainant], acted in compliance with the legal obligation established by the art. 55 sexies of Legislative Decree 165/2001 and subsequent amendments. which imposes on the manager of the structure referred to in the art. 55 bis of the same law to detect and report conduct carried out by employees which is subject to disciplinary sanctions, under penalty of administrative, civil and managerial liability for the same in the event of omissions or delays";

- "with regard to the methods of access to the employee's personal data, it cannot fail to be highlighted that these were acquired on the basis of the information that the [complainant] himself published on an open notice board and, therefore, consultable and usable by anyone had connected to the site”;

- "this Directorate, precisely in order to protect the privacy and protect the fundamental rights of the [complainant], has forwarded the report containing personal data to the departmental disciplinary office under its jurisdiction, adopting all the necessary precautions, that is, inserting the correspondence in an envelope closed and clearly indicating in the letter of transmission the following wording: "We also inform you that the documentation transmitted contains so-called. “sensitive data” provided for by art. 9 of the EU data protection regulation 2016/679 […]”.

With note dated XX (prot. no. XX, the Office, on the basis of the elements acquired, the checks carried out and the facts emerging following the preliminary investigation, notified the Ministry, pursuant to art. 166, paragraph 5 , of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulation, concerning the alleged violations of articles 5, paragraph 1, letter a), 6 , 9 and 88 of the Regulation, as well as 2-ter, 2-sexies and 113 of the Code (in relation to art. 8 of law no. 300 of 20 May 1970 and art. 10 of legislative decree 10 September 2003, no. 276), regarding the collection and subsequent processing of personal data also attributable to the "sexual life" and "sexual orientation" of the complainant, which occurred in the absence of an appropriate legal basis and in conflict with the national provisions that prohibit the employer from acquiring and processing information relating to the employee's private sphere. With the same note, the owner was also invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1 , from law 24 November 1981, n.

With note dated XX (prot. n. XX), the Ministry presented a defense statement, declaring, in particular, that:

- “as can be seen from note no. XX — S.P.P. of the XX the Management of the penitentiary institute of [...] "became aware of the announcement published by the [complainant] following a service report produced by a member of the role of Inspectors of the Penitentiary Police Force, in turn informed by some colleagues who, by accessing the dating site [...], had viewed the advertisement offering sexual services, also in exchange for gifts and financial compensation, inserted by the aforementioned employee. This report was accompanied by images relating to the announcement";

- "the Regent Director of the XX [...] sent in a sealed envelope to the Discipline Office of the Department of Penitentiary Administration - Registered letter with return receipt no. 13189667514-4 […] with note prot. n. XX - S.P.P. of the XX [...] - the request to activate disciplinary proceedings against the Administrative Operator in question accompanied by the documentation acquired";

- “the Management “acted in compliance with the legal obligation established by the art. 55 sexies of the Legislative Decree 165/2001 and subsequent amendments. which imposes on the manager of the structure referred to in the art. 55 bis of the same law to detect and report conduct carried out by employees liable to disciplinary sanctions, under penalty of incurring administrative, civil and managerial liability for the same in the event of omissions or delays";

- "no data collection activity concerning the sexual life of the [complainant] was carried out by this management which limited itself to taking note of the activity of offering sexual services advertised by the employee, also in exchange for gifts and compensation economic nature with possible profiles of criminal relevance";

- "with regard to the activity carried out by Office VII - Discipline of the General Directorate of Personnel [...] the staff assigned to the Office received the correspondence in question in the manner explained above from the management of XX of XX, and forwarded it to the Regent Director of the Office which in turn instructed the responsible officer to proceed with the investigation of the case. It is specified that said confidential documentation received by registered letter dated XX, was neither reproduced nor registered with an IT protocol system in order to best protect the sensitive data contained therein, and was specifically kept in the Office of the Official above”;

- "considering that from the examination of the correspondence produced by the XX penitentiary office, a conduct emerged which, although carried out by the employee outside working hours, appeared contrary to the principles of correctness to which the public employee is subjected as expressly specified in the 'art 3 of the code of conduct Presidential Decree 16 April 2013 n. 62 and therefore relevant from an ethical point of view, given that the public employee is required to always maintain intact and correct conduct, avoiding any situation that could damage the Administration and its image, in compliance with the principle of mandatory disciplinary action in the face of conduct that appears to be in violation of the law, disciplinary proceedings were initiated against the [complainant] with a notice of complaint dated XX";

- "and in fact the initiation of disciplinary proceedings complies with the principle of mandatory disciplinary action envisaged for employment at the Public Administration. sanctioned by the art. 55 of Legislative Decree 165/2001 and following. mm., as also confirmed by the Supreme Court (Cass. Sez. lav., 2 March 2017 n. 5317) in compliance with the constitutional principles of good performance of the Public Administration, of impartiality and legality-legitimacy of the administrative action (art. 97 of the Constitution .), the dutiful pursuit of which is impeded by the unpunished tolerance of illegal phenomena within the public apparatus" […] as established in paragraph 3 of the art. 55 - sexies of Legislative Decree 165/2001";

- "for this reason, once the disciplinary procedure has been activated against the [complainant], at the conclusion of the preliminary investigation, having ascertained that the employee's conduct had not occurred during working hours and that no elements that could lead the employee's image back to the Administration, the disciplinary proceedings in question were closed with decree of the Director General of Personnel and Resources no. XX of the XX”;

- "with regard therefore to the entire phase of the disciplinary procedure, it is specified that, as already explained in the note sent to this Authority on XX, the treatment of the correspondence received from the management of exclusively by the personnel of the Disciplinary Procedures Office who have the duty of absolute confidentiality of all elements and documentation which they come into possession of for reasons of their Office";

Furthermore, during the hearing pursuant to art. 166, paragraph 6, of the Code, represented that (see minutes prot.n. XX of the XX):

- "the employee has raised an issue by submitting a complaint to the Guarantor which we believe to be unfounded because it is based on a disciplinary procedure which has its own precise rules and which imposes specific obligations on the administration";

- “behavior was reported which prima facie seemed inconsistent with the behavior of an employee and we had the obligation to take action due to the mandatory nature of initiating disciplinary action, regardless of its outcome; this is because the behavior was not completely inconsistent with the conditions that require the initiation of disciplinary proceedings (art. 55 of Legislative Decree no. 165/2001) as there was a risk of criminal relevance of the conduct";

- "the Ministry has a wide range of cases regarding the processing of even sensitive data (for example, mistreatment of third parties, corruption and other behaviors that have criminal relevance or are likely to put the administration in a bad light [...]); in such cases, although they are sometimes behaviors relating to the extra-work sphere, they must necessarily be known to the administration which will then evaluate whether or not to initiate disciplinary action" [...] "in any case the management of the data takes place, and has also taken place in this case, as part of a supply chain that provides access by authorized personnel only";

- "the data in question arrived personally to the Director of the disciplinary office in a double sealed envelope, the file was kept by the competent official who kept it without registering it in the document registration management system in order to carry out initial checks regarding the relevance of the conduct in disciplinary proceedings";

- "it was therefore considered that the case presumably had relevance on a disciplinary level and the procedure was started with disciplinary charges against the interested party also due to the fact that the website was used and frequented by other personnel of the same administration or by people who they could know the interested party; it was considered that there was a concrete possibility of violation of the code of conduct that led to the act of contesting the charges; the only staff units who processed the data were: the acting director of the disciplinary office in office at the time, the official responsible for the procedure for the preliminary investigation, the general director who signed the document contesting the charges and then once the archiving measure has been adopted, the director of office VII, the person taking the minutes in the context of the disciplinary hearing, subjects who, having specific tasks and roles in this area, are authorized to process, having been duly instructed regarding the confidentiality of the overall processing;

- in this regard, art. 71 lett. p) of the CCNL of 16 November 2022, considering that the interested party requested remuneration for specific services".

3. Outcome of the preliminary investigation. The regulatory framework applicable to employment relationships

Within the framework of the Regulation and the Code, the employer can process the personal data of workers (art. 4, n. 1, of the Regulation), also relating to "particular categories", if the processing is necessary "to fulfill an obligation legal to which the data controller is subject" (art. 6, par. 1, letter c), and 2 and 3, and art. 9, par. 2, letter. b) and 4; 88 of the Regulation) or "for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" (art. 6, par. 1, letter e), 2 and 3 , and art. 9, par. 2, letter. g), of the Regulation; articles 2-ter and 2-sexies of the Code).

With reference to data relating to particular categories, which expressly includes data relating to "sexual life or sexual orientation [...]" (art. 9, paragraph 1 of the Regulation), please note that the related processing is, in general, prohibited unless one of the specific conditions indicated by par. 2 of the art. 9 of the Regulation.

In the workplace this implies that the processing of these categories of data can be legitimately carried out only when it is "necessary to fulfill the obligations and exercise the specific rights of the data controller or the interested party in matters of labor and safety law". social protection and social protection, to the extent authorized by Union or Member State law or by a collective agreement under Member State law, in the presence of appropriate guarantees for the fundamental rights and interests of the data subject" ( art. 9, par. 2, letter. b), of the Regulation; v. well, art. 88, and cons. 51-53 of the Regulation; see, “Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1, of Legislative Decree 10 August 2018, n. 101”, web doc n. 9124510) as well as, in some cases, the occurrence of "reasons of significant public interest" (art. 9, par. 2, letter g) of the Regulation and art. 2-sexies, spec. lit. dd) of the Code). 

In any case, the employer must comply with the more specific national rules regarding the processing of data in the context of employment relationships (art. 88 and cons. 155 of the Regulation), and, in particular, the provisions that prohibit the employer to acquire, even through third parties, and process information on the worker's political, religious or trade union opinions, as well as on facts not relevant for the purposes of evaluating the worker's professional aptitude (see art. 113 of the Code, which recalls art. 8 of law 20 May 1970, n. 10 of legislative decree 10 September 2003, n. As a result of this postponement, and taking into account the art. 88, par. 2 of the Regulation, compliance with the art. 8 of the law. 20 May 1970, n. 300 and art. 10 of Legislative Decree 10 September 2003, n.276 (in cases where the conditions are met) constitutes a condition of lawfulness of the processing. These rules constitute in the internal legal system those more specific and greater guarantee provisions referred to in the art. 88 of the Regulation - for this purpose subject to specific notification by the Guarantor to the European Commission, pursuant to art. 88, par. 3, of the Regulation - whose observance constitutes a condition of lawfulness of the processing and whose violation - similarly to the specific processing situations of chapter IX of the Regulation - determines, in addition to criminal liability (see art. 171 of the Code) , also the application of administrative pecuniary sanctions pursuant to art. 83, par. 5, letter. d), of the Regulation (see, with regard to the public sector of work, most recently, Court of Justice of the European Union, ruling of 30 March 2023, case C-34/21; see also the jurisprudence of the European Court of Rights of man, in the case Antovic and Mirković v. Montenegro, application no. 70838/13 of 28 November 2017, which established that respect for "private life" must also be extended to public workplaces, highlighting the necessary respect for guarantees provided for by applicable national law).

The employer is, however, required to respect the principles regarding data protection (art. 5 of the Regulation) and must be able to demonstrate that the processing is carried out in compliance with the Regulation (art. 5, par. 2 , and 24 of the Regulation).

3.1. The processing of the complainant's personal data

On the basis of the elements acquired and the facts that emerged following the preliminary investigation, as well as subsequent assessments, it is ascertained that the Ministry processed personal data relating to the interested party with regard to the "advertisement of the offer of sexual services" and the related images , present on a dating website.

In particular, as shown in the documents and as confirmed by the declarations made by the data controller, such data would have been acquired by XX, following a report from some employees and, subsequently, transmitted to the competent central office of the Ministry which, while noting that the reported behaviors had occurred outside of working hours, initiated disciplinary action against the complainant (note of the XX, cit.). Subsequently, after the start of this investigation, the disciplinary proceedings were closed considering that the behavior complained of to the complainant was not likely to prejudice the Ministry in any way, as it had not "caused damage to the prestige" of the same and no "elements such as to allow the connection between it and the accused" (see decree of XX, cit.).

3.2. Disciplinary action and protection of the extra-work sphere

In the work context, the exercise of disciplinary action - which in general can be traced back to the context of a "legal obligation to which the data controller is subject" as well as the "specific rights of the data controller" and the "fulfilment of the obligations established by law or by collective agreements” (see articles 6.par. 1, letter c), 9, par. 2, letter. b) of the Regulation and articles. 55-bis et seq. of Legislative Decree 165/2001) - concerns the violation by the employee of the obligations of diligence, loyalty and impartiality which qualify the correct fulfillment of the work performance (see articles 1339 and 1419, second paragraph, of the civil code and, with specific regard to the public employment relationship, articles 55 to 55-octies of Legislative Decree 165/2001; art. 1 Code of conduct for public administration employees adopted by Presidential Decree no. 62 of 16 April subject to "the minimum duties of diligence, loyalty, impartiality and good conduct that public employees are required to observe", applicable to the specific case; see also the new Code of Conduct for public employees adopted by Presidential Decree 13 June 2023, no . 81).

In compliance with the constitutional principles of good performance of public administration, impartiality and legality-legitimacy of administrative action (art. 97 of the Constitution), the duties of diligence of public employees concern, more specifically, the correct performance of "their tasks in compliance with the law, pursuing the public interest without abusing the position or powers it holds" with a view to ensuring "the quality of services, the prevention of corruption, compliance with the constitutional duties of diligence, loyalty, impartiality and exclusive service to the care of the public interest" (see art. 54 of Legislative Decree 165/2001). In this framework, public employees are expressly required to respect the "principles of integrity, correctness, good faith, proportionality, objectivity, transparency, fairness and reasonableness" in carrying out their work activities and to "abstain in the event of a conflict of interest". ", as well as to avoid "situations and behaviors that may hinder the correct fulfillment of tasks or harm the interests or image of the public administration" (see art. 3 of the aforementioned Code of Conduct, expressly the subject of the disciplinary complaint to the complainant).

Otherwise, the information relating to the activities and behaviors undertaken by the employee, outside the performance of their duties and responsibilities, and not interfering, even indirectly, with the execution of the work performance, pertains to the private life of the worker, the whose protection is guaranteed by the regulatory framework at a supranational level (see art. 8, par. 2, of the European Convention on Human Rights and art. 7 of the Charter of Fundamental Rights of the European Union and, for the protection profiles of data, cons. 1 of the Regulation) as well as by national and European provisions, stratified over time, which aim to prevent penalizing differentiations in the delicate working and professional context (see, for example, art. 15, law of 20 May 1970, no. 300; art. 6 of law 5 June 1990, which prohibits employers from carrying out investigations to ascertain the existence of HIV status; European Union, ruling of 12 January 2023, case C 356/21; v. also Cass. civil section I – 15 December 2020, n. 28646, spec. p. 5.5.). In this context, the rules protecting the privacy and dignity of the interested worker are also placed, with guarantees that translate into limitations on managerial power, and in particular, those which, since 1970, have prohibited the employer, public and private, to collect and in any case "process" data that are not relevant to the job performed or information "on facts that are not relevant for the purposes of evaluating the professional aptitude of the worker" unless "they are characteristics that affect the methods of carrying out the work activity or which constitute an essential and decisive requirement for the purposes of carrying out the same (see combined provisions of art. 8 of law no. 300 of 20 May 1970 and art. 10 of legislative decree 10 September 2003, n. 276, referred to in art. 113 of the Code, “Data collection and relevance”).

This framework - strengthened by its roots at the level of the Regulation and the Code as a result of the references contained in the art. 88 of the Regulation and in art. 113 of the Code - aims to stem the acquisition of information relating to the worker's private life by preventing facts and information that are not relevant to the execution of the contract from becoming available to the employer. This is in order to minimize the opportunities for possible prejudicial effects, even indirect, deriving from the mere knowledge of such information and regardless of the actual use of the information and the circumstance that the same is confidential or in the public domain (see in this regard, Cass. section I of 19 September 2016, in relation to the confirmed violation of art 300/1970 and 113 of the Code).

In this context, life choices, habits and personal beliefs, not being, by their very nature, relevant to the work activity, cannot, as a rule, constitute facts or circumstances likely to be detected in the work environment, nor can they normally constitute the reasons from which different consequences arise towards the worker compared to other workers. This is unless such circumstances are concretely relevant for the purposes of carrying out the service, taking into account the "nature" of the activities in question and the "context" in which the specific tasks are carried out, with the consequence, in terms of the protection of data, that the lawfulness of the processing of information relating to the private life and personal beliefs of the worker is subordinated to the existence, on a regulatory level, of a specific requirement for carrying out the work activity (see, in this sense, ruling of the 17 April 2018, Egenberger, C-414/16, EU:C:2018:257, paragraphs 56 to 58, referred to by the Guarantor in numerous decisions, see in particular provision no. web no. 9683814). The international framework has also long provided indications regarding the fact that the data collected by the employer must "be relevant and not excessive taking into account the type of work", also in reference to information "shared online with other subjects, in particular through networks of socialization" (see, par. 5 of Recommendation CM/Rec(2015)5 of the Committee of Ministers to Member States on the processing of personal data in the employment context of 1 April 2015; see on this point also Opinion 2/2017 on the Processing of the workplace data of 8 June 2017 of the "Article 29 Working Group", spec. par.5).

This guarantee framework has been applied by the Guarantor on numerous occasions, for example also in the presence of relevant public health and workplace safety reasons in the period of the epidemiological emergency from SARS-CoV-2, recalling that, even in this context, the employer was not entitled to process personal data relating to private life, in particular, those relating to the vaccination choices of its employees, but that the aforementioned limit did not apply with respect to those categories of workers for whom, given the greater exposure to contagion, the legislator had established that vaccination constituted a specific professional requirement, considered essential to carry out certain work activities or tasks (a hypothesis without prejudice to the combined provisions of the aforementioned articles 8 of law 20 May 1970, n. 300, and 10 of Legislative Decree no. 276 of 10 September 2003), and the same legislator had also regulated the disciplinary consequences deriving from the lack of the aforementioned professional requirement (see Prov. of 13 December 2021 doc. web no. 9727220 and, subsequently, Provv. of 18 February 2022 and guidance documents referred to therein).

3.3 Illegality of the processing of data relating to the worker's "sexual life" and "sexual orientation".

The scope of the private sphere of the person also includes information relating to the "sexual life" and "sexual orientation" of the interested party, personal data to which the data protection regulations grant strengthened protection both on a general level, with regard to all possible processing contexts (being expressly considered among the particular categories of personal data referred to in art. 9 of the Regulation, the processing of which is generally prohibited unless an express exception exists among those indicated in par. 2) is, particularly in the specific working and professional context, considering the greater risks for the rights and freedoms of the interested parties and the "vulnerability" of the same in the relationship with the owner (cons. 43 of the Regulation; see 88 of the Regulation and art. 113 of the Code).

In this framework, in fact, the applicable national legislation includes the sexual life and sexual orientation of the worker or aspiring worker - precisely as information which, by accessing the intimate dimension of the person, is considered irrelevant with respect to the execution of the service - among the information which the employer is prohibited from processing (see, in particular, art.10 of Legislative Decree no. 276 of 10 September 2003, there are "personal beliefs [...i]sex, [...] sexual orientation […]” referred to in art. 113 of the Code).

With regard to the processing of data carried out in the context of an employment relationship to ascertain disciplinary responsibility, the Court of Cassation recalled that public entities can also process personal data, including those relating to particular categories of data, provided that there is "a significant purpose of public interest" envisaged by "an express provision of authorizing law" and has specified, with regard to the exercise of disciplinary power in the public sphere, that "[...] the express inclusion of this purpose among those of public interest is not in itself sufficient" to legitimize the processing of data relating to the sexual life and sexual orientation of the worker; this in consideration of the "particular nature of sensitive data, and in particular those concerning the health and sexual life of people [...] (which belong to the category of so-called supersensitive data, which affect the most intimate part of the person, in his corporeality and in his most reserved psychological beliefs), and which requires, due to the constitutional values placed under their protection (articles 2 and 3 of the Constitution), strengthened protection" (see, in this regard, Cass. Civ. 7 October 2014, no. 21107, which confirmed the provision of 6 December 2011, web document no.
In the system of the Regulation and the Code it is therefore not only required that the processing is based on a legal basis that has the characteristics required by the data protection regulations, both in terms of quality of the source, necessary contents and appropriate measures and, both in terms of proportionality of the regulatory intervention with respect to the objectives that are intended to be pursued (art. 6, par. 2 and 3, letter b), of the Regulation).  It is in fact essential, as mentioned, that the data controller who operates as an employer also acts in full compliance with the regulatory framework of the sector which aims to protect the dignity, freedom and private sphere of the worker (see 88 of the Regulation and art. 113 of the Code). However, these conditions do not apply in this case.

During the investigation, the Ministry invoked, in its defense, the "obligatory nature of the disciplinary action envisaged for employment at the Public Administration. sanctioned by the art. 55 of Legislative Decree 165/2001” and an alleged responsibility for the holders of disciplinary action in the event of any inaction. However, these arguments cannot be considered relevant to the specific case considering that the typology of disciplinary infringements and related sanctions applicable to the public context is defined by the law and the applicable collective agreements (see art. 55 et seq., spec. 55- quater and 55-sexies of Legislative Decree no. 165/2001) and that any omissive liability on the part of the personnel in charge of the disciplinary action is provided for by law, in particular, in the presence of "manifestly unreasonable assessments of the non-existence of the illicit in relation to conduct having objective and clear disciplinary relevance" (see 55-sexies, paragraphs 3 and 4, cit.). In this regard, it is noted that the Ministry itself was able to point out, from the first assessments carried out on the facts in question, the criminal non-relevance (see annex no. 3 note of the XX, containing service report and related correspondence) and the the behavior of the interested party is extraneous to his/her work activity (as shown by the documentation in documents which shows, for example, the times of the employee's online activity, see also annexes to notes dated XX and XX). Nonetheless, despite lacking "objective and clear disciplinary relevance", the procedure was nevertheless initiated against the employee, using information that already appeared irrelevant with respect to the employment relationship. So much so that, as mentioned, even in the disciplinary complaint it was made clear that the behavior had not "been carried out during service hours" (see disciplinary complaint of XX, cit.), a circumstance later confirmed in the provision dismissal of the disciplinary proceedings. Nor, for the same reasons, can what is declared regarding the fact that the "constitutional principles of good performance of the Public Administration" be considered relevant for the purposes of excluding the owner's liability. […], the dutiful pursuit of which is hindered by the unpunished tolerance of illegal phenomena within the public apparatus” […]”, as the private nature of the matter and its conduct outside the working hours and places. The Ministry then declared, during the investigation, that it had activated the procedure due to the complainant's behavior deemed "not in keeping with the behavior of an employee" (see minutes of the hearing, in documents).

Furthermore, to justify the processing of the data in question by initiating disciplinary proceedings, reference to art. 71 lett. p) of the National Collective Labor Agreement of 16 November 2022 (formerly art. 42 letter p) of the "National Collective Labor Agreement for Central Functions Sector Staff", three-year period XX) as the conduct that public employees must observe - in relation to "abstaining from participating in the adoption of decisions or activities that may directly or indirectly involve one's own financial or non-financial interests, that of one's spouse, cohabitants, relatives, in-laws up to the second degree" - refers to any situations of potential conflict of interest upon use of which the public employee has the obligation to abstain, in the exercise of his duties, from adopting acts that could lead to the realization of an interest that is opposed to the public interest of the administration.

In relation to what was then declared regarding the need to initiate disciplinary proceedings in the face of "possible profiles of criminal relevance", the following is observed. The sector provisions regulate the relationship between disciplinary proceedings and criminal proceedings (in particular, the hypotheses of suspension of the disciplinary proceedings when criminal action has been carried out for the facts charged) and the cases in which there are specific communication obligations between the offices of the administration and between these and the competent judicial authority (art. 55-ter of legislative decree no. 165/2001, as well as art. 154-ter, legislative decree no. 271/1989; on this point, Presidency of the Council of the Ministers - Circular of 23 December 2010, n. 14, Discipline on disciplinary infringements and sanctions and disciplinary proceedings). This, when the disciplinary proceedings concern, in whole or in part, facts in relation to which the judicial authority is already proceeding, a circumstance which however does not occur in the present case, having, moreover, only been feared by the administration alleged criminal relevance of the behavior to justify the censure carried out on a disciplinary level (see, on the subject of disciplinary proceedings for public employees, Civil Cassation labor section, 17 November 2022, n.33979; see also Court of Appeal Potenza labor section ., 25 October 2022, n.79). On the other hand, it appears necessary to highlight that disciplinary action against the public employee is instead provided for by law (which in this regard provides for the imposition of the sanction of disciplinary dismissal) in the presence of a "definitive criminal conviction, in relation to which perpetual disqualification from holding public offices or the extinction, however named, of the employment relationship is provided for" (see art. 54-quater, letter f), Legislative Decree 165/2001), a provision which therefore gives relevance on a disciplinary level exclusively to those definitive criminal convictions which, due to the legal good offended, have ordered the application of the aforementioned accessory penalties which affect the employment relationship with the administration.

Nor, in conclusion, even from the perspective of legal certainty and the principle of non-discrimination, can the disciplinary function be invoked by the employer to justify initiatives allegedly connected to possible judicial investigations or to legitimize a general action of prevention, investigation, assessment and prosecution of crimes (which, however, is the responsibility of the competent authorities) or, again, in order to exercise preventive control over the actions of employees, even more so if, as declared in the present case, it is intended to extend such control to "conduct relating to the extra-work sphere [on the assumption that] they must necessarily be known by the administration which will then evaluate whether or not to initiate disciplinary action". On this point, it is useful to recall the aforementioned ruling of the Court of Cassation which highlighted, in reference to the protection of the private sphere of the public employee, that "the public significance of the tasks entrusted [to the owner] is not suitable to justify the violation of the current legislation which intends to ensure a guarantee of the rights constitutionally recognized to workers, first and foremost the right to privacy" (Cass. section I civ. 19 Sept. 2016, n. 18302, which confirmed the Provision of the Guarantor n. 308 of 21 July 2011, web document no. 1829641; see also European Court of Human Rights, Antovic and Mirković v. Montenegro, application no. 70838/13 of 28.11.2017.

The data controller, the employer, must therefore always operate within the scope and limits established by the applicable legislation, which constitutes the legal basis of the relevant processing (articles 5, 6, 9, par. 2, letter b ) and g) and 88 of the Regulation), avoiding implementing initiatives not provided for by law which, in certain circumstances, may also conflict with the aforementioned national provisions which prohibit the employer from processing information not relating to the work activity , with possible harmful effects for those concerned in the work and professional context.

Nor, for the reasons set out above, can the fact that the interested party voluntarily inserted the aforementioned advertisement on a website accessible by anyone be sufficient to justify the data processing carried out by the Ministry. Also from this point of view, "the entry of some of one's personal data online, while allowing one to presume the interested party's willingness to allow its use in view of the objectives for which it was made available to the public, does not, however, allow consider that that consent was implicitly given also in relation to any other processing. The use of the data disclosed for purposes other than that for which disclosure was permitted constitutes an eventuality already taken into consideration by this Court, which stated in this regard that the protection provided by Legislative Decree no. . 196 of 2003 also extends to data already public or published, since the person who carries out processing operations on such information can obtain further information from their comparison, comparison, examination, analysis, conjunction, relationship or cross-referencing, therefore an «added value information", cannot be extracted from data considered in isolation, potentially harmful to the dignity of the interested party, supreme value (protected by art. 3, first paragraph, first part, and art. 2 of the Constitution) which inspires the legislation in matter of processing of personal data" (see Cass. Civ. 7 October 2014, n. 21107, cit., as well as Cass., Section I, 8 August 2013, n. 18981).

In this regard, albeit in relation to different contexts (see, for example, provision of 12 March 2020, no. 56, web doc. no. 9429218; provision no. 367 of 10 November 2022, web doc. no. 9835095 and provision no. 45, 10 February 2022, web doc. 9751549), the Guarantor has declared the collection and use by public administrations of personal data or information already disclosed to be non-compliant with data protection regulations, or in any case available, even online, given that such personal data, although knowable by anyone, can be processed and used by third parties within the limits and when the conditions of the applicable sector laws are met and, therefore, also in compliance with the more specific and more protection without prejudice to art. 88 of the Regulation with regard to the working context (see, most recently, Court of Justice of the European Union, ruling of 30 March 2023, case C-34/21).

It is also believed that the circumstance on the basis of which the disciplinary proceedings were subsequently archived cannot be considered sufficient to exclude the responsibility of the data controller, given that the data relating to the private and sexual sphere of the employee were in any case used to formally initiate the aforementioned disciplinary proceedings and processed within the same (see, on this point, in particular, provision dated 13 May 2021, no. 190, web doc. no. 9669974).

Having therefore used the personal data also relating to the sexual sphere of the complainant in the exercise of employer functions - in the alleged belief that the processing was necessary in compliance with the legal obligation and even though this occurred in the presence of precautions adopted to limit knowledge of the facts to a limited number of authorized persons - cannot be considered sufficient to fill the lack of legal basis and to overcome the conflict with the aforementioned provisions which prohibit the employer from processing information not relating to the work activity (for similar considerations in relation to the use of data collected in the absence of a legal basis for the exercise of disciplinary power in a different context, see provision 10 November 2022 n.

For all of the above, given the unusability of "personal data processed in violation of the relevant regulations on data processing" (see art. 2-decies of the Code), it is therefore believed that the Ministry, once it has come to knowledge by the interested party's colleagues of information relating to aspects relating to the employee's sexual life and sexual orientation, he should have refrained from using it.

For the reasons highlighted above, it must be concluded, given the provisions of the art. 113 of the Code, that the acquisition and subsequent processing of personal data also attributable to the "sexual life" and "sexual orientation" of the complainant, even if found online as previously made available there by the interested party, took place in the absence of a suitable legal basis and in contrast with national provisions which prohibit the employer from acquiring and processing information relating to the employee's private sphere, in violation of articles. 5, par. 1 letter a), 6, 9 and 88 of the Regulation, as well as 2-ter, 2-sexies and 113 of the Code (in relation to art. 8 of law no. 300 of 20 May 1970 and art. 10 of Legislative Decree 10 September 2003, n. 276).

4. Conclusions.

In light of the assessments mentioned above, it is noted that the declarations made by the data controller during the investigation are the truthfulness of which one may be called upon to respond to pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow us to overcome the findings notified by the Office with the act of initiating the proceedings and are insufficient to allow the dismissal of the present proceedings, as, moreover, none of the cases provided for by the 'art. 11 of the Guarantor Regulation n. 1/2019.

The preliminary assessments of the Office are therefore confirmed and it is noted, given the provisions of the art. 113 of the Code, the illegality of the collection and subsequent processing of personal data carried out by the Ministry, also attributable to the "sexual life" and sexual orientation of the complainant, even if found online as previously made available there by the interested party, in the absence of an appropriate legal basis and in contrast with national provisions which prohibit the employer from acquiring and processing information relating to the employee's private sphere, in violation of articles. 5, par. 1 letter a), 6, 9 and 88 of the Regulation, as well as 2-ter, 2-sexies and 113 of the Code (in relation to art. 8 of law no. 300 of 20 May 1970 and art. 10 of Legislative Decree 10 September 2003, n. 276).

Having said this, it is necessary, however, to take into consideration certain elements, including contextual ones, which emerged during the investigation, which are indispensable for the purposes of concretely evaluating the extent of the violations found and the harmfulness of the overall conduct (see cons. 148 of the Regulation).

In particular, taking into account that:

- the violation, in the present case, concerned the personal data relating to a single interested party (see art. 83, par. 2, letter a), of the Regulation);

- XX, having received the report, upon initial examination and by mistake, did not recognize that it related to conduct unrelated to the work activity and pertaining to the employee's private sphere (see art. 83, par. 2, letter b), of the Regulation); the same, also as a result of the aforementioned error of assessment, sent the documentation collected to the Central Management in the belief of having to comply with a legal obligation (art.55 sexies of Legislative Decree 165/2001 et seq.);

- in this context the administration, aware of the sensitivity of the personal data in question, has nevertheless adopted measures aimed at ensuring that only personnel deemed authorized on the basis of the owner's organizational choices had access to the documentation relating to the aforementioned report, ensuring in any case its circulation confidential (in particular, by transmitting the package in a sealed envelope and "clearly indicating in the letter of transmission the following wording: "We also inform you that the documentation transmitted contains so-called “sensitive data” provided for by art. 9 of the EU data protection regulation 2016/679") and also avoiding any form of reproduction or electronic recording of the same, also guaranteeing that it is kept at the competent Office (see art. 83, par. 2, letter d) , of the Regulation);

- at the end of the preliminary investigation, the Ministry proceeded, taking note of the irrelevance of the matter from a work perspective, to dismiss the disciplinary proceedings against the interested party, expressly confirming in the dismissal provision that the conduct had not occurred during the working hours and that there were no elements that could damage the image of the Administration (see art. 83, par. 2, letter k), of the Regulation);

- therefore, given the dismissal of the proceedings against him, the interested party did not in any case suffer specific repercussions on a disciplinary level (see art. 83, par. 2, letter c), of the Regulation);

- the processing of the aforementioned documentation was carried out exclusively by the staff of the Disciplinary Procedures Office who have the duty of absolute confidentiality of all the elements and documentation of which they come into possession for reasons of their Office" (see art. 83, par. 2, letter), of the Regulation);

- there are no previous violations committed by the data controller or previous measures referred to in the art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);

- the Ministry offered a good level of cooperation with the Authority during the investigation (art. 83, par. 2, letter f), of the Regulation);

The circumstances of the specific case, pursuant to the cons. 148 of the Regulation and the “Guidelines regarding the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) no. 2016/679”, adopted by the Art. 29 Working Group on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with the “Endorsement 1/2018” of 25 May 2018 (see, in similar sense, provision dated 17 May 2023, n. 194), allow us to consider it sufficient to warn the Ministry for the violation of the aforementioned provisions, pursuant to art. 58, par. 2, letter. b), of the Regulation (see also paragraph 148 of the Regulation).

Considering that the conduct has now exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation.

Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

a) declares, pursuant to art. 57, par. 1, letter. f), of the Regulation, the unlawfulness of the processing of personal data carried out by the Ministry of Justice - Department of Penitentiary Administration, in the person of the legal representative pro tempore, with registered office in Largo Luigi Daga, 2, 00164 Rome, C.F. 80252050580, for violation of articles. 5, par. 1 letter a), 6, 9 and 88 of the Regulation, as well as 2-ter, 2-sexies and 113 of the Code (in relation to art. 8 of law no. 300 of 20 May 1970 and art. 10 of Legislative Decree 10 September 2003, n. 276);

b) pursuant to art. 58, par. 2, letter. b) of the Regulation, warns the Ministry, as owner of the processing in question, for having violated the articles. 5, par. 1 letter a), 6, 9 and 88 of the Regulation, as well as 2-ter, 2-sexies and 113 of the Code (in relation to art. 8 of law no. 300 of 20 May 1970 and art. 10 of Legislative Decree 10 September 2003, n. 276), as described above;

c) believes that the conditions set out in the art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to the articles. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 24 April 2024

PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE GENERAL SECRETARY
Mattei

[doc. web no. 10021491]

Provision of 24 April 2024

Register of measures
n. 268 of 24 April 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (hereinafter the “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette. n. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

Having seen the documentation in the documents;

Having seen the observations made by the general secretary pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker Prof. Pasquale Stanzione;

PREMISE

1. The complaint.

With a complaint presented pursuant to art. 77 of the Regulation Mr. XX, administrative operator at XX (hereinafter "XX"), represented that the Ministry of Justice - Department of Penitentiary Administration (hereinafter "Ministry") has implemented processing of personal data that does not comply with the data protection regulations personal data through its central and peripheral offices. In particular, it was complained that the Ministry initiated disciplinary proceedings against the complainant on the assumption that he had engaged in "disciplinarily relevant conduct [...] consisting in having spread his image online - and more specifically on a website meetings [...] offering sexual services for a reward" (see disciplinary complaint note from the XX of the Department - General Directorate of Personnel and Human Resources, in documents). This disciplinary proceeding would have been initiated following an investigation carried out against the complainant by XX by accessing the aforementioned dating site and acquiring images of online advertisements relating to the services offered and containing, in addition to photographs of the interested party, also identified through a pseudonym, also information relating to his age and telephone numbers.

Furthermore, it emerges from the documentation in the documents that already in the phase of contesting the charge against the complainant (see the aforementioned note from the Department of XX, in the documents) it was noted that the behavior of the same had not "been carried out during the 'hours of service'. Subsequently, on XX (following the start of the investigation by the Guarantor), the Ministry closed the disciplinary proceedings in question on the assumption that "the contested infraction does not pertain to service activities and was carried out outside of working hours of service" expressly confirming that it "did not cause damage to the prestige of the administration as no elements emerged that would allow the connection between it and the accused".

2. The preliminary investigation activity.

With note dated XX (prot. n. XX), the Department - General Directorate of Personnel and Human Resources of the Ministry, in response to a request for information from the Guarantor, declared, in particular, that:

- "the XX of XX sent [...] the note reporting a disciplinary infraction accompanied by attachments, by registered mail in a double sealed envelope [...] which contained documents with sensitive data and recommendations for data processing";

- “the correspondence in a sealed envelope was delivered to the Regent Director of the Office and assigned to the Official responsible for proceeding with the investigation of the case. Said documentation has not been reproduced or registered with an IT protocol system in order to best protect the sensitive data contained therein and specifically kept in the latter's office";

- “the confidential documentation was subsequently processed by the UPD [of] the General Directorate composed of the Director of the Office, the F.O.R. Responsible for the Procedure, by the Recording Penitentiary Police Inspector, for the handling of the disciplinary hearing held on XX";

- "finally the correspondence was handled by the General Director of Personnel and Resources for the adoption of the final measure dismissing the disciplinary proceedings";

- information was also given to the employee concerned of the sending of documentation relating to disciplinaryly relevant behavior pursuant to art. 12 of the Regulation [...]".

With a note of the XX (prot. n. XX), the XX sent further elements, from which it emerges, in particular, that:

- "the management of the penitentiary institution [...] became aware of the announcement published by the [complainant] following a service report produced by a member of the role of Inspectors of the Penitentiary Police Force, who in turn was informed by some colleagues who, by accessing the dating site [...], had viewed the advertisement offering sexual services, also in exchange for gifts and financial compensation, inserted by the aforementioned employee. This report was accompanied by images relating to the advertisement itself”;

- "on the basis of what has been reported and documented, without having carried out any investigation into the habits and relating to the private and sexual life of today's complainant [XX] having nevertheless detected behavior susceptible to disciplinary relevance due to the duty incumbent on public employees , even free from service, to maintain integrity and correct conduct, avoiding any conduct that could damage the Administration and its image, deemed it necessary to transmit the documents to the Central Discipline Office, for the relevant evaluations and determinations" ;

- “so much so that the aforementioned Central Office initiated disciplinary action by noting the violation of the 3 of the Code of Conduct for public employees referred to in the Presidential Decree. 16 April 2013, n. 62 in the part in which it provides that the public employee '“(...) avoids situations and behaviors that could...harm the interests or image of the public administration...” and art. 42, paragraph 1, CCNL of the central functions sector in the part in which it provides that [...] the employee also adapts his behavior to the principles regarding the employment relationship, contained in the code of conduct referred to in art. 54 of Legislative Decree 165/2001 and in the code of conduct adopted by each administration" and considering the infringement referred to in the art. 43, paragraph 3, letter. b) "conduct not compliant with the principles of correctness ... of the aforementioned CCNL, absorbed in the provision referred to in letter 1) "violations of duties and obligations of behavior not specifically included in the previous letters from which a disservice, damage or danger has arisen to the administration...";

- "the Management in the header, in reporting to the competent superior central office the conduct considered disciplinary relevant carried out [by the complainant], acted in compliance with the legal obligation established by the art. 55 sexies of Legislative Decree 165/2001 and subsequent amendments. which imposes on the manager of the structure referred to in the art. 55 bis of the same law to detect and report conduct carried out by employees which is subject to disciplinary sanctions, under penalty of administrative, civil and managerial liability for the same in the event of omissions or delays";

- "with regard to the methods of access to the employee's personal data, it cannot fail to be highlighted that these were acquired on the basis of the information that the [complainant] himself published on an open notice board and, therefore, consultable and usable by anyone had connected to the site";

- "this Directorate, precisely in order to protect the privacy and protect the fundamental rights of the [complainant], has forwarded the report containing personal data to the departmental disciplinary office under its jurisdiction, adopting all the necessary precautions, that is, inserting the correspondence in an envelope closed and clearly indicating in the letter of transmission the following wording: "We also inform you that the documentation transmitted contains so-called. “sensitive data” provided for by art. 9 of the EU data protection regulation 2016/679 […]”.

With note dated XX (prot. no. XX, the Office, on the basis of the elements acquired, the checks carried out and the facts emerging following the preliminary investigation, notified the Ministry, pursuant to art. 166, paragraph 5 , of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulation, concerning the alleged violations of articles 5, paragraph 1, letter a), 6 , 9 and 88 of the Regulation, as well as 2-ter, 2-sexies and 113 of the Code (in relation to art. 8 of law no. 300 of 20 May 1970 and art. 10 of legislative decree 10 September 2003, no. 276), regarding the collection and subsequent processing of personal data also attributable to the "sexual life" and "sexual orientation" of the complainant, which occurred in the absence of an appropriate legal basis and in conflict with the national provisions that prohibit the employer from acquiring and processing information relating to the employee's private sphere. With the same note, the owner was also invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1 , from law 24 November 1981, n.

With note dated XX (prot. n. XX), the Ministry presented a defense statement, declaring, in particular, that:

- “as can be seen from note no. XX — S.P.P. of the XX the Management of the penitentiary institute of [...] "became aware of the announcement published by the [complainant] following a service report produced by a member of the role of Inspectors of the Penitentiary Police Force, in turn informed by some colleagues who, accessing the dating site [...], had viewed the advertisement offering sexual services, also in exchange for gifts and financial compensation, inserted by the aforementioned employee. This report was accompanied by images relating to the announcement";

- "the Regent Director of the XX [...] sent in a sealed envelope to the Discipline Office of the Department of Penitentiary Administration - Registered letter with return receipt no. 13189667514-4 […] with note prot. n. XX - S.P.P. of the XX [...] - the request to activate disciplinary proceedings against the Administrative Operator in question accompanied by the documentation acquired";

- “the Management “acted in compliance with the legal obligation established by the art. 55 sexies of the Legislative Decree 165/2001 and subsequent amendments. which imposes on the manager of the structure referred to in the art. 55 bis of the same law to detect and report conduct carried out by employees liable to disciplinary sanctions, under penalty of incurring administrative, civil and managerial liability for the same in the event of omissions or delays";

- "no data collection activity concerning the sexual life of the [complainant] was carried out by this management which limited itself to taking note of the activity of offering sexual services advertised by the employee, also in exchange for gifts and compensation economic nature with possible profiles of criminal relevance";

- "with regard to the activity carried out by Office VII - Discipline of the General Directorate of Personnel [...] the staff assigned to the Office received the correspondence in question in the manner explained above from the management of XX of XX, and forwarded it to the Regent Director of the Office which in turn instructed the responsible officer to proceed with the investigation of the case. It is specified that said confidential documentation received by registered letter dated XX, was neither reproduced nor registered with an IT protocol system in order to best protect the sensitive data contained therein, and was specifically kept in the Office of the Official above”;

- "considering that from the examination of the correspondence produced by the XX penitentiary office, a conduct emerged which, although carried out by the employee outside working hours, appeared contrary to the principles of correctness to which the public employee is subjected as expressly specified in the 'art 3 of the code of conduct Presidential Decree 16 April 2013 n. 62 and therefore relevant from an ethical point of view, given that the public employee is required to always maintain intact and correct conduct, avoiding any situation that could damage the Administration and its image, in compliance with the principle of mandatory disciplinary action in the face of conduct that appears to be in violation of the law, disciplinary proceedings were initiated against the [complainant] with a notice of complaint dated XX";

- "and in fact the initiation of disciplinary proceedings complies with the principle of mandatory disciplinary action envisaged for employment at the Public Administration. sanctioned by the art. 55 of Legislative Decree 165/2001 and following. mm., as also confirmed by the Supreme Court (Cass. Sez. lav., 2 March 2017 n. 5317) in compliance with the constitutional principles of good performance of the Public Administration, of impartiality and legality-legitimacy of the administrative action (art. 97 of the Constitution .), the dutiful pursuit of which is impeded by the unpunished tolerance of illegal phenomena within the public apparatus" […] as established in paragraph 3 of the art. 55 - sexies of Legislative Decree 165/2001";

- "for this reason, once the disciplinary procedure has been activated against the [complainant], at the conclusion of the preliminary investigation, having ascertained that the employee's conduct had not occurred during working hours and that no elements that could lead the employee's image back to the Administration, the disciplinary proceedings in question were closed with decree of the Director General of Personnel and Resources no. XX of the XX”;

- "with regard therefore to the entire phase of the disciplinary procedure, it is specified that, as already explained in the note sent to this Authority on XX, the treatment of the correspondence received from the management of exclusively by the personnel of the Disciplinary Procedures Office who have the duty of absolute confidentiality of all elements and documentation which they come into possession of for reasons of their Office";

Furthermore, during the hearing pursuant to art. 166, paragraph 6, of the Code, represented that (see minutes prot.n. XX of the XX):

- "the employee has raised an issue by submitting a complaint to the Guarantor which we believe to be unfounded because it is based on a disciplinary procedure which has its own precise rules and which imposes specific obligations on the administration";

- “behavior was reported which prima facie seemed inconsistent with the behavior of an employee and we had the obligation to take action due to the mandatory nature of initiating disciplinary action, regardless of its outcome; this is because the behavior was not completely inconsistent with the conditions that require the initiation of disciplinary proceedings (art. 55 of Legislative Decree no. 165/2001) as there was a risk of criminal relevance of the conduct";

- "the Ministry has a wide range of cases regarding the processing of even sensitive data (for example, mistreatment of third parties, corruption and other behaviors that have criminal relevance or are likely to put the administration in a bad light [...]); in such cases, although they are sometimes behaviors relating to the extra-work sphere, they must necessarily be known to the administration which will then evaluate whether or not to initiate disciplinary action" [...] "in any case the management of the data takes place, and has also taken place in this case, as part of a supply chain that provides access by authorized personnel only";

- "the data in question arrived personally to the Director of the disciplinary office in a double sealed envelope, the file was kept by the competent official who kept it without registering it in the document registration management system in order to carry out initial checks regarding the relevance of the conduct in disciplinary proceedings";

- "it was therefore considered that the case presumably had relevance on a disciplinary level and the procedure was started with disciplinary charges against the interested party also due to the fact that the website was used and frequented by other personnel of the same administration or by people who they could know the interested party; it was considered that there was a concrete possibility of violation of the code of conduct that led to the notification of the charges; the only staff units who processed the data were: the acting director of the disciplinary office in office at the time, the official responsible for the procedure for the preliminary investigation, the general director who signed the document contesting the charges and then once the archiving measure has been adopted, the director of office VII, the person taking the minutes in the context of the disciplinary hearing, subjects who, having specific tasks and roles in this area, are authorized to process, having been duly instructed regarding the confidentiality of the overall processing;

- in this regard, art. 71 lett. p) of the CCNL of 16 November 2022, considering that the interested party requested remuneration for specific services".

3. Outcome of the preliminary investigation. The regulatory framework applicable to employment relationships

Within the framework of the Regulation and the Code, the employer can process the personal data of workers (art. 4, n. 1, of the Regulation), also relating to "particular categories", if the processing is necessary "to fulfill an obligation legal to which the data controller is subject" (art. 6, par. 1, letter c), and 2 and 3, and art. 9, par. 2, letter. b) and 4; 88 of the Regulation) or "for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" (art. 6, par. 1, letter e), 2 and 3 , and art. 9, par. 2, letter. g), of the Regulation; articles 2-ter and 2-sexies of the Code).

With reference to data relating to particular categories, which expressly includes data relating to "sexual life or sexual orientation [...]" (art. 9, paragraph 1 of the Regulation), please note that the related processing is, in general, prohibited unless one of the specific conditions indicated in par. 2 of the art. 9 of the Regulation.

In the workplace this implies that the processing of these categories of data can be legitimately carried out only when it is "necessary to fulfill the obligations and exercise the specific rights of the data controller or the interested party in matters of labor and safety law". social protection and social protection, to the extent authorized by Union or Member State law or by a collective agreement under Member State law, in the presence of appropriate guarantees for the fundamental rights and interests of the data subject" ( art. 9, par. 2, letter) of the Regulation; v. well, art. 88, and cons. 51-53 of the Regulation; see, “Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1, of Legislative Decree 10 August 2018, n. 101”, web doc n. 9124510) as well as, in some cases, the occurrence of "reasons of significant public interest" (art. 9, par. 2, letter g) of the Regulation and art. 2-sexies, spec. lit. dd) of the Code). 

In any case, the employer must comply with the more specific national rules regarding the processing of data in the context of employment relationships (art. 88 and cons. 155 of the Regulation), and, in particular, the provisions that prohibit the employer to acquire, even through third parties, and process information on the worker's political, religious or trade union opinions, as well as on facts not relevant for the purposes of evaluating the worker's professional aptitude (see art. 113 of the Code, which recalls art. 8 of law 20 May 1970, n. 10 of legislative decree 10 September 2003, n. As a result of this postponement, and taking into account the art. 88, par. 2 of the Regulation, compliance with the art. 8 of the law. 20 May 1970, n. 300 and art. 10 of Legislative Decree 10 September 2003, n.276 (in cases where the conditions are met) constitutes a condition of lawfulness of the processing. These rules constitute in the internal legal system those more specific and greater guarantee provisions referred to in the art. 88 of the Regulation - for this purpose subject to specific notification by the Guarantor to the European Commission, pursuant to art. 88, par. 3, of the Regulation - whose observance constitutes a condition of lawfulness of the processing and whose violation - similarly to the specific processing situations of chapter IX of the Regulation - determines, in addition to criminal liability (see art. 171 of the Code) , also the application of administrative pecuniary sanctions pursuant to art. 83, par. 5, letter. d), of the Regulation (see, with regard to the public sector of work, most recently, Court of Justice of the European Union, ruling of 30 March 2023, case C-34/21; see also the jurisprudence of the European Court of Rights of man, in the case Antovic and Mirković v. Montenegro, application no. 70838/13 of 28 November 2017, which established that respect for "private life" must also be extended to public workplaces, highlighting the necessary respect for guarantees provided for by applicable national law).

The employer is, however, required to respect the principles of data protection (art. 5 of the Regulation) and must be able to demonstrate that the processing is carried out in compliance with the Regulation (art. 5, par. 2 , and 24 of the Regulation).

3.1. The processing of the complainant's personal data

On the basis of the elements acquired and the facts that emerged following the preliminary investigation, as well as subsequent assessments, it is established that the Ministry processed personal data relating to the interested party with regard to the "advertisement of the offer of sexual services" and the related images , present on a dating website.

In particular, as shown in the documents and as confirmed by the declarations made by the data controller, such data would have been acquired by XX, following a report from some employees and, subsequently, transmitted to the competent central office of the Ministry which, while noting that the reported behaviors had occurred outside of working hours, initiated disciplinary action against the complainant (note of the XX, cit.). Subsequently, after the start of the present investigation, the disciplinary proceedings were closed considering that the behavior complained of to the complainant was not likely to prejudice the Ministry in any way, having not "caused damage to the prestige" of the same and no "elements" having emerged such as to allow the connection between it and the accused" (see decree of XX, cit.).

3.2. Disciplinary action and protection of the extra-work sphere

In the work context, the exercise of disciplinary action - which in general can be traced back to the context of a "legal obligation to which the data controller is subject" as well as the "specific rights of the data controller" and the "fulfilment of the obligations established by law or by collective agreements” (see articles 6.par. 1, letter c), 9, par. 2, letter. b) of the Regulation and articles. 55-bis et seq. of Legislative Decree 165/2001) - concerns the violation by the employee of the obligations of diligence, loyalty and impartiality which qualify the correct fulfillment of the work performance (see articles 1339 and 1419, second paragraph, of the civil code and, with specific regard to the public employment relationship, articles 55 to 55-octies of Legislative Decree 165/2001; art. 1 Code of conduct for public administration employees adopted by Presidential Decree no. 62 of 16 April subject to "the minimum duties of diligence, loyalty, impartiality and good conduct that public employees are required to observe", applicable to the specific case; see also the new Code of Conduct for public employees adopted by Presidential Decree 13 June 2023, no . 81).

In compliance with the constitutional principles of good performance of public administration, impartiality and legality-legitimacy of administrative action (art. 97 of the Constitution), the duties of diligence of public employees concern, more specifically, the correct performance of "their tasks in compliance with the law, pursuing the public interest without abusing the position or powers it holds" with a view to ensuring "the quality of services, the prevention of corruption, compliance with the constitutional duties of diligence, loyalty, impartiality and exclusive service to the care of the public interest" (see art. 54 Legislative Decree 165/2001). In this framework, public employees are expressly required to respect the "principles of integrity, correctness, good faith, proportionality, objectivity, transparency, fairness and reasonableness" in carrying out their work activities and to "abstain in the event of a conflict of interest". ", as well as to avoid "situations and behaviors that may hinder the correct fulfillment of tasks or harm the interests or image of the public administration" (see art. 3 of the aforementioned Code of Conduct, expressly the subject of the disciplinary complaint to the complainant).

Otherwise, the information relating to the activities and behaviors undertaken by the employee, outside the performance of their duties and responsibilities, and not interfering, even indirectly, with the execution of the work performance, pertains to the private life of the worker, the whose protection is guaranteed by the regulatory framework at a supranational level (see art. 8, par. 2, of the European Convention on Human Rights and art. 7 of the Charter of Fundamental Rights of the European Union and, for the protection profiles of data, cons. 1 of the Regulation) as well as by national and European provisions, stratified over time, which aim to prevent penalizing differentiations in the delicate working and professional context (see, for example, art. 15, law of 20 May 1970, no. 300; art. 6 of law no. 135 of 5 June, which prohibits employers from carrying out investigations to ascertain the existence of HIV status; European Union, ruling of 12 January 2023, case C 356/21; v. also Cass. civil section I – 15 December 2020, n. 28646, spec. p. 5.5.). In this context, the rules protecting the privacy and dignity of the interested worker are also placed, with guarantees that translate into limitations on managerial power, and in particular, those which, since 1970, have prohibited the employer, public and private, to collect and in any case "process" data that are not relevant to the job performed or information "on facts that are not relevant for the purposes of evaluating the professional aptitude of the worker" unless "they are characteristics that affect the methods of carrying out the work activity or which constitute an essential and decisive requirement for the purposes of carrying out the same (see combined provisions of art. 8 of law no. 300 of 20 May 1970 and art. 10 of legislative decree 10 September 2003, n. 276, referred to in art. 113 of the Code, “Data collection and relevance”).

This framework - strengthened by its roots at the level of the Regulation and the Code as a result of the references contained in the art. 88 of the Regulation and in art. 113 of the Code - aims to stem the acquisition of information relating to the worker's private life by preventing facts and information that are not relevant to the execution of the contract from becoming available to the employer. This is in order to minimize the opportunities for possible prejudicial effects, even indirect, deriving from the mere knowledge of such information and regardless of the actual use of the information and the circumstance that the same is confidential or in the public domain (see in this regard, Cass. section I of 19 September 2016, in relation to the confirmed violation of art 300/1970 and 113 of the Code).

In this context, life choices, habits and personal beliefs, not being, by their very nature, relevant to the work activity, cannot, as a rule, constitute facts or circumstances likely to be detected in the work environment, nor can they normally constitute the reasons from which different consequences arise towards the worker compared to other workers. This is unless such circumstances are concretely relevant for the purposes of carrying out the service, taking into account the "nature" of the activities in question and the "context" in which the specific tasks are carried out, with the consequence, in terms of the protection of data, that the lawfulness of the processing of information relating to the private life and personal beliefs of the worker is subordinated to the existence, on a regulatory level, of a specific requirement for carrying out the work activity (see, in this sense, ruling of the 17 April 2018, Egenberger, C-414/16, EU:C:2018:257, paragraphs 56 to 58, referred to by the Guarantor in numerous decisions, see in particular provision no. web no. 9683814). The international framework has also long provided indications regarding the fact that the data collected by the employer must "be relevant and not excessive taking into account the type of work", also in reference to information "shared online with other subjects, in particular through networks of socialization" (see, par. 5 of Recommendation CM/Rec(2015)5 of the Committee of Ministers to Member States on the processing of personal data in the employment context of 1 April 2015; see on this point also Opinion 2/2017 on the Processing of the workplace data of 8 June 2017 of the "Article 29 Working Group", spec. par.5).

This guarantee framework has been applied by the Guarantor on numerous occasions, for example also in the presence of relevant public health and workplace safety reasons in the period of the epidemiological emergency from SARS-CoV-2, recalling that, even in this context, the employer was not entitled to process personal data relating to private life, in particular, those relating to the vaccination choices of its employees, but that the aforementioned limit did not apply with respect to those categories of workers for whom, given the greater exposure to contagion, the legislator had established that vaccination constituted a specific professional requirement, considered essential to carry out certain work activities or tasks (a hypothesis without prejudice to the combined provisions of the aforementioned articles 8 of law 20 May 1970, n. 300, and 10 of Legislative Decree no. 276 of 10 September 2003), and the same legislator had also regulated the disciplinary consequences deriving from the lack of the aforementioned professional requirement (see Prov. of 13 December 2021 doc. web no. 9727220 and, subsequently, Provv. of 18 February 2022 and guidance documents referred to therein).

3.3 Illegality of the processing of data relating to the worker's "sexual life" and "sexual orientation".

The scope of the private sphere of the person also includes information relating to the "sexual life" and "sexual orientation" of the interested party, personal data to which the data protection regulations grant strengthened protection both on a general level, with regard to all possible processing contexts (being expressly considered among the particular categories of personal data referred to in art. 9 of the Regulation, the processing of which is generally prohibited unless an express exception exists among those indicated in par. 2) is, particularly in the specific working and professional context, considering the greater risks for the rights and freedoms of the interested parties and the "vulnerability" of the same in the relationship with the owner (cons. 43 of the Regulation; see 88 of the Regulation and art. 113 of the Code).

In this framework, in fact, the applicable national legislation includes the sexual life and sexual orientation of the worker or aspiring worker - precisely as information which, by accessing the intimate dimension of the person, is considered irrelevant with respect to the execution of the service - among the information which the employer is prohibited from processing (see, in particular, art.10 of Legislative Decree no. 276 of 10 September 2003, there are "personal beliefs [...i]sex, [...] sexual orientation […]” referred to in art. 113 of the Code).

With regard to the processing of data carried out in the context of an employment relationship to ascertain disciplinary responsibility, the Court of Cassation recalled that public entities can also process personal data, including those relating to particular categories of data, provided that there is "a significant purpose of public interest" envisaged by "an express provision of authorizing law" and has specified, with regard to the exercise of disciplinary power in the public sphere, that " [...] the express inclusion of this purpose among those of public interest is not in itself sufficient" to legitimize the processing of data relating to the sexual life and sexual orientation of the worker; this in consideration of the "particular nature of sensitive data, and in particular those concerning the health and sexual life of people [...] (which belong to the category of so-called supersensitive data, which affect the most intimate part of the person, in his corporeality and in his most reserved psychological beliefs), and which requires, due to the constitutional values placed under their protection (articles 2 and 3 of the Constitution), strengthened protection" (see, in this regard, Cass. Civ. 7 October 2014, no. 21107, which confirmed the provision of 6 December 2011, web document no.
In the system of the Regulation and the Code it is therefore not only required that the processing is based on a legal basis that has the characteristics required by the data protection regulations, both in terms of quality of the source, necessary contents and appropriate measures and, both in terms of proportionality of the regulatory intervention with respect to the objectives that are intended to be pursued (art. 6, par. 2 and 3, letter b), of the Regulation).  It is in fact essential, as mentioned, that the data controller who operates as an employer also acts in full compliance with the regulatory framework of the sector which aims to protect the dignity, freedom and private sphere of the worker (see 88 of the Regulation and art. 113 of the Code). However, these conditions do not apply in this case.

During the investigation, the Ministry invoked, in its defense, the "obligatory nature of the disciplinary action envisaged for employment at the Public Administration. sanctioned by the art. 55 of Legislative Decree 165/2001” and an alleged responsibility for the holders of disciplinary action in the event of any inaction. However, these arguments cannot be considered relevant to the specific case considering that the typology of disciplinary infringements and related sanctions applicable to the public context is defined by the law and the applicable collective agreements (see art. 55 et seq., spec. 55- quater and 55-sexies of Legislative Decree no. 165/2001) and that any omissive liability on the part of the personnel in charge of the disciplinary action is provided for by law, in particular, in the presence of "manifestly unreasonable assessments of the non-existence of the illicit in relation to conduct having objective and clear disciplinary relevance" (see 55-sexies, paragraphs 3 and 4, cit.). In this regard, it is noted that the Ministry itself was able to point out, from the first assessments carried out on the facts in question, the criminal non-relevance (see annex no. 3 note of the XX, containing service report and related correspondence) and the the behavior of the interested party is extraneous to his/her work activity (as shown by the documentation in documents which shows, for example, the times of the employee's online activity, see also annexes to notes dated XX and XX). Nonetheless, despite lacking "objective and clear disciplinary relevance", the procedure was still initiated against the employee, using information that already appeared irrelevant with respect to the employment relationship. So much so that, as mentioned, even in the disciplinary complaint it was made clear that the behavior had not "been carried out during service hours" (see disciplinary complaint of XX, cit.), a circumstance later confirmed in the provision dismissal of the disciplinary proceedings. Nor, for the same reasons, can what is declared regarding the fact that the "constitutional principles of good performance of the Public Administration" be considered relevant for the purposes of excluding the owner's liability. […], the dutiful pursuit of which is hindered by the unpunished tolerance of illegal phenomena within the public apparatus” […]”, as the private nature of the matter and its conduct outside the working hours and places. The Ministry then declared, during the investigation, that it had activated the procedure due to the complainant's behavior deemed "not in keeping with the behavior of an employee" (see minutes of the hearing, in documents).

Furthermore, to justify the processing of the data in question by initiating disciplinary proceedings, reference to art. 71 lett. p) of the CCNL 16 November 2022 (formerly art. 42 letter p) of the "National Collective Labor Agreement for Central Functions Sector Staff", three-year period XX) as the conduct that public employees must observe - in relation to "abstaining from participating in the adoption of decisions or activities that may directly or indirectly involve one's own financial or non-financial interests, that of one's spouse, cohabitants, relatives, in-laws up to the second degree" - refers to any situations of potential conflict of interest upon use of which the public employee has the obligation to abstain, in the exercise of his duties, from adopting acts that could lead to the realization of an interest that is opposed to the public interest of the administration.

In relation to what was then declared regarding the need to initiate disciplinary proceedings in the face of "possible profiles of criminal relevance", the following is observed. The sector provisions regulate the relationship between disciplinary proceedings and criminal proceedings (in particular, the hypotheses of suspension of the disciplinary proceedings when criminal action has been carried out for the facts charged) and the cases in which there are specific communication obligations between the offices of the administration and between these and the competent judicial authority (art. 55-ter of legislative decree no. 165/2001, as well as art. 154-ter, legislative decree no. 271/1989; on this point, Presidency of the Council of the Ministers - Circular of 23 December 2010, n. 14, Discipline on disciplinary infringements and sanctions and disciplinary proceedings). This occurs when the disciplinary proceedings concern, in whole or in part, facts in relation to which the judicial authority is already proceeding, a circumstance which however does not occur in the present case, having, moreover, only been feared by the administration alleged criminal relevance of the behavior to justify the censure carried out on a disciplinary level (see, on the subject of disciplinary proceedings of public employees, Civil Cassation labor section, 17 November 2022, n.33979; see also Court of Appeal Potenza labor section ., 25 October 2022, n.79). On the other hand, it appears necessary to highlight that disciplinary action against public employees is instead provided for by law (which in this regard provides for the imposition of the sanction of disciplinary dismissal) in the presence of a "definitive criminal conviction, in relation to which perpetual disqualification from holding public offices or the extinction, however named, of the employment relationship is envisaged" (see art. 54-quater, letter f), Legislative Decree 165/2001), a provision which therefore gives relevance on a disciplinary level exclusively to those definitive criminal convictions which, due to the legal good offended, have ordered the application of the aforementioned accessory penalties which affect the employment relationship with the administration.

Nor, in conclusion, even from the perspective of legal certainty and the principle of non-discrimination, can the disciplinary function be invoked by the employer to justify initiatives allegedly connected to possible judicial investigations or to legitimize a general action of prevention, investigation, assessment and prosecution of crimes (which, however, is the responsibility of the competent authorities) or, again, in order to exercise preventive control over the actions of employees, even more so if, as declared in the present case, it is intended to extend such control to "conduct relating to the extra-work sphere [on the assumption that] they must necessarily be known by the administration which will then evaluate whether or not to initiate disciplinary action". On this point, it is useful to recall the aforementioned ruling of the Court of Cassation which highlighted, in reference to the protection of the private sphere of the public employee, that "the public importance of the tasks entrusted [to the owner] is not suitable to justify the violation of the current legislation which intends to ensure a guarantee of the constitutionally recognized rights of workers, first and foremost the right to privacy" (Cass. section I civ. 19 Sept. 2016, n. 18302, which confirmed the Provision of the Guarantor n. 308 of 21 July 2011, web document no. 1829641; see also European Court of Human Rights, Antovic and Mirković v. Montenegro, application no. 70838/13 of 28.11.2017.

The data controller, the employer, must therefore always operate within the scope and limits established by the applicable legislation, which constitutes the legal basis of the relevant processing (articles 5, 6, 9, par. 2, letter b ) and g) and 88 of the Regulation), avoiding implementing initiatives not provided for by law which, in certain circumstances, may also conflict with the aforementioned national provisions which prohibit the employer from processing information not relating to the work activity , with possible harmful effects for those concerned in the work and professional context.

Nor, for the reasons set out above, can the fact that the interested party voluntarily inserted the aforementioned advertisement on a website accessible by anyone be sufficient to justify the data processing carried out by the Ministry. Also from this point of view, "the entry of some of one's personal data online, while allowing one to presume the interested party's willingness to allow its use in view of the objectives for which it was made available to the public, does not, however, allow consider that that consent was implicitly given also in relation to any other processing. The use of the data disclosed for purposes other than that for which disclosure was permitted constitutes an eventuality already taken into consideration by this Court, which stated in this regard that the protection provided by Legislative Decree no. . 196 of 2003 also extends to data already public or published, since the person who carries out processing operations on such information can obtain further information from their comparison, comparison, examination, analysis, conjunction, relationship or cross-referencing, therefore an «added value information", cannot be extracted from data considered in isolation, potentially harmful to the dignity of the interested party, supreme value (protected by art. 3, first paragraph, first part, and art. 2 of the Constitution) which inspires the legislation in matter of processing of personal data” (see Cass. Civ. 7 October 2014, n. 21107, cit., as well as Cass., Section I, 8 August 2013, n. 18981).

In this regard, albeit in relation to different contexts (see, for example, provision of 12 March 2020, no. 56, web doc. no. 9429218; provision no. 367 of 10 November 2022, web doc. no. 9835095 and provision no. 45, 10 February 2022, web doc. 9751549), the Guarantor has declared the collection and use by public administrations of personal data or information already disclosed to be non-compliant with data protection regulations, or in any case available, even online, given that such personal data, although knowable by anyone, can be processed and used by third parties within the limits and when the conditions of the applicable sector laws are met and, therefore, also in compliance with the more specific and more protection without prejudice to art. 88 of the Regulation with regard to the working context (see, most recently, Court of Justice of the European Union, ruling of 30 March 2023, case C-34/21).

It is also believed that the circumstance on the basis of which the disciplinary proceedings were subsequently archived cannot be considered sufficient to exclude the responsibility of the data controller, given that the data relating to the private and sexual sphere of the employee were in any case used to formally initiate the aforementioned disciplinary proceedings and processed within the same (see, on this point, in particular, provision dated 13 May 2021, no. 190, web doc. no. 9669974).

Having therefore used the personal data also relating to the sexual sphere of the complainant in the exercise of employer functions - in the alleged belief that the processing was necessary in compliance with the legal obligation and even though this occurred in the presence of precautions adopted to limit knowledge of the facts to a limited number of authorized persons - cannot be considered sufficient to fill the lack of legal basis and to overcome the conflict with the aforementioned provisions which prohibit the employer from processing information not relating to the work activity (for similar considerations in relation to the use of data collected in the absence of a legal basis for the exercise of disciplinary power in a different context, see provision 10 November 2022 n.

For all of the above, given the unusability of "personal data processed in violation of the relevant regulations on data processing" (see art. 2-decies of the Code), it is therefore believed that the Ministry, once it has come to knowledge by the interested party's colleagues of information relating to aspects relating to the employee's sexual life and sexual orientation, he should have refrained from using it.

For the reasons highlighted above, it must be concluded, given the provisions of the art. 113 of the Code, that the acquisition and subsequent processing of personal data also attributable to the "sexual life" and "sexual orientation" of the complainant, even if found online as previously made available there by the interested party, took place in the absence of a suitable legal basis and in conflict with national provisions which prohibit the employer from acquiring and processing information relating to the employee's private sphere, in violation of articles. 5, par. 1 letter a), 6, 9 and 88 of the Regulation, as well as 2-ter, 2-sexies and 113 of the Code (in relation to art. 8 of law no. 300 of 20 May 1970 and art. 10 of Legislative Decree 10 September 2003, n. 276).

4. Conclusions.

In light of the assessments mentioned above, it is noted that the declarations made by the data controller during the investigation are the truthfulness of which one may be called upon to respond to pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow us to overcome the findings notified by the Office with the act of initiating the proceeding and are insufficient to allow the dismissal of this proceeding, as, moreover, none of the cases envisaged by the 'art. 11 of the Guarantor Regulation n. 1/2019.

The preliminary assessments of the Office are therefore confirmed and it is noted, given the provisions of the art. 113 of the Code, the illegality of the collection and subsequent processing of personal data carried out by the Ministry, also attributable to the "sexual life" and sexual orientation of the complainant, even if found online as previously made available there by the interested party, in the absence of an appropriate legal basis and in contrast with national provisions which prohibit the employer from acquiring and processing information relating to the employee's private sphere, in violation of articles. 5, par. 1 letter a), 6, 9 and 88 of the Regulation, as well as 2-ter, 2-sexies and 113 of the Code (in relation to art. 8 of law no. 300 of 20 May 1970 and art. 10 of Legislative Decree 10 September 2003, n. 276).

Having said this, it is necessary, however, to take into consideration certain elements, including contextual ones, which emerged during the investigation, which are indispensable for the purposes of concretely evaluating the extent of the violations found and the harmfulness of the overall conduct (see cons. 148 of the Regulation).

In particular, taking into account that:

- the violation, in the present case, concerned the personal data relating to a single interested party (see art. 83, par. 2, letter a), of the Regulation);

- XX, having received the report, upon initial examination and by mistake did not recognize that it concerned conduct unrelated to the work activity and pertaining to the employee's private sphere (see art. 83, par. 2, letter b), of the Regulation); the same, also as a result of the aforementioned error of assessment, sent the documentation collected to the Central Management in the belief of having to comply with a legal obligation (art.55 sexies of Legislative Decree 165/2001 et seq.);

- in this context the administration, aware of the sensitivity of the personal data in question, has nevertheless adopted measures aimed at ensuring that only personnel deemed authorized on the basis of the owner's organizational choices had access to the documentation relating to the aforementioned report, ensuring in any case its circulation confidential (in particular, by transmitting the package in a closed envelope and "clearly indicating in the letter of transmission the following wording: "We also inform you that the documentation transmitted contains so-called "sensitive data" provided for by art. 9 of the regulation on the protection of EU data 2016/679") and also avoiding any form of computer reproduction or recording of the same, also guaranteeing that it is kept in the competent Office (see art. 83, par. 2, letter d), of the Regulation);

- at the end of the preliminary investigation, the Ministry proceeded, taking note of the irrelevance of the matter from a work perspective, to dismiss the disciplinary proceedings against the interested party, expressly confirming in the dismissal provision that the conduct had not occurred during the working hours and that there were no elements that could damage the image of the Administration (see art. 83, par. 2, letter k), of the Regulation);

- therefore, given the dismissal of the proceedings against him, the interested party did not in any case suffer specific repercussions on a disciplinary level (see art. 83, par. 2, letter c), of the Regulation);

- the processing of the aforementioned documentation was carried out exclusively by the staff of the Disciplinary Procedures Office who have the duty of absolute confidentiality of all the elements and documentation of which they come into possession for reasons of their Office" (see art. 83, par. 2, letter), of the Regulation);

- there are no previous violations committed by the data controller or previous measures referred to in the art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);

- the Ministry offered a good level of cooperation with the Authority during the investigation (art. 83, par. 2, letter f), of the Regulation);

The circumstances of the specific case, pursuant to the cons. 148 of the Regulation and the “Guidelines regarding the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) no. 2016/679”, adopted by the Art. 29 Working Group on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with the “Endorsement 1/2018” of 25 May 2018 (see, in similar sense, provision dated 17 May 2023, n. 194), allow us to consider it sufficient to warn the Ministry for the violation of the aforementioned provisions, pursuant to art. 58, par. 2, letter. b), of the Regulation (see also paragraph 148 of the Regulation).

Considering that the conduct has now exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation.

Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

a) declares, pursuant to art. 57, par. 1, letter. f), of the Regulation, the unlawfulness of the processing of personal data carried out by the Ministry of Justice - Department of Penitentiary Administration, in the person of the legal representative pro tempore, with registered office in Largo Luigi Daga, 2, 00164 Rome, C.F. 80252050580, for violation of articles. 5, par. 1 letter a), 6, 9 and 88 of the Regulation, as well as 2-ter, 2-sexies and 113 of the Code (in relation to art. 8 of law no. 300 of 20 May 1970 and art. 10 of Legislative Decree 10 September 2003, n. 276);

b) pursuant to art. 58, par. 2, letter. b) of the Regulation, warns the Ministry, as owner of the processing in question, for having violated the articles. 5, par. 1 letter a), 6, 9 and 88 of the Regulation, as well as 2-ter, 2-sexies and 113 of the Code (in relation to art. 8 of law no. 300 of 20 May 1970 and art. 10 of Legislative Decree 10 September 2003, n. 276), as described above;

c) believes that the conditions set out in the art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to the articles. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 24 April 2024

PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE GENERAL SECRETARY
Mattei
  1. Article 55-sexies d.lgs. 165/2001
  2. Under Article 88 GDPR, Member States can provide for more specific rules on the processing of employees' personal data in the context of employment. The authority held that Article 8 l. 300/1970 and Article 10 d.lgs. 276/2003 were relevant to the case at hand.