Garante per la protezione dei dati personali (Italy) - 10025870

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 9(1) GDPR
Article 9(2)(b) GDPR
Art. 2-ter d.lgs. 196/2003
Art. 55-septies(2) d.lgs. 165/2001
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.05.2024
Published:
Fine: n/a
Parties: Azienda Ospedaliera Complesso Ospedaliero San Giovanni – Addolorata
National Case Number/Name: 10025870
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA issued a reprimand against a hospital. It held that data about the symptoms of an employee who is on sick leave are health data and forwarding such data to the hospital’s general director is unnecessary for the purposes of finding a replacement for the employee.

English Summary

Facts

The data subject is a doctor working for the controller, a hospital. The data subject sent an email to her manager containing personal data about her health in order to justify her absence from work. After that, the manager replied to her and added as a recipient the director general of the hospital.

The data subject filed a complaint with the DPA. She argued that forwarding the email to the director general was unlawful under the GDPR.

The controller argued that the data subject herself sent an email to her manager containing health data; moreover, it stressed that this data was never disclosed to a third party, but only to a person who was the head of the organisational structure of the controller and needed to know that information to arrange a replacement for the data subject.

Furthermore, the controller argued that the email did not contain any data relating to health, since the data subject only stated her symptoms and not an official diagnosis.

Holding

First, the DPA recalled that, according to Article 6(1)(c) and 6(1)(e) GDPR, public authorities can process personal data if it is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Moreover, the DPA pointed out that an employer can process sensitive data if the processing is necessary for the management of the employment relationship and to fulfill specific obligations or tasks arising from the applicable law, pursuant to Article 9(2)(b) GDPR.

Secondly, the DPA held that the information contained in the email was data relating to the data subject’s health and, therefore, fell within the scope of Article 9(1) GDPR. The DPA recalled that – according to consistent case law of the CJEU (see C-184/20, Vyriausioji tarnybinės etikos komisija, para. 125; C-101/01, Lindqvist, paras. 13 and 50) – a broad definition of sensitive data must be adopted, since processing of this type of data is liable to constitute a particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data (see C-667/21, Krankenversicherung Nordrhein, para. 41). Moreover, the DPA highlighted that, also according to national case law, even the mere information that an employee is on sick leave is personal data concerning health.

Thirdly, the DPA recalled that according to national labour law (Article 55-septies(2) d.lgs. 165/2001), when an employee is on sick leave, an employer should manage the sick leave certificates only through the platform provided by the social security institute. This platform ensures that the diagnosis is redacted in the version of the certificate provided to the employer.

Moreover, it held that if the employee sends to their employer the certificate containing the diagnosis, the employer should not further process that information. In the present case, even though the data subject herself sent this information, the controller should not have further processed and sent the information to other people.

More generally, the DPA pointed out that, unless national law implementing Article 9(2)(b) GDPR provides an exception, an employer cannot collect data concerning its employees’ health, either from the data subject or from other sources.

Fourthly, the DPA held that forwarding the whole email to the director general was not necessary for the purpose of finding a replacement for the data subject’s shift, since this purpose could also have been achieved by simply circulating the information that the data subject was sick, without including the specific symptoms.

Therefore, the DPA found a violation of Article 5(1)(a), 6 and 9(1) GDPR and Article 2-ter of the Italian Data Protection Code and issued a reprimand to the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10025870]

Provision of 9 May 2024

Register of measures
n. 270 of 9 May 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and lawyer Guido Scorza, members, and Councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC" (hereinafter the “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and at www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

Having seen the documentation in the documents;

Having seen the observations made by the general secretary pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker Dr. Agostino Ghiglia;

PREMISE

1. Introduction.

With a complaint presented pursuant to art. 77 of the Regulation, Dr. xx, employee of the San Giovanni – Addolorata Hospital Complex (hereinafter, the "Company"), complained that on XX she sent an email - containing her personal data, including data relating to her state of health, having indicated the symptoms suffered - to one of her hierarchical superiors and that the latter responded to this e-mail by including among the recipients the then General Director of the Company, who, in the complainant's opinion, should not have become aware of the personal data in question.

2. The preliminary investigation activity.

In response to a request for information from the Guarantor (see note prot. n. XX of XX), the Company, with note dated XX (prot. n. XX), declared, in particular, that:

“no processing activity with knowledge by external third parties, neither in the form of communication, nor even of disclosure [...] took place in this case: indeed, the response communication from the Director of the U.O.C. - which the electronic system places, as is known, together with the original letter to which a reply is given - has been sent for information only to the General Director, who is [...] the owner of the processing of personal data. Therefore, no personal data was intended for the knowledge of subjects other than the owner [...], while the knowledge by the Director of the U.O.C. was determined by the spontaneous display of the interested party";

"even [the] complainant's communication did not at all contain the description of a medical diagnosis and, therefore, the statement of personal data relating to the clinical qualification of one's own pathological condition, but rather only the description of a physical effect alleged as an impediment to the work performance, i.e. intense cervical and brachial pain, without any identification, statement or display, therefore, of diagnostic data relating to the health condition of the interested party";

"the communication of the interested party's absence and the consequent prospect of covering the shift through replacement by the Director of the U.O.C. were duly communicated and shared with [the] General Director, as the legal representative of the employing company - of the referring person and of the interested party -, responsible for the management activities of the [employment] relationship [...], and as the apical person in charge of the organization - also for the guarantee of efficiency of the public health service [...] and, therefore, the necessary knowledge of the reasons and the possible duration of the impediment and of the proposed solution, both for the purposes of the screening and possible refusal of approval regarding the methods of covering the shift for which the interested party declared herself unable, and in relation to any assessment of responsibility by the Director of the U.O.C. for the case in which the alternative methods of organizing the service had caused any diversion or impairment of the full functionality, efficiency and sustainability of the service itself, particularly and especially in terms of speed of interventions and timeliness of diagnostic responses for users and for internal medical commissions”;

“[...] the need for full and immediate knowledge of the matter on the part of the Director General was even more evident due to the prospect of the Director of the U.O.C carrying out the shift. […]”;

“nor, moreover, in the necessary internal communication relationship with the General Management, the Director of the U.O.C. had another means at its disposal, other than the participation of letters of interlocution with the interested party, in order to immediately and promptly document the reason, possible duration and method of the temporary reorganization of the service [...]";

"no other internal communication method, alternative to the one used, was practicable, given that the medical certificate was provided by the complainant, by her own representation and moreover legitimately, during the day of the shift for which it was requested his replacement and, therefore, at a time subsequent to that in which the timely internal communication of the Unit manager to the General Management was required and was actually carried out".

With note dated XX (prot. n. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, for having processed the personal data of the complainant, including data relating to her state of health, in a manner that does not comply with the principle of "lawfulness, correctness and transparency" and in the absence of a legal basis, in violation of articles 5, par. 1, letter a), 6 and 9 of the Regulation, as well as art. 2-ter of the Code.

With the same note, the aforementioned data controller was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981).

With note dated XX (prot. n. XX), the Company presented a defense statement, declaring, in particular, that:

“the response communication from the Director of the U.O.C. [...] was sent for information to the General Director, who is [...] [the] data controller [...] Therefore, there was no information intended for subjects other than the data controller";

“[…] the transfer of the data, in particular through communication or transmission, to the availability of the data controller, by anyone who has been made aware of it by mistake or excessive detail by the interested party, does not constitute illicit processing”;

“relevant case, for the purposes of applying the regulations on the processing of personal data and, a fortiori, of the sanctioning system, is the communication to a person other than the data controller”;

"furthermore and consistently, the person who, within the team in which the data controller operates, has been the recipient of the communication from the interested party of a piece of information containing personal data and directed, as in this case, to said team, obligatorily and appropriately transfers its availability to the data controller, precisely to allow the latter to carry out the decisions he is responsible for regarding the qualification of the personal data and to manage it, excluding its knowledge and circulation among subjects who are not authorized to take account of it";

"the Director of the U.O.C. could not and should not have acted differently [...] [since the] determination [regarding the processing is] reserved to the data controller";

“[...] nor can it plausibly be considered [...] that the communication from the interested party to the manager of the Operational Unit was a confidential letter. The interested party's communication was intended ex professo to provoke and allow the functional fulfillment of the reorganization of the department's activity, so that she had no interest nor did she express any intent so that the news of her impediment was kept confidential (with respect to the knowledge of the data controller) and, indeed, communicated it precisely so that she could be replaced in service: a replacement which, as is known, is the responsibility of the manager of the organizing department and the company management to authorise, with regards to the obligations relating to the execution of the relationship of service";

"there is no doubt that the manager did not receive the amicus communication, but that the communication was instead intended for corporate articulation";

"in particular, the fact that the communication from the interested party professes to be carried out "in the interest of the service" and "so that you can find other solutions for my replacement" makes it completely clear, from the perspective of serious reasonableness, that this is of a service communication and certainly not of a confidential message";

in any case in the email in question "there is no information reported that could lead to the inference of a precise pathology or even a state of illness, but the summary and fleeting description of a completely non-specific and ambiguous symptom, unsuitable for representing a subjective condition specific, appreciably durable and characterizing”;

“it is not so much the fact that the communication did not contain a diagnosis that matters, but rather the fact that the idea of a specific pathology concerning the interested party could not even be drawn from it”;

“the news concerns the observation of a soreness, from which it is certainly not possible to infer the existence of any state of illness, nor of any symptoms indicative in this sense”;

"the news of a painful state does not constitute ex se even abstract news of an illness or of a specific subjective condition which concerns the way of being of the person concerned and which is therefore configured as personal data and, much less, as sensitive data”;

"the authorization of substitutive obligations for an imminent activity (i.e. for an incipient shift a few hours after the communication of the interested party) and of significant impact on the user - being the continuous preparation of the aforementioned radiological service - already in itself , could not fail to involve the scrutiny of the General Director";

it was in fact "necessary for the General Management to express, if necessary, its possible exceptions regarding the compatibility of the replacement task with the general organizational and management needs and with the numerous and demanding tasks entrusted in this case, with particular regard to the period in question and the organization of the activity and radioprotection devices, to the Director of the U.O.C.”;

“obviously, the determination of the General Director, in addition to being necessary, also had to be taken in a short time […] The promptness of the decision and the aspects involved, as well as the always pre-eminent need to guarantee users fullness, timeliness and the highest level of quality of the health service, certainly did not allow the involvement of the Director General to take place only following the transmission of the medical certification by the interested party and within the times allowed, as is known, by labor regulations";

“the Director of the U.O.C. would not have had the opportunity to report and document the urgent organizational need to the General Management with the due and necessary timeliness [...] Nor would the simple report to the Director regarding the prevention of interested party: firstly, there was no documentation regarding the current need to provide the service as a substitute; furthermore, mere unsubstantiated information would not have been sufficient to allow appreciation of the reasons, consistency and duration of the need for replacement reorganization to be approved".

During the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on XX (see minutes prot. n. XX of XX), the Company declared, in particular, that:

“the UOC in which the facts which are the subject of the complaint occurred is a structure of significant size and which carries out multiple activities characterized by high complexity”;

"in this context, the Director of the UOC - from whom the Director General had asked for extraordinary support for the preparation of the documentation and activities necessary to carry out the delegation assigned to him in the field of radiation protection, given the shortcomings that emerged in the previous management of the Health Physics - decided to promptly inform the Director General of the sudden absence of the complainant, to deal with the urgent need to plan and organize these activities, compatibly with the work shifts in the department, given the availability of the aforementioned Director of the UOC to personally replace the complainant, given the short notice with which the absence from service was communicated".

3. Outcome of the preliminary investigation.

According to data protection regulations, public entities may process personal data if the processing is necessary, in particular, "to fulfill a legal obligation to which the data controller is subject" or "for the performance of a task of public interest or connected to the exercise of public powers vested in the data controller" (art. 6, par. 1, letters c) and e) of the Regulation; see also art. 2-ter of the Code).

The employer, in any case, may process the workers' personal data, including those relating to particular categories of data (see art. 9, par. 1, of the Regulation), if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks deriving from sector regulations (articles 6, par. 1, letter c), 9, pars. 2, letter b), and 4, and 88 of the Regulation).

The data controller is, in any case, required to respect the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "minimization", according to which personal data must be "processed in a lawful, correct and transparent manner towards the interested party" and "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (art. 5, par. 1, letters a) and c), of the Regulation).

Having said this, it is noted that, as emerges from the complaint and the documentation attached to it, with an email dated XX, sent to her hierarchical superior, namely the Director of the U.O.C. to which she belongs, the complainant informed him of her health condition, which was incompatible with carrying out work on the shift scheduled for the following day, so that "other solutions could be found for [her] replacement".

On the same date, the aforementioned Director of the U.O.C., in responding to this message from the complainant, the text of which was reported in full, also copied the then General Director of the Company for information, giving him his availability to carry out the shift and asking the complainant "in the interest of good performance to produce medical certification according to the established methods". The forwarding by the Director of the U.O.C. of the interested party's message in the manner indicated above has, therefore, made the General Director aware of the reasons given by the complainant to justify her unavailability to cover her work shift and, in particular, of her state of health and the details relating to the symptoms suffered.

As a preliminary matter, it must be remembered that, within the regulatory framework of the Regulation and according to the constant orientation of the Guarantor, the notion of personal data relating to health "can also include information relating to absence from service due to illness, regardless of whether the diagnosis is explicitly indicated at the same time” (see provisions of 23 March 2023, n. 84, web doc. n. 9888113; 15 December 2022, n. 420, web doc. n. 9853429; 25 February 2021, n. 68, web doc. no. 9567429; 7 July 2004, web doc. no. 1068917 8 of the "Guidelines on the processing of personal data of workers for the purposes of managing the employment relationship in the public sector", adopted under the previous regulatory framework on data protection with provision dated 14 June 2007, no. 23, web document no. 1417809).

This is in accordance with the consolidated orientation of the Court of Justice of the European Union, according to which "it is necessary to give the expression "data relating to health" [...] a broad interpretation such as to include information concerning all aspects, both physical and psychological, of a person's health", as the Court also referred to this notion the information relating to a person who had "injured his foot and [was] on partial sick leave" (judgment C-101/01, Lindqvist, 6 November 2003, paras. 13 and 50). A broad interpretation of the notions of "special categories of personal data" and "sensitive data" is, in fact, "supported by the objective of Directive 95/46 and the [Regulation] [...], consisting in guaranteeing a high degree of protection of the fundamental rights and freedoms of natural persons, in particular of their private lives, with regard to the processing of personal data concerning them" (judgment C-184/20, Vyriausioji tarnybinės etikos komisija, of 1 August 2022, par. 125), considering that the processing of these particular categories of data "may constitute a particularly serious interference with the fundamental rights to respect for private life and the protection of personal data, guaranteed by articles 7 and 8 of the Charter of Fundamental Rights" (judgment C-667/21, Krankenversicherung Nordrhein, of 21 December 2023, par. 51 of the Regulation, according to which "personal data which, by their nature, are particularly sensitive from the standpoint of fundamental rights and freedoms, since the context of their processing could create significant risks for fundamental rights and freedoms").

Even in the national legal system, the case law of the Court of Cassation has stated that "it cannot be doubted that an absence from work "due to illness" constitutes personal data "relating to the health" of the subject to whom the information refers" (Cass. civ., section I, 8 August 2013, where it is stated that "the simple reference to an absence from work "due to illness" constitutes personal data "relating to the health" of the subject to whom the information refers").

This implies that, contrary to what the Company claims in its defense briefs, the information relating to the symptoms affecting the complainant must also be considered as personal data relating to the state of health, despite the fact that she had not indicated the specific pathology causing the symptoms in question.

From another perspective, it must be noted that, since 2007, in adopting the aforementioned "Guidelines on the processing of workers' personal data for the purposes of managing the employment relationship in the public sector", the principles of which are still to be considered valid, the Guarantor, recalling the specific applicable sector legislation, clarified that the employer can lawfully process the personal data relating to the absence of employees due to illness only for the purposes and under the conditions provided for by law, without, however, being able to learn the diagnosis or, more generally, detailed information on their state of health (see, in particular, paragraph 8.2, where it is highlighted that "with regard to the processing of data suitable for revealing the state of health, the legislation on the employment relationship and the provisions contained in collective agreements can justify the processing of data relating [...] to absence from work due to illness", without prejudice to the fact that the employer must limit himself to receiving the "specific documentation justifying the absence, consisting of a medical certificate containing only the indication of the onset and presumed duration of the illness: so-called "prognosis" [...]", not being "legitimated to collect medical certifications also containing the indication of the diagnosis").

Art. 55-septies, paragraph 2, of Legislative Decree 30 March 2001, n. 165, in fact, provides that, in all cases of absence due to illness, the medical certification is sent electronically - directly by the doctor or the health facility that issues it - to the National Social Security Institute, according to the methods established for the electronic transmission of medical certificates in the private sector by current legislation (see Prime Ministerial Decree referred to in art. 50, paragraph 5-bis, of legislative decree no. 269 of 30 September 2003, converted, with amendments, by law no. 326 of 24 November 2003, introduced by art. 1, co. 810, of the aforementioned certification. administration concerned, as employer.

In the aforementioned Guidelines it was also clarified that even "if the worker produces medical documentation also indicating the diagnosis together with that of the prognosis, the administration (except for special cases possibly provided for in the terms indicated above) must abstain from further using such information (art. 11, paragraph 2, of the Code [, in the text currently in force,]) also inviting personnel not to produce others with the same characteristics" (see art. 2-decies of the Code, in the text currently in force). This principle was lastly reiterated by the Guarantor in FAQ no. 12 regarding "Data processing in the school context in the context of the health emergency" (on www.gpdp.it).

In this framework, in the absence of express regulatory provisions, the employer is therefore not allowed to collect, directly from interested parties or from other sources, personal data relating to the worker's state of health. If, as in the present case, such information has nevertheless become known to the employer, the latter must refrain from using it or circulating it in the working environment.

In the case subject to the complaint, the interested party had spontaneously communicated detailed information relating to her state of health to her hierarchical superior, in order to represent her inability to carry out her work. The latter should therefore have refrained from further using such information, inviting the worker to communicate the absence due to illness to the Administration according to the specific procedures established by law, which, as highlighted above, only provide for the transmission to the employer of documentation certifying only the prognosis.

The Director of the U.O.C., instead, forwarded the complainant's message in full, bringing to the attention of the then General Director of the Company all the information contained therein, including the symptoms suffered by the interested party.

In this regard, it must be noted that the legitimate need to quickly organize work shifts in certain contexts, as in the case of hospital shifts for healthcare personnel, cannot justify the circulation of detailed information relating to the specific symptoms suffered by workers, as the same purpose may be pursued using only the necessary information, namely by referring to the mere absence from service of the workers concerned.

In the present case, an e-mail message was forwarded - a form of correspondence generally assisted by guarantees of secrecy that are also constitutionally protected (articles 2 and 15 of the Constitution) - which the interested party, regardless of the formal obligations of communication to the employer that fall on the worker in the event of absence due to illness, had "considered it appropriate" to write to her superior to promptly inform him of her "unavailability to work for [the following day] so that [he could] find other solutions for [her] replacement.” In this context, the personal nature of the message is evident not only from the confidential register used, but also from the fact that this message contained detailed information, not even owed to the employer, regarding the specific symptoms suffered (see the email sent by the complainant to the then General Director, following the facts which are the subject of the complaint, in the documents, to complain "that in the [...] email [she had] also indicated the pathology from which she was afflicted and therefore the communication could only be considered by the [recipient] as absolutely confidential").

The forwarding of the full text of this message to the then General Director of the Company, in addition to having compromised the legitimate expectation of confidentiality of the communication addressed to the colleague, was not, in any case, necessary in order to allow the administration to take all the initiatives needed to reschedule work shifts. Pending the completion of the formalities required by law for the complainant's communication of the absence due to illness, through her general practitioner, it would have been, in fact, completely sufficient to inform the competent company functions regarding the absence of the complainant, without specifying the reason for the same, thus avoiding the undue and unnecessary circulation of information relating to her state of health.

In light of all the preceding considerations, it must be concluded that the forwarding in full to the then General Director of the Company, by the hierarchical superior of the complainant, of an email message from the latter, containing information relating to her own state of health, cannot be considered processing necessary for the purposes of managing and organizing work, and is in conflict with articles 5, par. 1, letter a), 6 and 9 of the Regulation, as well as art. 2-ter of the Code.

4. Conclusions.

In light of the assessments mentioned above, it is noted that the declarations made by the data controller during the investigation - for the truthfulness of which one may be called upon to answer pursuant to art. 168 of the Code - although worthy of consideration, do not allow us to overcome the findings notified by the Office with the act initiating the proceeding and are insufficient to allow the dismissal of this proceeding, as, moreover, none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.

Therefore, the preliminary assessments of the Office are confirmed and the illicit nature of the processing of personal data carried out by the Company is noted, for having carried out processing operations on personal data, including data relating to the state of health, which are not necessary for the purposes of management and organization of work, in violation of articles 5, par. 1, letter a), 6 and 9 of the Regulation, as well as 2-ter of the Code.

Having said this, it is necessary, however, to take into consideration certain elements, including contextual ones, which emerged during the investigation, which are indispensable for the purposes of concretely evaluating the extent of the violations found and the harmfulness of the overall conduct (see cons. 148 of the Regulation).

In particular, taking into account that:

the violation, in this case, concerned the personal data relating to a single interested party (see art. 83, par. 2, letter a), of the Regulation);

the violation is negligent, given that, according to what was declared by the Company, the Director of the U.O.C. acted in conditions of urgency and with the aim of promptly informing the administrative top management of the Company regarding the subsequent absence of the complainant and the need to reorganize the work shifts (see art. 83, par. 2, letter b), of the Regulation);

there are no previous relevant violations, with respect to the context subject to the complaint, committed by the Company (art. 83, par. 2, letter e), of the Regulation);

the Company offered a good level of cooperation with the Authority during the investigation (art. 83, par. 2, letter f), of the Regulation);

the circumstances of the specific case lead to classifying it as a "minor violation", pursuant to cons. 148 of the Regulation and the “Guidelines regarding the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) no. 2016/679”, adopted by the Art. 29 Working Group on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with “Endorsement 1/2018” of 25 May 2018 (see, in a similar sense, provision of 17 May 2023, n. 194).

In light of all of the above and the overall terms of the matter in question, it is therefore considered sufficient to reprimand the Company for the violation of the aforementioned provisions, pursuant to art. 58, par. 2, letter b), of the Regulation (see also cons. 148 of the Regulation).

Considering that the conduct has now exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

HAVING CONSIDERED ALL THIS, THE GUARANTOR

a) declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing of personal data carried out by the San Giovanni – Addolorata Hospital Complex, in the person of the legal representative pro tempore, with registered office in Via dell'Amba Aradam, 9 - 00184 Rome, C.F. 04735061006, for violation of articles 5, par. 1, letter a), 6 and 9 of the Regulation, as well as 2-ter of the Code, in the terms set out in the reasoning;

b) pursuant to art. 58, par. 2, letter b), of the Regulation, reprimands the Azienda Ospedaliera Complesso Ospedaliero San Giovanni – Addolorata, as data controller of the processing in question, for having violated articles 5, par. 1, letter a), 6 and 9 of the Regulation, as well as 2-ter of the Code, as described above;

c) believes that the conditions set out in the art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 9 May 2024

PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE GENERAL SECRETARY
Mattei

[doc. web no. 10025870]

Provision of 9 May 2024

Register of measures
n. 270 of 9 May 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC" (hereinafter the “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette n. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

Having seen the documentation on file;

Having seen the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker Dr. Agostino Ghiglia;

PREMISE

1. Introduction.

With a complaint presented pursuant to art. 77 of the Regulation, Dr. xx, an employee of the San Giovanni – Addolorata Hospital Complex (hereinafter, the "Company"), complained that on XX she had sent an email - containing her personal data, including data relating to her state of health, having indicated the symptoms suffered - to one of her hierarchical superiors and that the latter had responded to this e-mail by including among the recipients the then General Director of the Company, who, in the complainant's opinion, should not have become aware of the personal data in question.

2. The preliminary investigation activity.

In response to a request for information from the Guarantor (see note prot. n. XX of XX), the Company, with note dated XX (prot. n. XX), declared, in particular, that:

“no processing activity with knowledge by external third parties, neither in the form of communication, nor even of disclosure [...] took place in this case: indeed, the response communication from the Director of the U.O.C. - which the electronic system places, as is known, together with the original letter to which a reply is given - has been sent for information only to the General Director, who is [...] the owner of the processing of personal data. Therefore, no personal data was intended for the knowledge of subjects other than the owner [...], while the knowledge by the Director of the U.O.C. was determined by the spontaneous display of the interested party";

"even [the] complainant's communication did not at all contain the description of a medical diagnosis and, therefore, the statement of personal data relating to the clinical qualification of her own pathological condition, but only the description of a physical effect alleged as an impediment to the work performance, i.e. intense cervical and brachial pain, without any identification, statement or display, therefore, of diagnostic data relating to the health condition of the interested party";

"the communication of the interested party's absence and the consequent prospect of covering the shift through replacement by the Director of the U.O.C. were duly communicated and shared with [the] General Director, as the legal representative of the employing company - of the referring person and of the interested party -, responsible for the management activities of the [employment] relationship [...], and as the apical person in charge of the organization - also for the guarantee of efficiency of the public health service [...] and, therefore, the necessary knowledge of the reasons and the possible duration of the impediment and of the proposed solution, both for the purposes of the screening and possible refusal of approval regarding the methods of covering the shift for which the interested party declared herself unable, and in relation to any assessment of responsibility by the Director of the U.O.C. for the case in which the alternative methods of organizing the service had caused any diversion or impairment of the full functionality, efficiency and sustainability of the service itself, particularly and especially in terms of speed of interventions and timeliness of diagnostic responses for users and for internal medical commissions”;

“[...] the need for full and immediate knowledge of the matter on the part of the Director General was even more evident due to the prospect of the Director of the U.O.C carrying out the shift. […]”;

“nor, moreover, in the necessary internal communication relationship with the General Management, the Director of the U.O.C. had another means at its disposal, other than the participation of letters of interlocution with the interested party, in order to immediately and promptly document the reason, possible duration and method of the temporary reorganization of the service [...]";

"no other internal communication method, alternative to the one used, was practicable, given that the medical certificate was provided by the complainant, by her own representation and moreover legitimately, during the day of the shift for which it was requested his replacement and, therefore, at a time subsequent to that in which the timely internal communication of the Unit manager to the General Management was required and was actually carried out".

With note dated XX (prot. n. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, for having processed the personal data of the complainant, including data relating to the state of health, in a manner that does not comply with the principle of "lawfulness, correctness and transparency" and in the absence of a legal basis, in violation of articles 5, par. 1, letter a), 6 and 9 of the Regulation, as well as 2-ter of the Code.

With the same note, the aforementioned data controller was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of law 24 November 1981, n. 689).

With note dated XX (prot. n. XX), the Company presented a defense statement, declaring, in particular, that:

“the response communication from the Director of the U.O.C. [...] was sent for information to the General Director, who is [...] [the] data controller [...] Therefore, there was no information intended for subjects other than the data controller";

“[…] the transfer of the data, in particular through communication or transmission, to the availability of the data controller, by anyone who has been made aware of it by mistake or excessive detail by the interested party, does not constitute illicit processing”;

“relevant case, for the purposes of applying the regulations on the processing of personal data and, a fortiori, of the sanctioning system, is the communication to a person other than the data controller”;

"furthermore and consistently, the person who, within the team in which the data controller operates, has been the recipient of the communication from the interested party of a piece of information containing personal data and directed, as in this case, to said team, obligatorily and appropriately transfers its availability to the data controller, precisely to allow the latter to carry out the decisions he is responsible for regarding the qualification of the personal data and to manage it, excluding its knowledge and circulation among subjects who are not authorized to take account of it";

"the Director of the U.O.C. could not and should not have acted differently [...] [since the] determination [regarding the processing is] reserved to the data controller";

“[...] nor can it plausibly be considered [...] that the communication from the interested party to the manager of the Operational Unit was a confidential letter. The interested party's communication was intended ex professo to provoke and allow the functional fulfillment of the reorganization of the department's activity, so that she had no interest nor did she express any intent so that the news of her impediment was kept confidential (with respect to the knowledge of the data controller) and, indeed, communicated it precisely so that he could be replaced in service: replacement which, as is known, is the responsibility of the manager of the organizing department and the company management to authorise, with regards to the obligations relating to the execution of the relationship of service";

"there is no doubt that the manager did not receive the amicus communication, but that the communication was instead intended for corporate articulation";

"in particular, the fact that the communication from the interested party professes to be carried out "in the interest of the service" and "so that you can find other solutions for my replacement" makes it completely clear, from the perspective of serious reasonableness, that this is of a service communication and certainly not of a confidential message";

in any case in the email in question "there is no information reported that could lead to the inference of a precise pathology or even a state of illness, but the summary and fleeting description of a completely non-specific and ambiguous symptom, unsuitable for representing a subjective condition specific, appreciably durable and characterizing”;

“it is not so much the fact that the communication did not contain a diagnosis that matters, but rather the fact that the idea of a specific pathology concerning the interested party could not even be drawn from it”;

“the news concerns the observation of a soreness, from which it is certainly not possible to infer the existence of any state of illness, nor of any symptoms indicative in this sense”;

"the news of an algic state does not constitute ex se even abstract news of an illness or of a specific subjective condition which concerns the way of being of the person concerned and which is therefore configured as personal data and, much less, as sensitive data”;

"the authorization of substitutive obligations for an imminent activity (i.e. for an incipient shift a few hours after the communication of the interested party) and of significant impact on the user - being the continuous preparation of the aforementioned radiological service - already in itself, could not fail to involve the Director General's own scrutiny”;

it was in fact "necessary for the General Management to express, if necessary, its possible exceptions regarding the compatibility of the replacement task with the general organizational and management needs and with the numerous and demanding tasks entrusted in this case, with particular regard to the period in question and the organization of the activity and radioprotection devices, to the Director of the U.O.C.”;

"obviously, the General Director's determination, in addition to being necessary, also had to be taken in a short time [...] The promptness of the decision and the aspects involved, as well as the always pre-eminent need to guarantee users the fullness, timeliness and the highest quality level of the health service, certainly did not allow the involvement of the General Director to take place only following the transmission of the medical certification by the interested party and within the times allowed, as is known, by the labor regulations";

“the Director of the U.O.C. would not have had the opportunity to report and document the urgent organizational need to the General Management with the due and necessary timeliness [...] Nor would the simple report to the Director regarding the impediment of the interested party have been useful (as paradoxically seems to be assumed in the violation notification): firstly, there was no documentation regarding the current need to provide the service as a substitute; furthermore, mere unsubstantiated information would not have been sufficient to allow appreciation of the reasons, consistency and duration of the need for replacement reorganization to be approved".

During the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on XX (see minutes prot. n. XX of XX), the Company declared, in particular, that:

“the UOC in which the facts which are the subject of the complaint occurred is a structure of significant size and which carries out multiple activities characterized by high complexity”;

"in this context, the Director of the UOC - from whom the Director General had asked for extraordinary support for the preparation of the documentation and activities necessary to carry out the delegation assigned to him in the field of radiation protection, given the shortcomings that emerged in the previous management of the Health Physics - decided to promptly inform the Director General of the sudden absence of the complainant, to deal with the urgent need to plan and organize these activities, compatibly with the work shifts in the department, given the availability of the aforementioned Director of the UOC to personally replace the complainant, given the short notice with which the absence from service was communicated".

3. Outcome of the preliminary investigation.

According to data protection regulations, public entities may process personal data if the processing is necessary, in particular, "to fulfill a legal obligation to which the data controller is subject" or "for the performance of a task in the public interest or connected to the exercise of public powers vested in the data controller" (art. 6, par. 1, letters c) and e) of the Regulation; see also art. 2-ter of the Code).

The employer, in any case, may process the workers' personal data, including those belonging to particular categories of data (see art. 9, par. 1, of the Regulation), if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks deriving from sector regulations (articles 6, par. 1, letter c), 9, par. 2, letter b), and par. 4, and 88 of the Regulation).

The data controller is, in any case, required to respect the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "minimization", according to which personal data must be "processed in a lawful, correct and transparent manner towards the interested party" and "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (art. 5, par. 1, letters a) and c), of the Regulation).

Having said this, it is noted that, as emerges from the complaint and the documentation attached to it, with an email dated XX, sent to her hierarchical superior, namely the Director of the U.O.C. to which she belongs, the complainant informed him of her health condition, which was incompatible with carrying out work on the shift scheduled for the following day, so that "other solutions could be found for [her] replacement".

On the same date, the aforementioned Director of the U.O.C., in responding to this message from the complainant, the text of which was reproduced in full, also copied in the then General Director of the Company for information, stating his own availability to carry out the shift and asking the complainant "in the interest of good performance to produce medical certification according to the established methods". The forwarding by the Director of the U.O.C. of the interested party's message in the manner indicated above therefore made the General Director aware of the reasons given by the complainant to justify her unavailability to cover her work shift and, in particular, of her state of health and the details relating to the symptoms suffered.

As a preliminary matter, it must be remembered that, within the regulatory framework of the Regulation and according to the constant orientation of the Guarantor, the notion of personal data relating to health "can also include information relating to absence from service due to illness, regardless of whether the diagnosis is also explicitly indicated” (see provisions of 23 March 2023, n. 84, web doc. n. 9888113; 15 December 2022, n. 420, web doc. n. 9853429; 25 February 2021, n. 68, web doc. no. 9567429; 7 July 2004, web doc. no. 1068917 8 of the "Guidelines on the processing of personal data of workers for the purposes of managing the employment relationship in the public sector", adopted under the previous regulatory framework on data protection with provision dated 14 June 2007, no. 23, web document no. 1417809).

This is in accordance with the consolidated orientation of the Court of Justice of the European Union, according to which "it is necessary to give the expression "data relating to health" [...] a broad interpretation such as to include information concerning all aspects, both physical and psychological, of a person's health", as the Court also applied this notion to the information relating to a person who had "injured his foot and [was] on partial sick leave" (judgment C-101/01, Lindqvist, 6 November 2003, paras. 13 and 50). A broad interpretation of the notions of "special categories of personal data" and "sensitive data" is, in fact, "supported by the objective of Directive 95/46 and the [Regulation] [...], consisting in guaranteeing a high degree of protection of the fundamental rights and freedoms of natural persons, in particular of their private lives, with regard to the processing of personal data concerning them" (judgment C-184/20, Vyriausioji tarnybinės etikos komisija, of 1 August 2022, par. 125), considering that the processing of these particular categories of data "may constitute a particularly serious interference with the fundamental rights to respect for private life and the protection of personal data, guaranteed by articles 7 and 8 of the Charter of Fundamental Rights" (judgment C-667/21, Krankenversicherung Nordrhein, of 21 December 2023, par. 51 of the Regulation, according to which "personal data which, by their nature, are particularly sensitive from the standpoint of fundamental rights and freedoms, since the context of their processing could create significant risks for fundamental rights and freedoms").

Even in the national legal system, the case law of the Court of Cassation has stated that "it cannot be doubted that an absence from work "due to illness" constitutes personal data "relating to the health" of the subject to whom the information refers" (Cass. civ., section I, 8 August 2013, where it is stated that "the simple reference to an absence from work "due to illness" constitutes personal data "relating to the health" of the subject to whom the information refers").

This implies that, contrary to what the Company claims in its defense briefs, the information relating to the symptoms affecting the complainant must also be considered as personal data relating to the state of health, despite the fact that she had not indicated the specific pathology causing the symptoms in question.

From another perspective, it must be noted that, since 2007, in adopting the aforementioned "Guidelines on the processing of workers' personal data for the purposes of managing the employment relationship in the public sector", the principles of which are still to be considered valid, the Guarantor, recalling the specific applicable sector legislation, clarified that the employer can lawfully process the personal data relating to the absence of employees due to illness only for the purposes and under the conditions provided for by law, without, however, being able to learn of the diagnosis or, more generally, of detailed information on their state of health (see, in particular, paragraph 8.2, where it is highlighted that "with regard to the processing of data suitable for revealing the state of health, the legislation on the employment relationship and the provisions contained in collective agreements can justify the processing of data relating [...] to absence from work due to illness", without prejudice to the fact that the employer must limit himself to receiving the "specific documentation justifying the absence, consisting of a medical certificate containing only the indication of the onset and presumed duration of the illness: so-called "prognosis" [...]", not being "legitimated to collect medical certifications also containing the indication of the diagnosis").

Art. 55-septies, paragraph 2, of Legislative Decree 30 March 2001, n. 165, in fact, provides that, in all cases of absence due to illness, the medical certification is sent electronically - directly by the doctor or the health facility that issues it - to the National Social Security Institute, according to the methods established for the electronic transmission of medical certificates in the private sector by current legislation (see Prime Ministerial Decree referred to in art. 50, paragraph 5-bis, of legislative decree no. 269 of 30 September 2003, converted, with amendments, by law no. 326 of 24 November 2003, introduced by art. 1, co. 810, of the aforementioned certification. administration concerned, as employer.

In the aforementioned Guidelines it was also clarified that even "if the worker produces medical documentation also indicating the diagnosis together with that of the prognosis, the administration (except for special cases possibly provided for in the terms indicated above) must abstain from further using such information (art. 11, paragraph 2, of the Code [, in the text currently in force,]) also inviting personnel not to produce others with the same characteristics" (see art. 2-decies of the Code, in the text currently in force). This principle was most recently reiterated by the Guarantor in FAQ no. 12 regarding "Data processing in the school context in the context of the health emergency" (on www.gpdp.it).

In this framework, in the absence of express regulatory provisions, the employer is therefore not allowed to collect, directly from interested parties or from other sources, personal data relating to the worker's state of health. If, as in the present case, such information has nevertheless become known to the employer, the latter must refrain from using it or circulating it in the working environment.

In the case subject to the complaint, the interested party had spontaneously communicated detailed information relating to her state of health to her hierarchical superior, in order to represent her inability to carry out her work. The latter should therefore have refrained from further using such information, inviting the worker to communicate the absence due to illness to the Administration according to the specific procedures established by law, which, as highlighted above, only provide for the transmission to the employer of documentation certifying only the prognosis.

The Director of the U.O.C. instead forwarded the complainant's message in full, bringing to the attention of the then General Director of the Company all the information contained therein, including the symptoms suffered by the interested party.

In this regard, it must be noted that the legitimate need to quickly organize work shifts in certain contexts, as in the case of hospital shifts for healthcare personnel, cannot justify the circulation of detailed information relating to the specific symptoms suffered by workers, as the same purpose may be pursued using only the necessary information, that is, by referring to the mere absence from service of the workers concerned.

In the present case, an e-mail message was forwarded - a form of correspondence generally assisted by guarantees of secrecy that are also constitutionally protected (articles 2 and 15 of the Constitution) - which the interested party, regardless of the formal obligations of communication to the employer that fall on the worker in the event of absence due to illness, had "considered it appropriate" to write to her superior to promptly inform him of her "unavailability to work for [the following day] so that [he could] find other solutions for [her] replacement.” In this context, the personal nature of the message is evident not only from the confidential register used, but also from the fact that this message contained detailed information, not even owed to the employer, regarding the specific symptomatology suffered (see the email sent by the complainant to the then General Director, following the facts complained of, on file, to complain "that in the [...] email [she had] also indicated the pathology from which she was afflicted and therefore the communication could only be considered by the [recipient] as absolutely confidential").

The forwarding of the full text of this message to the then General Director of the Company, in addition to having compromised the legitimate expectation of confidentiality of the communication addressed to the colleague, was not, in any event, necessary in order to allow the administration to take all the initiatives needed to reschedule work shifts. Pending the completion of the formalities required by law for the complainant's communication of the absence due to illness, through her general practitioner, it would in fact have been entirely sufficient to inform the competent company functions of the complainant's absence, without specifying the reason for it, thus avoiding the undue and unnecessary circulation of information relating to her state of health.

In light of all the preceding considerations, it must be concluded that the forwarding in full to the then General Director of the Company, by the hierarchical superior of the complainant, of an email message from the latter, containing information relating to her own state of health, cannot be considered processing necessary for the management and organization of work, and is in conflict with articles 5, par. 1, letter a), 6 and 9 of the Regulation, as well as 2-ter of the Code.

4. Conclusions.

In light of the assessments mentioned above, it is noted that the declarations made by the data controller during the investigation - for the truthfulness of which one may be called upon to answer pursuant to art. 168 of the Code - although worthy of consideration, do not allow the findings notified by the Office with the act initiating the proceeding to be overcome and are insufficient to allow the dismissal of this proceeding, since, moreover, none of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 applies.

Therefore, the preliminary assessments of the Office are confirmed and the unlawful nature of the processing of personal data carried out by the Company is noted, for having carried out processing operations on personal data, including data relating to the state of health, which are not necessary for the purposes of management and organization of work, in violation of articles 5, par. 1, letter a), 6 and 9 of the Regulation, as well as 2-ter of the Code.

Having said this, it is nevertheless necessary to take into consideration certain elements, including contextual ones, which emerged during the investigation and which are indispensable for concretely evaluating the extent of the violations found and the harmfulness of the overall conduct (see recital 148 of the Regulation).

In particular, taking into account that:

the violation, in this case, concerned the personal data relating to a single interested party (see art. 83, par. 2, letter a), of the Regulation);

the violation is negligent, given that, according to what was declared by the Company, the Director of the U.O.C. acted in conditions of urgency and with the aim of promptly informing the administrative top management of the Company regarding the subsequent absence of the complainant and the need to reorganize the work shifts (see art. 83, par. 2, letter b), of the Regulation);

there are no previous relevant violations, with respect to the context subject to the complaint, committed by the Company (art. 83, par. 2, letter e), of the Regulation);

the Company offered a good level of cooperation with the Authority during the investigation (art. 83, par. 2, letter f), of the Regulation);

the circumstances of the specific case lead to its classification as a "minor violation", pursuant to recital 148 of the Regulation and the "Guidelines regarding the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) no. 2016/679", adopted by the Art. 29 Working Group on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with "Endorsement 1/2018" of 25 May 2018 (see, in a similar sense, provision of 17 May 2023, no. 194).

In light of all of the above and the overall terms of the matter in question, it is therefore considered sufficient to warn the Company for the violation of the aforementioned provisions, pursuant to art. 58, par. 2, letter b), of the Regulation (see also recital 148 of the Regulation).

Considering that the conduct has now exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

IN LIGHT OF ALL THE ABOVE, THE GUARANTOR

a) declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing of personal data carried out by the San Giovanni – Addolorata Hospital Complex, in the person of the legal representative pro tempore, with registered office in Via dell'Amba Aradam, 9 - 00184 Rome, C.F. 04735061006, for violation of articles 5, par. 1, letter a), 6 and 9 of the Regulation, as well as 2-ter of the Code, in the terms set out in the reasoning;

b) pursuant to art. 58, par. 2, letter b), of the Regulation, warns the Azienda Ospedaliera Complesso Ospedaliero San Giovanni – Addolorata, as controller of the processing in question, for having violated articles 5, par. 1, letter a), 6 and 9 of the Regulation, as well as 2-ter of the Code, as described above;

c) believes that the conditions set out in the art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, this provision may be appealed before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 9 May 2024

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE GENERAL SECRETARY
Mattei