Garante per la protezione dei dati personali (Italy) - 10036837

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(d) GDPR
Article 12(3) GDPR
Article 16 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.05.2024
Published:
Fine: 4,500 EUR
Parties: Azienda Socio-sanitaria Territoriale Rhodense
National Case Number/Name: 10036837
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA fined a health authority €4,500 after it failed to act promptly on a rectification request that was submitted by email rather than through the platform designated for data subjects' requests.

English Summary

Facts

The data subject submitted a rectification request to the controller, a health authority, to have his address rectified, as he noticed that the digital health dossier was displaying a wrong address.

After waiting more than 150 days without the controller acting on his request, he filed a complaint with the DPA. He argued that the controller had not acted on his request without undue delay and in any event not within one month as provided for by Article 12(3) GDPR.

First of all, the controller argued that, in the meantime, it had rectified the inaccurate address.

Secondly, it pointed out that the delay was due to the fact that the data subject, instead of using the dedicated platform indicated in the privacy policy, had sent a certified email (Posta Elettronica Certificata – PEC).

Thirdly, it recalled that, according to point 54 of the EDPB Guidelines 01/2022 on data subject rights, the controller is not obliged to act on a request sent to a random or incorrect e-mail address not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests regarding data subjects' rights, if the controller has provided an appropriate communication channel that can be used by the data subject.

Holding

First of all, the DPA gave its interpretation of point 54 of the EDPB Guidelines 01/2022. It held that a “random or incorrect e-mail address” is not simply any other email address of the controller that was not specifically dedicated to receiving data subjects’ requests. On the contrary, the DPA recalled that point 53 of the same Guidelines foresees that if the data subject makes a request using a communication channel different from the one indicated as preferable – but nonetheless made public by the controller (such as an email address for legal communications) – the controller should still handle that request.

Applying these principles to the case at hand, the DPA held that the controller's PEC address cannot be regarded as a “random or incorrect e-mail address”. On the contrary, after receiving an email at that address, which is even used for legal communications, the controller should have made reasonable efforts to redirect it to the data protection officer and, therefore, to answer the request promptly.

Therefore, the DPA found a violation of Article 12(3) GDPR in combination with Article 16 GDPR.

Secondly, the DPA noted that the controller had processed inaccurate data. Therefore, it found a violation of Article 5(1)(d) GDPR.

On these grounds, the DPA issued a fine of €4,500.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10036837]

Provision of 23 May 2024

Register of measures
n. 305 of 23 May 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Mr. Guido Scorza, lawyer, members, and Mr. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and at www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation on file;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

RAPPORTEUR Guido Scorza, lawyer;

PREMISE

1. The complaint

With the complaint made on XX, Mr. XX complained to this Authority that he had exercised the right referred to in art. 16 of the Regulation against the Rhodense Territorial Social and Health Company, located in Garbagnate (Milan), Viale Forlanini – Fiscal Code: 09323530965 (hereinafter the “Company”), and that he had not received any response.

In particular, the complainant complained that: "on date XX, the undersigned sent, to the PEC address of the Rhodense territorial socio-health company, (...) a request for rectification of his personal data (specifically, the physical addresses of registered residence and medical home), which were erroneously registered in the regional health information system, as clearly appeared both from the consultation of the interested party's Electronic Health Record and from the data reported on the electronic prescriptions drawn up by the primary care doctor. More than 150 days after receipt, said request has not been processed, as the data reported in the electronic prescriptions drawn up by the GP still appear to be incorrect".

2. The preliminary investigation activity

Following this complaint, the Office, with note dated XX (prot. n. XX), addressed the Company inviting it to comply with the complainant's requests, and with note dated XX (prot. n. XX) the Company replied to the Office, representing, among other things, that:

- with reference to “the request for rectification pursuant to art. 16 of the GDPR. (the) Asst Rhodense notes that it has already taken steps, on date XX, to rectify, in a timely and exhaustive manner, the personal information of the complainant (...), a requirement communicated to the latter on the same date (...), together with the sending the receipt certifying the requested correction (…);

- "(...) the delay with which he proceeded to satisfy the request in question received from the (...) (complainant) on XX (...) is, in his opinion, to be attributed exclusively to the fact that the latter had improperly used the so-called certified email address. institutional of the Asst Rhodense (i.e.:protocol.generale@pec.asst-rhodense), in place of the specific (and easy) IT platform made available, for this purpose, starting from the 20th century, by the Asst Rhodense (and easily available on the relevant website, at the following link: https://www.asstrhodense.it/inew/nuovo-sito/home/scopio-territoriale/scelta-revoca.html) or, alternatively, in place of the email addresses electronic devices indicated at the aforementioned link on the company website (i.e.:celoca.revoca.vialavorotori@asst-rhodense.it;celta.revoca.passirana@asst-rhodense.it;celta.revoca.settimo@asst-rhodense.it), which , although expressly designated to only receive requests for appointments at the offices of the "choice and revocation" sector, they would, however, have been able to allow, as usual, prompt management of the request, by forwarding it to the subjects of competence";

- “(the) Asst Rhodense highlights that it has fully managed, in the entire year 2022, n. 7538 requests for changes in personal details, to which are added the n. 4378 received in the first half of 2023 alone".

3. Department assessments on the processing carried out and notification of the violation referred to in the art. 166, paragraph 5, of the Code

In relation to what was communicated by the Company, the Office, with act dated XX (prot. n. XX), initiated, pursuant to art. 166, paragraph 5, of the Code, the procedure for the adoption of the measures referred to in art. 58, par. 2 of the Regulation against the Company, inviting it to produce defensive writings or documents to the Guarantor, or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, law no. 689 of 24 November 1981). On the basis of what emerged, the Office considered that the Company had processed some personal data of the complainant (addresses of registered residence and medical domicile) in breach of the principle of accuracy and had not responded to the request to exercise the rights of the interested party, made on XX, within the terms set out in art. 12 of the Regulation. This, in violation, respectively, of art. 5, paragraph 1, letter d) of the Regulation, as well as of art. 12, in relation to art. 16, of the same Regulation.

With regard to this last profile of violation, the Company provided feedback to the complainant on XX, specifically following the submission of the complaint to the Authority by the interested party (XX) and prior to receiving the aforementioned invitation to comply with the requests of the complainant, sent by the Authority itself.

With PEC dated XX, the Company sent its defense briefs, in which, in particular, reiterating what was already represented in the aforementioned response provided dated XX, it also, among other things, declared that:

- “the delay in satisfying the request for rectification pursuant to art. 16 of the GDPR formulated by the complainant (...) is, in his opinion, to be attributed exclusively to the fact that the latter has improperly used the so-called email address. institutional of the ASST RHODENSE (i.e.: ufficio.generale@pec.asst-rhodense), (as well as in place of the channels indicated in the previously mentioned acknowledgment note of the XX, also) in place of the specific module responsible for the exercise of the rights referred to in Chapter III) of the GDPR, easily made available by ASST RHODENSE in the "Privacy" section of its website    (link: https://www.asst-rhodense.it/nuovo-sito/home/PRIVACY /documents/policyProcedure/Modulo%20 exercise%20diritti.pdf), then to be sent to the email address of the company Privacy Office (i.e.: privacy@asst-rhodense.it) or to that of the appointed Personal Data Protection Officer (i.e.: amministrazioneprotezionedati@asst-rhodense.it)”;

- “ASST RHODENSE therefore believes that it has adopted (and then easily made available to every interested party) a series of organizational measures (i.e.: ad hoc platform; no. 5 email addresses (i.e. : scuola.revoca.vialavorotori@asst-rhodense.it; scuola.revoca.passirana@asst-rhodense.it; scuolaprotezionedati@asst-rhodense.it; .it; specific form) that are adequate, reasonable, easy to use and available on the company website, in order to allow any interested party to exercise any right governed by Chapter III) of the GDPR".

- “Having read what has been observed by the Privacy Guarantor with specific regard to point 53) of Guidelines no. 1/2002 of the EDPB (...) ASST RHODENSE notes, however, that, in the following point 54) of the same Guidelines, the EDPB has provided a specific exemption, in favor of the Data Controller, in the event that the latter receives , as in the case in question, a request to exercise a right referred to in Chapter III) of the GDPR to an e-mail address clearly not intended to receive requests of this kind (official version in English: “It should be noted that the controller is not obliged to act on a request sent to a random or incorrect email (or postal) address, not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests regarding data subject's rights, if the controller has provided an appropriate communication channel, that can be used by the data subject”; unofficial translation into Italian: “It is specified that the data controller is not obliged to follow up on a request sent randomly or incorrect email (or postal) address, not provided directly by the owner, nor to any communication channel which is clearly not intended to receive requests relating to the rights of the interested party, if the data controller has provided an appropriate communication channel, which can be used by the interested party””.

4. Outcome of the preliminary investigation

Having taken note of what is represented by the Company in the documentation on file and in the defense briefs, and noting that the processing of personal data must take place in compliance with the applicable legislation on the protection of personal data and, in particular, with the provisions of the Regulation and the Code, the following is observed.

4.1 Failure to respond to the request to exercise the rights (art. 12 in relation to art. 16 of the Regulation)

In terms of information, communications and transparent methods for exercising the rights of the interested party, art. 12, par. 3 of the Regulation establishes that the data controller must respond to the interested party's request, made pursuant to Articles 15 to 22 of the Regulation, without undue delay and, in any case, at the latest within one month of receipt. This deadline may be extended by two months, if necessary, taking into account the complexity and number of requests, it being understood that the interested party must be informed of this extension and of the reasons for the delay within one month of receipt of the request.

If the data controller does not comply with the data subject's request, it must in any case inform the data subject without delay and, at the latest, within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a Supervisory Authority and of seeking a judicial remedy (recital 59 and art. 12, par. 4, of the Regulation).

In the document “Guidelines 01/2022 on data subject rights - Right of access, Version 2.0 adopted on 28 March 2023”, the European Data Protection Board provides guidance to data controllers regarding the exercise of the right of access referred to in art. 15 of the Regulation and identifies methods and forms for sending requests (see, with reference to the matter in question, in particular, the Executive Summary at the beginning of the document, as well as par. 3.1.2 “Form of the request”, points 52 to 56).

The controller, in the response sent to the Guarantor following the invitation to comply with the interested party's requests formulated by the Office, as well as in the defense statement, justified the failure to respond to the interested party's request within the terms set out in art. 12 of the Regulation on the basis that the interested party had "improperly used the so-called certified email address. institutional of the Asst Rhodense (i.e.:protocol.generale@pec.asst-rhodense)" without making use of the other communication channels provided for this purpose.

To this end, in the defense statement produced on XX, the controller, in support of this argument, also argued that what is indicated in point 54 of par. 3.1.2 “Form of the request” of the aforementioned Guidelines would constitute an exemption for the data controller, according to which “(…) the data controller is not obliged to follow up on a request sent to a random or incorrect email (or postal) address, not provided directly by the controller, nor to any communication channel that is clearly not intended to receive requests relating to the rights of the interested party, if the data controller has provided an appropriate communication channel, which can be used by the interested party” (unofficial translation).

In relation to this, it should be noted that, as indicated in the aforementioned Guidelines, a "random or incorrect" address does not mean any address other than the one designated for receiving requests to exercise the rights referred to in Articles 15 to 22 of the Regulation. The European Data Protection Board does not exclude, in fact, that, once the controller has indicated that address/channel as the preferable one for receiving such requests, other institutional addresses of the same controller may still constitute a valid channel, with the consequent obligation for the controller to handle the request, from which to "redirect" the request to the competent Office.

This can be deduced both from a systematic reading of what is generally expressed in paragraph 3.1.2 "Form of the request", points 52 to 56, of the above-mentioned Guidelines, and specifically from certain passages of those points.

In particular, for this purpose, reference is made not only to the passage of point 53, already cited by this Authority in the act initiating the procedure pursuant to art. 166 of the Code: “(…) if the data subject makes a request using a communication channel provided by the controller, which is different from the one indicated as the preferable one, such request shall be, in general, considered effective and the controller should handle such a request accordingly (…)”, and to the related explanatory note on what is meant by a communication channel/electronic address that remains valid even if not indicated as preferable (see note no. 28 relating to a passage of point 53: “This may include, for example, communication data of the controller provided in its communications addressed directly to data subjects or contact data provided by the controller publicly, such as in the controller's privacy policy or other mandatory legal notices of the controller (e.g. owner or business contact information on a website)”), but also to what is highlighted in example no. 8, following point 56, as well as in the introductory part of the cited Guidelines, entitled "Executive Summary".

In the latter, specifically in the paragraph “General considerations on the assessment of the data subject's request”, the European Data Protection Board maintains that “(…) the data subject is not required to use these specific channels and may instead send the request to an official contact point of the controller”; in this case “(…) the controller should make all reasonable efforts, to make its services aware of the request, which was made through the general e-mail, so that it can be redirected to the data protection contact point and answered within the time limits provided for by the GDPR. Moreover, the controller is not entitled to extend the period for responding to a request, merely because the data subject has sent a request to the controller's general e-mail address, not the controller's data protection contact point e-mail address” (see example no. 8, page 23 of the cited Guidelines).

In light of the above, it is held that the institutional certified email address of the Company, ufficio.generale@pec.asst-rhodense, used by the interested party to send the request in question, dated XX, although not coinciding with the one indicated by the Company for the presentation of requests to exercise the rights, cannot be considered a "random or incorrect" address in the sense understood by the European Data Protection Board in the above-mentioned Guidelines, but instead constitutes an address through which "the controller must make every reasonable effort to make its services aware of the request submitted via the general email, so that it can redirect it to the data protection contact point and respond within the deadlines established by the GDPR. Furthermore, the data controller does not have the right to extend the deadline for responding to a request, just because the interested party has sent a request to the general email address of the data controller (…)” (see example no. 8, page 23 of the aforementioned Guidelines).

Therefore, it appears that the health authority did not respond, within the terms established by art. 12 of the Regulation, to the request for rectification of personal data referred to in art. 16 of the same Regulation, submitted by the interested party on XX. Specifically, the Company replied on XX, that is, 156 days after the date of the interested party's request, following the submission of the complaint by the latter to the Guarantor (XX) and prior to receipt of the aforementioned invitation from the Authority to comply with the complainant's requests (note of XX - protocol no. XX).

4.2 Compliance with the principles applicable to processing and, in particular, with the principle of accuracy (art. 5, paragraph 1, letter d) of the Regulation)

The controller must process the data so that it is “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)” (art. 5, par. 1, letter d) of the Regulation).

With regard to the failure to respond to the request made by the interested party for a change in his personal data following the updating of the street names officially adopted by the Municipality of residence (XX), the Company, considering that the interested party had attached to his request the certificate of registry change adopted by that Municipality, should have updated the data in compliance with the principle of "accuracy" referred to in art. 5, par. 1, letter d), of the Regulation. The Company rectified the inaccurate data on XX, following the submission of the complaint to the Guarantor (XX) by the interested party and prior to receiving the aforementioned invitation from the Authority to comply with the complainant's requests (note of XX - protocol no. XX).

5. Conclusions.

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation, and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor", the elements provided by the data controller in the defense statement referred to above, although worthy of consideration, do not allow the findings notified by the Office with the aforementioned act initiating the procedure to be overcome, since, moreover, none of the cases provided for by art. 11 of the Guarantor's Regulation no. 1/2019 applies.

Therefore, with all the foregoing, in the state of the documents and declarations provided, in relation to the matter in question, it is ascertained that the Company, data controller:

- processed some personal data of the complainant (addresses of registered residence and medical domicile) in breach of the principle of accuracy, in violation of art. 5, paragraph 1, letter d) of the Regulation;

- did not respond to the request to exercise the rights of the interested party made on XX within the deadlines set out in art. 12 of the Regulation; this, in violation of art. 12, in relation to art. 16, of the same Regulation.

In this context, considering that the controller's conduct has exhausted its effects, since the Company replied 156 days after the date of the interested party's request and took steps to rectify the inaccurate data, the conditions for the adoption of measures of a prescriptive or injunctive nature referred to in art. 58, par. 2, of the Regulation are not met.

6. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; article 166, paragraph 7, of the Code).

The violation of art. 5, par. 1, letter d), and art. 12, in relation to art. 16, of the Regulation, caused by the conduct of the Company, is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 5, letters a) and b) of the Regulation and art. 166, paragraph 2, of the Code.

The Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this case, in relation to the conduct of the controller, considering that it involved related processing operations, it is deemed necessary to apply paragraph 3 of art. 83 of the Regulation, which provides that "If a controller [...] intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", so that the total amount of the sanction is calculated so as not to exceed the legal maximum provided for by the same art. 83, par. 5 (see also the European Data Protection Board document “Guidelines 04/2022 on the calculation of administrative fines under the GDPR”, Version 2.1 adopted on 24 May 2023). Consequently, the total amount of the fine is to be quantified up to 20,000,000 euros (so-called "static" statutory maximum).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in the art. 83, par. 1, of the Regulation.

As regards the assessment of the seriousness of the violation (art. 83, par. 2, letters a), b) and g) of the Regulation), it is held that the level of seriousness is to be considered low, as it was an isolated case without intent, and it is taken into account that the response sent on XX - that is, 156 days after the date of receipt of the request by the Company - was provided immediately following the submission of the complaint to the Guarantor by the interested party (XX) and prior to the invitation to comply with the complainant's requests formulated by the Authority (note of XX - protocol no. XX).

In relation to the evaluation of the additional elements provided for by the art. 83, par. 2 of the Regulation, as aggravating and mitigating circumstances, it is taken into account that:

- no measures regarding relevant violations have previously been adopted against the Company (art. 83, par. 2, letter e) of the Regulation);

- the Company has demonstrated a high degree of cooperation with the Authority in all phases of the procedure (art. 83, par. 2, letter f) of the Regulation);

- the Authority became aware of the case in question following a complaint lodged by the interested party (art. 83, par. 2, letter h) of the Regulation);

- the data controller specified that it found itself managing "(...) in the entire year 2022, n. 7538 requests for changes in personal details, to which are added the n. 4378 received only in the first half of 2023" (art. 83, par. 2, letter k) of the Regulation).

Based on the aforementioned elements, evaluated as a whole, it is considered necessary to determine the amount of the pecuniary sanction provided for by art. 83, par. 5 of the Regulation at 4,500.00 (four thousand five hundred) euros for the violation of art. 5, par. 1, letter d), and art. 12, in relation to art. 16, of the Regulation, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also held that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should be applied, in consideration of the fact that the violation concerns the rights of the interested parties.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor

ALL THIS CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Rhodense Territorial Social and Health Company, located in Garbagnate, Viale Forlanini – Fiscal Code: 09323530965, for the violation of art. 5, par. 1, letter d), and art. 12, in relation to art. 16, of the Regulation, within the terms set out in the reasoning;

ORDER

the aforementioned Company to pay the sum of 4,500.00 euros (four thousand five hundred/00) as a pecuniary administrative sanction, pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, for the violations indicated in this provision, according to the methods indicated in the annex, within 30 days of notification of this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ORDERS

to the aforementioned healthcare company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €4,500.00 (four thousand five hundred) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.

HAS

the publication in full of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code, and believes that the conditions set out in the art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor which requires annotation in the internal register of the Authority.

It is possible to lodge an appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad (art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree no. 150/2011).

Rome, 23 May 2024

PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE GENERAL SECRETARY
Mattei
