Garante per la protezione dei dati personali (Italy) - 10037439

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 9(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 23.05.2024
Published:
Fine: 8,400
Parties: Azienda Sanitaria Locale TO4
National Case Number/Name: 10037439
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA fined a health authority €8,400 after it disclosed the multiple sclerosis diagnosis of 45 patients to one another by sending them a single email with their addresses in the CC field instead of the BCC field.

English Summary

Facts

The controller, a health authority, sent an email to 45 data subjects containing instructions on how to obtain medications used to treat multiple sclerosis. The person sending the email put the recipients' addresses in the “cc” field instead of the “bcc” field, so that the data subjects' email addresses were disclosed to one another.

After receiving a report from one of the data subjects, the controller notified the data breach to the DPA under Article 33(1) GDPR.

The controller argued that the breach was due to human error and that it had repeatedly instructed its employees to use the “bcc” field when sending emails to multiple recipients.

Moreover, the controller pointed out that the number of data subjects concerned was low and that the breach lasted only a short time.

Holding

First, the DPA noted that an email address is personal data even where it does not contain the data subject's name and surname, since it still allows a natural person to be identified.

Secondly, the DPA pointed out that data relating to the administration of a medication is data concerning health under Article 9(1) GDPR, which requires higher protection since its processing entails a higher risk for the rights and freedoms of data subjects.

Thirdly, the DPA noted that using the “cc” field resulted in the unlawful disclosure of the names and health data of 45 patients.

Therefore, the DPA found a violation of Articles 5(1)(f) and 9 GDPR and issued a fine of €8,400.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10037439]

Provision of 23 May 2024

Register of measures
n. 306 of 23 May 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, secretary general;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, no. 196 containing the “Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING REGARD TO Legislative Decree 10 August 2018, no. 101 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/EC”;

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and on www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation on file;

HAVING REGARD TO the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Rapporteur Prof. Pasquale Stanzione;

PREMISE

1. Data breach notification

With notes dated XX and XX the Local Health Authority TO4, hereinafter "Company", notified a violation of personal data, pursuant to art. 33 of the Regulation, declaring, in particular, that "on date XX at 2.04 pm, the interested party (...) submitted a detailed complaint via email to the URP in which she represented having received on date XX, 10.32 am, from the secretariat of the neurology clinic an email (from the address ambulatoriosm.cirie@aslto4.piemonte.it) with the subject "therapeutic plan renewal method", sent to another 44 unencrypted email addresses and, after about half an hour, a second email rectifying the first one sent in the same way. She complained about the violation of her personal privacy. The URP, with an internal note via email at 2.35 pm, communicated the complaint to the director of SC Neurology and to the medical director of the Ciriè-Lanzo hospital. On 7/15, the S.C. Neurology, with a note signed by the director, communicated to the management the outcome of the first internal investigation, which showed that the event had occurred due to a human error on the part of the secretarial employee, who, mistakenly disregarding the instructions on data processing for the purpose of sending communications, sent a circular of instructions on the therapeutic plan (without specific indications) to 45 addresses of patients suffering from multiple sclerosis, entering the relevant addresses in the CC field in clear. Subsequently, on XX, at 4.24 pm, the medical director of Ciriè Lanzo sent the correspondence relating to the episode to the company privacy office, attaching the complaint and the two communications sent by the clinic. As soon as the investigation was completed, the privacy office provided the preliminary communication to the Guarantor Authority".

In the aforementioned notes, the Company has indicated, as technical and organizational measures present at the time of the violation, adopted to guarantee the security of the personal data involved, the "operating instructions on the use of electronic mail" and the "specific instructions on the processing of health data, present in the letter of authorization for data processing".

According to what was communicated by the Company, the data subject to the violation concerned "45 email addresses and, partially, approximately 45 personal details relating to the owners of these addresses; the nature of the communication allows us to deduce the status of a patient suffering from multiple sclerosis and/or demyelinating pathologies".

The Company also declared that, following the violation, a "verbal warning was issued to the operator who incorrectly sent the email" and listed as technical and organizational measures adopted (or proposed for adoption) "1 - Specific training for URP staff as the point of reception of user communications/complaints; 2 - Specific training of S.C. Neurology personnel as the unit affected by the data breach; 3 - Renewal of operational instructions to URP staff for internal communications (assignment by competence); 4 - Renewal of the specific instructions on the use of email for internal staff. 5 - Update of the manual on the use of IT tools".

2. Assessments of the Office on the processing carried out and notification of the violation referred to in art. 166, paragraph 5 of the Code

In relation to the facts described in the violation notification, the Office, with note dated XX (prot. no. XX), notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, inviting it to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981). This, as it was considered that the Company had communicated personal data and data relating to the health of 44 patients to as many patients, in the absence of a suitable legal basis and, therefore, in violation of the basic principles of processing referred to in Articles 5, 6 and 9 of the Regulation and art. 2-ter of the Code.

With a note dated XX, the Company sent its defense briefs, in which it highlighted, in particular, that:

- “the processing affected by the violation concerns the transmission of correspondence to support the Company's diagnosis and treatment activities; this processing is included in the processing of health data (i.e. suitable for revealing the data subject's state of health) (...)";

- “this processing takes place on the legal basis of the combined provisions of the following rules: art. 9, paragraph 2, letters g), h) and i) of EU Reg. no. 2016/679 (“GDPR”); art. 2-sexies, paragraph 2, letters t), u), v), cc), legislative decree 196/2003 and subsequent amendments (reasons of significant public interest relating to the case in question) (…)”;

- "the purpose of the data processing in question is therefore that of diagnosis, healthcare and treatment of the patient concerned and, related to it, administrative activities related to specialist care on an outpatient basis (...)";

- "for carrying out the administrative activity in question, consisting of the processing of correspondence, via email, aimed at correctly informing the neurological patient about the progress of treatment activities, the Company has provided training and information to the operators, and this even though the correct use of electronic mail is to be considered, in the current historical context, common knowledge for people of average education, like all other tools for carrying out correspondence";

- “the events reported with the notification of violation that gave rise to the procedure are rooted in the failure by the personnel in charge, due to a simple oversight, to apply the precautions normally used for letter communication. In fact, human error in the application of the procedure actually interfered with the communication activity, but certainly did not constitute its purpose";

- “the event was absolutely accidental in nature. The use of email constitutes (...) a normal procedure aimed at communicating with the patients of the S.C. Neurology. This sending is, as a rule, individual or - in the case of collective sending - characterized by the use of the "hidden carbon copy" (CCN) method in order to avoid the production of communications to erroneous recipients. The reason for the choice made in favor of electronic mail as a means of communication is dictated on the one hand by the widespread diffusion of this instrument, and on the other by the fact that this means, being essentially classified as "postal", is assisted by the guarantees provided by the current legislation”;

- "in relation to the seriousness of the violation, (...), while noting that the events discussed have a high theoretical risk, the impact, measured on table 1 of the ENISA WP2017 manual 0-2-2-5 (table of the severity due to the potential consequences for the interested party), applied to the concrete case showed that in fact the interested parties appear to have suffered consequences compatible with the "average" severity of the event ("Individuals may encounter significant inconveniences, which they will be able to overcome with some difficulties (extra costs, denial of access to professional services, fears, misunderstandings, stress, small physical inconveniences, etc.)"), reasonably attributable to the "fears" and "stress" categories";

- "these effects are also confirmed by the subsequent attitude of the complainant, who through her lawyer complained about the emergence of fears regarding the knowledge of the pathological state by third parties, knowledge partially heralding changes in the latter's attitude towards the complainant itself”;

- "the continuation of the correspondence with her lawyer also reiterated this circumstance, since even after some time there was no further allegation regarding hypotheses of damage, limiting itself to reiterating the presence of "frustration and psycho-emotional disturbance", all manifestations (net, however, of objective evidence which has not been offered so far) compatible with the (mentioned) etiological classification (...)";

- “the number of interested parties involved in the violation is equal to 44. The violation had an overall short duration; in fact, it is observed that the two mailings took place a few minutes apart from each other, so much so that both can be considered as the result of the same human error";

- “the violation was negligent in nature. The conduct appears to have been accidental, as per the admission of the operator involved during the disciplinary proceedings";

- "this Administration promptly notified the interested parties of the event as soon as it learned of it. The event itself (erroneous communication in plain text of a list of addresses connected to information regarding the status of recipient of a therapeutic plan) is not susceptible to mitigation in its effects, if not through the communication of the event itself to the interested parties, according to the provisions of art. 34 GDPR”;

- “the processing subject to the violation is characterized by an estimated “high” level of potential risk, as highlighted in the relevant processing sheet; however, it is operated entirely by personnel employed by the Company, personnel who are in any case required to comply with the Code of Conduct referred to in art. 54 of Legislative Decree 30 March 2001, no. 165, which the Company adopted with resolution no. 907 of 2018 (...), now updated with resolution no. 920 of 10/21/2022; said act, in art. 12 paragraph 6, clearly sets out the employee's obligation of confidentiality pursuant to art. 2105 of the civil code as an obligation to observe official secrecy and the legislation on the processing of personal data, actively working not to disclose information relating to office activities, and therefore also personal data, of any category, entrusted to them. The administrative staff assigned to the S.C. Neurology (…) through the Ciriè Hospital Medical Directorate also received training on the processing of personal data (….)”;

- "the processing in question is then assisted by the procedure referred to in (...) Company Regulations for the Use of IT Systems - resolution 3/07/2020 no. 713 (…). This document was under review at the time of the data breach event being investigated; however, already in the current edition, par. 8, "use of e-mail", states that "Wherever it is necessary to send documents containing sensitive data, the creation of a password-protected file is mandatory (in the case of multiple documents, create a compressed folder always protected by password). The password must be communicated with another tool (e.g. SMS, dictated on the telephone, etc.)”;

- "following the event in question, the Company has prepared the following further and additional organizational measures: a. Renewal of specific instructions on the use of email for internal staff; b. Specific training for URP staff as the point of reception of user communications/complaints; c. Specific training for S.C. Ciriè Neurology staff as the unit affected by the event; d. Renewal of operational instructions to URP staff for internal communications (assignment by competence); e. Update of the user manual of the IT tools";

- "in particular, the "user manual for IT tools", (...), currently being approved, now includes the following specific instruction: "The uncontrolled use of systems for propagating messages with broad and multiplied diffusion, which induce the recipient to produce multiple copies to send in turn to new recipients, must be avoided, as they limit the efficiency of the mail system. The use of the "BCC" recipient (blind carbon copy sending) is encouraged whenever it is necessary to privately inform a certain number of recipients of the contents of the email, preventing everyone from seeing the other recipients; this use is preferable in communications in which the same content must be sent to multiple recipients without the other recipients being aware of it. In this case, the BCC recipient at the time of reply will not send to all recipients but only to the sender";

- "since this is a largely manual operation, therefore dependent exclusively on the skill and diligence of the operator in carrying out his duties, the Company proceeded to open disciplinary proceedings against the author of the error, which ended with the imposition of contractual labor law sanction (…)”;

- "the Administration is also exploring the technical possibility of inserting a technical procedure on its e-mail/anti-spam system that facilitates the interception of multiple mailings with the aim of reducing human risk";

- “OMISSIS";

- "the communication of data such as the status of recipient of a therapeutic plan is understood as communication only in the circumstance in which such communication occurs for (...) the purpose identified by the Data Controller, and in this context is subject to specific procedure, designation, instruction and specific training of the subjects appointed pursuant to the art. 29 GDPR”;

- “the communication operation found its definition, in the previous regime, in the repealed art. 4, paragraph 1, letter l), of Legislative Decree no. 196/2003 (…). Currently, this definitional rule has ceased to exist, but the notion of communication has fallen within the processing operations referred to in art. 4, no. 2 GDPR, and this is because it is intended precisely as a processing operation, therefore as an activity knowingly implemented by the controller for a purpose. This distinction is essential to be able to distinguish communication as a processing operation (i.e. communication carried out with a purpose-driven logic by the Data Controller, who carries out the processing for a purpose - even regardless of the lawfulness of this -) from disclosure outside of the provision of the information and the reference legislation.

And in fact, this last event constitutes a violation of confidentiality (...), but it is still an event that did not fall within the purpose of the processing".

The healthcare company then set out its considerations on the qualification of the violation, believing it to be an unexpected and accidental disclosure of data relating to health resulting in a violation of confidentiality which did not fall within the purpose of the processing. The controller also highlighted that it believes "that an accidental violation of confidentiality" cannot "be reclassified as a processing operation (sub species, communication) without a legal basis; in fact, this evaluation would in itself entail an advance judgment regarding the existence of a processing purpose (which does not exist) not supported by a suitable legal basis, which would be equivalent to saying that it is possible to attribute to the offender his behavior in the absence of consciousness and will, or in the presence of a fact that interrupts the causal link (which is excluded pursuant to art. 3 L. 689/81)", underlining, in any case, that "the violation in question was reported by this Administration promptly pursuant to art. 33 and art. 34 GDPR; that measures have been introduced which are expected to further reduce the risk of a repetition of the event in the future, that the violation only affected a set of email addresses, and that only one of the interested parties complained of effects, which were apparently limited".

In the hearing held on the 20th, it was also declared that:

- "regarding the measures adopted following the violation, the current email service provider has been asked about the possibility of adopting an "alert" that warns the user that an email is being sent to people external to the organization, so as to intercept any improper use of the "c.c." field. Proof of this request and the related response was provided through the transmission, on XX, of a copy of the correspondence exchanged to the Authority (...). The Company declares its commitment to repeating the same request to the new email service provider who will be identified over the next year following a selective process";

- "a draft of a new regulation for the use of IT tools by Company employees is currently being viewed by the trade unions, which contains the specifications indicated in the memorandum for the use of the recipient in "c.c.n."; this regulation may be perfected and updated in view of the next change of supplier";

- "an update of training has been planned, also with regard to the critical profiles that determined the event, with particular reference to the use of e-mail, company devices and the Internet".
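The "alert" on external or multiple recipients that the Company describes in the hearing above is the kind of check a mail gateway can apply before a message leaves the organization. The following is an added example, not code from the decision or from the health authority: it parses an outgoing message, counts the recipients every other recipient can see (To and Cc) and flags the message when too many of them are external. The internal domain set, the threshold and the patient addresses are constructed assumptions; only the clinic mailbox address comes from the decision, and the check is assumed to run at submission time, while the Bcc header is still present.

```python
"""Outbound-mail check for the CC-instead-of-BCC failure mode described in
the decision: recipients listed in To/Cc can all see one another, so a large
group of external addresses in those fields discloses the whole recipient
list (here: a list of patients) to every recipient. Bcc recipients are not
visible to the others and are not counted against the limit.

Added example; the domain set, threshold and sample data are constructed."""
from email import message_from_string
from email.utils import getaddresses

# Constructed policy values: the organization's own domain (taken from the
# clinic mailbox address in the decision) and the number of visible external
# recipients above which a message is flagged.
INTERNAL_DOMAINS = {"aslto4.piemonte.it"}
MAX_VISIBLE_EXTERNAL = 5


def _addresses(msg, header):
    """Lower-cased addr-specs from every occurrence of a header (To, Cc, Bcc)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _is_external(addr, internal_domains):
    """True when the address's domain is not one of the organization's own."""
    return addr.rpartition("@")[2] not in internal_domains


def check_message(raw, internal_domains=INTERNAL_DOMAINS,
                  max_visible_external=MAX_VISIBLE_EXTERNAL):
    """Return a verdict dict for a raw RFC 5322 message (headers + body)."""
    msg = message_from_string(raw)
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    hidden = _addresses(msg, "Bcc")
    visible_external = sorted({a for a in visible if _is_external(a, internal_domains)})
    flagged = len(visible_external) > max_visible_external
    return {
        "visible": len(visible),
        "visible_external": len(visible_external),
        "hidden": len(hidden),
        "flagged": flagged,
        "advice": ("Move the external recipients to Bcc: every To/Cc recipient "
                   "can see all the others." if flagged else "ok"),
    }


def build_sample(n_patients, use_bcc):
    """Constructed sample: a circular from the clinic mailbox to n_patients
    recipients, either exposed in Cc (the incident) or hidden in Bcc (the fix).
    The patient addresses are invented; only the sender address is from the page."""
    sender = "ambulatoriosm.cirie@aslto4.piemonte.it"
    patients = [f"paziente{i:02d}@example.org" for i in range(1, n_patients + 1)]
    if use_bcc:
        # With Bcc the sender addresses the message to itself so To is not empty.
        to_field, other_field, others = sender, "Bcc", patients
    else:
        to_field, other_field, others = patients[0], "Cc", patients[1:]
    lines = [
        f"From: {sender}",
        f"To: {to_field}",
        f"{other_field}: " + ", ".join(others),
        "Subject: therapeutic plan renewal method",
        "",
        "Instructions for renewing the therapeutic plan follow.",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for use_bcc in (False, True):
        print("bcc" if use_bcc else "cc ", check_message(build_sample(45, use_bcc)))
```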

3. Outcome of the preliminary investigation

Having taken note of what was represented by the Company in the documentation on file and in the defense briefs, it is noted that:

1. e-mail addresses fall within the notion of personal data, even if they do not contain references to the name and surname or to other information directly identifying the interested parties; the circumstance whereby, from the context of the communication, it could be deduced that the recipients of the emails, sent by the secretariat of the neurology clinic and having as their subject the "therapeutic plan renewal methods", were patients being treated at the aforementioned clinic, meant that the processing described concerned health data, as it concerns information relating to health care services which reveals information on the state of health (art. 4, par. 1, no. 15 of the Regulation; on the traceability of the email address to the notion of personal data see, among others, the provision of 25 June 2002 and the provision of 24 June 2003, doc. web no. 1132562); such data deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (Recital 51);

2. the Code, in the version reformulated by Legislative Decree no. 101/2018, defines the communication of personal data as "giving knowledge of personal data to one or more specific subjects other than the interested party, the representative of the controller in the territory of the European Union, the processor or its representative in the territory of the European Union, or the persons authorized, pursuant to art. 2-quaterdecies, to process personal data under the direct authority of the controller or processor, in any form, including by making them available, consulting or interconnecting them" (art. 2-ter, paragraph 4, letter a));

3. the regulations on the protection of personal data provide - in the healthcare sector - that information on the state of health can be communicated only to the interested party and can be communicated to third parties only on the basis of a suitable legal basis (art. 9 of the Regulation and art. 84 of the Code in conjunction with art. 22, paragraph 11, legislative decree 10 August 2018, no.

4. the data controller is required to respect the principles of data protection, including that of "integrity and confidentiality", according to which personal data must be "processed in a manner that guarantees adequate security (...), including protection, through adequate technical and organizational measures, from unauthorized or illicit processing and from accidental loss, destruction or damage” (art. 5, par. 1, letter f) of the Regulation).

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation - and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor" - it is represented that the elements provided by the Company in the notification of violation, in the defense briefs and during the hearing do not allow the findings notified by the Office with the aforementioned act initiating the procedure to be overcome, nor, moreover, does any of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 apply.

As described above, the sending of the two communications, sent approximately half an hour apart from each other, coming from the secretariat of the neurology clinic and concerning the "therapeutic plan renewal methods", took place through a single email message addressed to multiple recipients, whose addresses had been entered in clear in the carbon copy (c.c.) field; this circumstance has, in fact, without justified reason and in the absence of a legal basis, mutually revealed to the recipients of the same communications the state of health of the other patients, giving rise to a communication of data on the health of the interested parties (to whom the email addresses belong), in violation of the basic principles set out in Articles 5, par. 1, letter f), and 9 of the Regulation.

On this point, the arguments put forward by the controller are not suitable to exclude its liability in relation to what is contested, since, with reference to the error allegedly made, twice, by the person authorized to carry out the processing operations in question, the condition that would allow the error to be regarded as unavoidable and blameless, i.e. one that could not have been avoided with ordinary diligence, is not met. In light of the consolidated jurisprudence of the Court of Cassation (Cass. no. 7885/2011, Cass. no. 16320/2010, Cass. no. 19759/2015, Cass. no. 33441/2019 and Cass. no. 17822/2021), for the purposes of applying the invoked art. 3 of law no. 689/1981 it is necessary that the good faith or the error be based on a positive element, extraneous to the agent and capable of inducing in him the belief in the lawfulness of his conduct (excusable error), and this positive element must be one that the agent could not have overcome with ordinary diligence. In this case, the operator could have diligently ascertained, through a more accurate check, the correctness of the operations carried out when sending the emails, thus avoiding communicating health data to unauthorized third parties.

For these reasons, the unlawful nature of the processing of personal data carried out by the Company is noted, in the terms set out in the reasoning.

In this framework, considering, in any case, that the conduct has exhausted its effects and that the Company has expressed its intention to implement the technical and organizational measures deemed necessary to avoid similar events in future and, in any case, to minimize human error, the conditions for the adoption of measures of a prescriptive or injunctive nature, referred to in art. 58, par. 2, of the Regulation, are not met.

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of Articles 5, par. 1, letter f) and 9 of the Regulation is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 5 of the Regulation.

Considering that the Guarantor, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in the art. 83, par. 1 of the Regulation, on the basis of the elements provided for by art. 83, par. 2, of the Regulation.

In light of the above and, in particular, the category of personal data affected by the violation, the number of interested parties (44) and the non-intentional nature of the violation, it is believed that the level of severity of the violation committed by the Company is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Furthermore, it is noted that the Company has already been the recipient of a provision adopted pursuant to art. 58 of the Regulation, which however concerned the activation of video surveillance systems in violation of art. 4 of law 20 May 1970, no. 300 (see provision of 5 March 2020, no. 53, web doc. no. 9433080). Therefore, that violation cannot be classified as a "previous relevant violation" pursuant to art. 83, par. 2, letter e) of the Regulation.

Having said this, having assessed the following elements as a whole and, in particular, that:

- the Guarantor became aware of the event following the notification of violation made by the Company, pursuant to art. 33 of the Regulation, as soon as it received a report to this effect (art. 83, par. 2, letter h) of the Regulation);

- the controller, in order to avoid a repetition of the event, is committed to implementing training for the operators authorized to process personal data and to designing "alert" procedures for the use of the "c.c." field of the email (art. 83, par. 2, letters c) and f) of the Regulation);

- the violation concerned a specific internal structure of the data controller and not its overall organization, and was caused by an error by an operator, who was in any case subjected to disciplinary proceedings (art. 83, par. 2, letter k) of the Regulation);

it is deemed necessary to determine the amount of the pecuniary sanction provided for by art. 83, par. 5 of the Regulation, in the amount of 8,400.00 euros (eight thousand four hundred) for the violation of Articles 5 and 9 of the same Regulation as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should be applied, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THIS CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the TO4 Local Health Authority, due to the violation of the basic principles of processing referred to in Articles 5 and 9 of the Regulation, within the terms set out in the reasoning;

ORDER

pursuant to the articles 58, par. 2, letter. i) and 83 of the Regulation, to the TO4 Local Health Authority, with registered office in Via Po n. 11 - 10034 Chivasso (TO), Tax Code/VAT no. 09736160012, to pay the sum of 8,400.000 (eight thousand four hundred) euros as a pecuniary administrative sanction for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €8,400.00 (eight thousand four hundred) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981;

HAS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website and believes that the conditions set out in the art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 23 May 2024

PRESIDENT
Stantion

THE SPEAKER
Stantion

THE GENERAL SECRETARY
Mattei

[doc. web no. 10037439]

Provision of 23 May 2024

Register of measures
n. 306 of 23 May 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

At today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("General Data Protection Regulation", hereinafter "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING REGARD TO Legislative Decree 10 August 2018, no. 101, containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC";

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and at www.gpdp.it, web doc. no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

HAVING SEEN the documentation on file;

HAVING REGARD TO the observations formulated by the Secretary General pursuant to art. 15 of Guarantor Regulation no. 1/2000 on the organisation and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur: Prof. Pasquale Stanzione;

PREMISE

1. Data breach notification

With notes dated XX and XX, the Local Health Authority TO4 (hereinafter "Company") notified a personal data breach, pursuant to art. 33 of the Regulation, declaring in particular that "on XX at 2.04 pm, the interested party (...) submitted a detailed complaint via email to the URP, in which she stated that on XX, at 10.32 am, she had received from the secretariat of the neurology clinic an email (from the address ambulatoriosm.cirie@aslto4.piemonte.it) with the subject "therapeutic plan renewal method", sent in clear to another 44 email addresses, and, about half an hour later, a second email rectifying the first, sent in the same way. She complained of the violation of her personal privacy. The URP, with an internal note via email at 2.35 pm, forwarded the complaint to the director of SC Neurology and to the medical director of the Ciriè-Lanzo hospital. On 7/15, SC Neurology, with a note signed by its director, communicated to management the outcome of the first internal investigation, which showed that the event had occurred due to a human error by the secretarial employee who, mistakenly disregarding the instructions on data processing for the purpose of sending communications, sent a circular of instructions on the therapeutic plan (without specific indications) to 45 addresses of patients suffering from multiple sclerosis, entering the addresses in clear in the CC field. Subsequently, on XX at 4.24 pm, the medical director of Ciriè-Lanzo sent the correspondence relating to the episode to the company privacy office, attaching the complaint and the two communications sent by the clinic. As soon as the investigation was completed, the privacy office gave preliminary notice to the Guarantor Authority".

In the aforementioned notes, the Company indicated, as the technical and organisational measures in place at the time of the breach to guarantee the security of the personal data involved, the "operating instructions on the use of electronic mail" and the "specific instructions on the processing of health data, contained in the letter of authorisation for data processing".

According to what was communicated by the Company, the data subject to the violation concerned "45 email addresses and, partially, approximately 45 personal details relating to the owners of these addresses; the nature of the communication allows us to deduce the status of a patient suffering from multiple sclerosis and/or demyelinating pathologies".

The Company also declared that, following the breach, a "verbal warning was issued to the operator who incorrectly sent the email", and listed as technical and organisational measures adopted (or proposed for adoption): "1 - Specific training for URP staff as the point of reception of user communications/complaints; 2 - Specific training of S.C. Neurology personnel as the unit affected by the DB [data breach]; 3 - Renewal of operational instructions to URP staff for internal communications (assignment by competence); 4 - Renewal of the specific instructions on the use of email for internal staff; 5 - Update of the manual on the use of IT tools".

2. Department assessments on the processing carried out and notification of the violation referred to in the art. 166, paragraph 5 of the Code

In relation to the facts described in the breach notification, the Office, with note dated XX (prot. no. XX), notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, inviting it to submit defence briefs or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981). This because it was considered that the Company had communicated personal data and health data of 44 patients to as many patients, in the absence of a suitable legal basis and, therefore, in violation of the basic principles of processing referred to in articles 5, 6 and 9 of the Regulation and art. 2-ter of the Code.

With a note dated XX, the Company submitted its defence briefs, in which it highlighted, in particular, that:

- “the processing affected by the violation concerns the transmission of correspondence to support the Company's diagnosis and treatment activities; this processing is included in the processing of health data (i.e. suitable for revealing the data subject's state of health) (...)";

- “this processing takes place on the legal basis of the combined provisions of the following rules: art. 9, paragraph 2 letter. “g”, “h” and “i” EU Reg. n. 2016/679 (“GDPR”); art. 2-sexies, paragraph 2, letter. t, u, v, cc, legislative decree 196/2003 and subsequent amendments. (reasons of significant public interest relating to the case in question) (…)”;

- "the purpose of the data processing in question is therefore that of diagnosis, healthcare and treatment of the patient concerned and, related to it, administrative activities related to specialist care on an outpatient basis (...)";

- "for carrying out the administrative activity in question, consisting of the processing of correspondence, via email, aimed at correctly informing the neurological patient about the progress of treatment activities, the Company has provided training and information to the operators, and this although the correct use of electronic mail is to be considered, in the current historical context, a common heritage of people of medium education, like all other tools for carrying out epistolary correspondence";

- “the events reported with the notification of violation that gave rise to the procedure are rooted in the failure by the personnel in charge, due to a simple oversight, to apply the precautions normally used for epistolary communication. In fact, human error in the application of the procedure actually interfered with the communication activity, but certainly did not constitute its purpose";

- “the event was absolutely accidental in nature. The use of email constitutes (...) a normal procedure aimed at communicating with the patients of the S.C. Neurology. This sending is, as a rule, individual or - in the case of collective sending - characterised by the use of the "blind carbon copy" (CCN) method in order to avoid communications reaching erroneous recipients. The reason for the choice of electronic mail as a means of communication is dictated on the one hand by the widespread diffusion of this instrument, and on the other by the fact that this means, being essentially classified as "postal", is assisted by the guarantees provided by the current legislation”;

- "in relation to the seriousness of the violation, (...), while noting that the events discussed have a high theoretical risk, however the impact, measured on table 1 of the ENISA WP2017 manual 0-2-2-5 (table of the severity due to the potential consequences for the interested party), reported to the concrete case highlighted that in fact the interested parties appear to have suffered consequences compatible with the "average" severity of the event ("Individuals may encounter significant inconveniences, which they will be able to overcome with some difficulties (extra costs, denial of access to professional services, fears, misunderstandings, stress, small physical inconveniences, etc.), reasonably attributable to the "fears" and "stress" categories;

- "these effects are also confirmed by the subsequent attitude of the complainant, who through her lawyer complained about the emergence of fears regarding the knowledge of the pathological state by third parties, knowledge partially heralding changes in the latter's attitude towards the complainant itself”;

- "the continuation of the correspondence with her lawyer also reiterated this circumstance, since even after some time there was no further allegation regarding hypotheses of damage, limiting itself to reiterating the presence of "frustration and psycho-emotional disturbance", all manifestations (net, however, of objective evidence which has not been offered so far) compatible with the (mentioned) etiological classification (...)";

- “the number of interested parties involved in the violation is equal to 44. The violation had an overall short duration; in fact, it is observed that the two mailings took place a few minutes apart from each other, so much so that both can be considered as the result of the same human error";

- “the violation was negligent in nature. The conduct appears to have been accidental, as per the admission of the operator involved during the disciplinary proceedings";

- "this Administration promptly notified the interested parties of the event as soon as it learned of the event. The event itself (erroneous communication in plain text of a list of addresses connected to information regarding the status of recipient of a therapeutic plan) is not susceptible to mitigation in its effects, if not through the communication of the event itself to the interested parties , according to the provisions of the art. 34 GDPR”;

- “the processing subject to the violation is characterized by an estimated “high” level of potential risk, as highlighted in the relevant processing sheet; however, it is operated entirely by personnel employed by the Company, personnel who are in any case required to comply with the Code of Conduct referred to in the art. 54 Legislative Decree 30 March 2001, n. 165, and which the Company has adopted with resolution no. 907 of 2018 (...), now updated with resolution no. 920 of 10/21/2022; said act, in art. 12 paragraph 6, clearly declines the employee's obligation of confidentiality pursuant to art. 2105 cod. civil as an obligation to observe official secrecy and the legislation on the processing of personal data, actively working not to disclose information relating to office activities, and therefore also personal data, of any category, of which it becomes entrusted. The administrative staff assigned to the S.C. Neurology (…) through the Ciriè Hospital Medical Directorate, he also received training on the processing of personal data (….)”;

- "the processing in question is then assisted by the procedure referred to in (...) Company Regulations for the Use of IT Systems - resolution 3/07/2020 n. 713,(…). This document was under review at the time of the data breach event being investigated; however, already in the current edition, in par. 8, "use of e-mail" states that "Wherever it is necessary to send documents containing sensitive data, the creation of a password-protected file is mandatory (in the case of multiple documents, create a compressed folder always protected by password). The password must be communicated with another tool (e.g. SMS, dictated on the telephone, etc.)”;

- "following the event in question, the Company has prepared the following further and additional organisational measures: a. Renewal of specific instructions on the use of email for internal staff; b. Specific training for URP staff as the point of reception of user communications/complaints; c. Specific training for S.C. Ciriè Neurology staff as the unit affected by the event; d. Renewal of operational instructions to URP staff for internal communications (assignment by competence); e. Update of the user manual of the IT tools";

- "in particular, the "user manual for IT tools", (...), currently being approved, now includes the following specific instruction: "The uncontrolled use of systems that propagate messages in a widespread and multiplied manner, inducing the recipient to produce multiple copies to send, in turn, to new recipients, must be avoided, as they reduce the efficiency of the mail system. The use of the "BCC" recipient field (blind carbon copy sending) is encouraged whenever it is necessary to privately inform a certain number of recipients of the contents of the email, preventing each from seeing the other recipients; this use is preferable in communications in which the same content must be sent to multiple recipients without the other recipients being aware of it. In this case, a BCC recipient who replies will not send to all recipients but only to the sender";

- "since this is a largely manual operation, therefore dependent exclusively on the skill and diligence of the operator in carrying out his duties, the Company proceeded to open disciplinary proceedings against the author of the error, which ended with the imposition of contractual labor law sanction (…)”;

- "the Administration is also exploring the technical possibility of inserting a technical procedure on its e-mail/anti-spam system that facilitates the interception of multiple mailings with the aim of reducing human risk";

- “OMISSIS";

- "the communication of data such as the status of recipient of a therapeutic plan is understood as communication only in the circumstance in which such communication occurs for (...) the purpose identified by the Data Controller, and in this context is subject to specific procedure, designation, instruction and specific training of the subjects appointed pursuant to the art. 29 GDPR”;

- “the communication operation found its definition, in the previous regime, in the repealed art. 4, c.1, letter. l, of Legislative Decree no. 196/2003 (…). Currently, this definitional rule has ceased to exist, but the notion of communication has fallen within the processing operations referred to in the art. 4, no. 2 GDPR, and this is because it is intended precisely as a processing operation, therefore as an activity knowingly implemented by the owner for a purpose. This distinction is essential to be able to distinguish communication as a processing operation (i.e. communication carried out with a finalistic logic by the Data Controller, who carries out the processing for a purpose - even regardless of the lawfulness of this -) from disclosure outside the provision of the information and the reference legislation.

And in fact, this last event constitutes a violation of confidentiality (...), but it is still an event that did not fall within the purpose of the processing".

The healthcare company then made considerations on the qualification of the breach, deeming it an unexpected and accidental disclosure of health data resulting in a violation of confidentiality which did not fall within the purpose of the processing. The controller also highlighted that it believes "that an accidental violation of confidentiality" cannot "be reclassified as a processing operation (sub specie, communication) without a legal basis; in fact, this evaluation would in itself entail an advance judgment regarding the existence of a processing purpose (which does not exist) not supported by a suitable legal basis, which would be equivalent to saying that it is possible to attribute to the offender his behaviour in the absence of consciousness and will, or in the presence of a fact that interrupts the causal link (which is excluded pursuant to art. 3 L. 689/81)", underlining, in any case, that "the violation in question was reported by this Administration promptly pursuant to art. 33 and art. 34 GDPR; that measures have been introduced which are expected to further reduce the risk of a repetition of the event in the future, that the violation only affected a set of email addresses, and that only one of the interested parties complained of effects, which were apparently limited".

At the hearing held on the 20th, it was also declared that:

- "regarding the measures adopted following the breach, the current email service provider has been asked about the possibility of adopting an "alert" that warns the user when an email is being sent to persons external to the organisation, so as to intercept any improper use of the "c.c." field. Proof of this request and of the related response was provided by transmitting to the Authority, on XX, a copy of the correspondence exchanged (...). The Company declares that it is committed to repeating the same request to the new email service provider that will be selected over the next year following a selection procedure";

- "a draft of a new regulation for the use of IT tools by Company employees is currently being viewed by the trade unions, which contains the specifications indicated in the memorandum for the use of the recipient in "c.c.n."; this regulation may be perfected and updated in view of the next change of supplier";

- "an update of training has been planned, also with regard to the critical profiles that determined the event, with particular reference to the use of e-mail, company devices and the Internet".
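The memorandum's BCC guidance, the idea of intercepting multiple mailings on the mail system, and the "alert" on sending to external addresses described at the hearing all amount to one control: inspect the To and Cc headers of an outgoing message before it leaves. The following is an added example of that control, not code from the decision or from ASL TO4's systems. Everything in it is hypothetical: the organisation domain aslto4.piemonte.it, the threshold of one visible external address, the sample message, and the patient addresses, which are constructed.

```python
"""Outbound-mail check for the CC-versus-BCC failure mode (added example).

Not part of the decision or of ASL TO4's systems. Assumed: the organisation's
domain is aslto4.piemonte.it, any message that exposes more than one external
address in To/Cc counts as a disclosure, and the check runs where the message
can still be rewritten (a submission-time hook or gateway milter).
"""
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

ORG_DOMAIN = "aslto4.piemonte.it"   # assumed organisation domain
MAX_VISIBLE_EXTERNAL = 1            # assumed threshold: one external address is an ordinary 1:1 mail

# Constructed sample: the clinic mailbox writes to itself and puts the
# patients in Cc, which is exactly the mistake the decision describes.
SAMPLE_CC = b"""From: ambulatoriosm.cirie@aslto4.piemonte.it
To: ambulatoriosm.cirie@aslto4.piemonte.it
Cc: patient1@example.org, patient2@example.net, patient3@example.com
Subject: therapeutic plan renewal method
Content-Type: text/plain; charset="utf-8"

Instructions for renewing the therapeutic plan follow.
"""


def parse_message(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage with structured headers."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def visible_recipients(msg):
    """Addresses every recipient will see: only To and Cc survive delivery.

    Bcc is removed by the submitting client or MSA and lives on only as
    envelope recipients (SMTP RCPT TO), so it is deliberately not counted.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def is_external(addr):
    """True when the address is not in the organisation's own domain."""
    return addr.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def check_message(msg):
    """Decide whether sending msg as-is would disclose the recipient list."""
    external = [a for a in visible_recipients(msg) if is_external(a)]
    verdict = {"visible_external": len(external),
               "block": len(external) > MAX_VISIBLE_EXTERNAL}
    if verdict["block"]:
        verdict["reason"] = (f"{len(external)} external addresses are visible in To/Cc; "
                             "every recipient would learn the others. Use Bcc.")
    return verdict


def to_bcc(msg):
    """Hardened form: strip the recipient list from the headers.

    Returns (rewritten_message, envelope_recipients). The envelope list is
    what the MTA receives in RCPT TO; it never appears in the delivered
    headers, which is what Bcc means on the wire. The To header is set to the
    sender so the delivered message still carries a valid recipient header.
    The input message is re-parsed rather than mutated.
    """
    envelope = visible_recipients(msg)
    new = parse_message(msg.as_bytes())
    for name in ("To", "Cc", "Bcc"):
        del new[name]
    new["To"] = str(msg["From"])
    return new, envelope


if __name__ == "__main__":
    original = parse_message(SAMPLE_CC)
    print(check_message(original))
    safe, rcpt_to = to_bcc(original)
    print(check_message(safe), rcpt_to)
    print(safe.as_string())
```

Run against the constructed sample, check_message reports three visible external addresses and blocks; after to_bcc the same check passes, the Cc header is gone, and the four addresses survive only as the envelope list handed to the MTA. In a real deployment the threshold and the exemption for internal addresses are policy decisions; a clinic that never legitimately mails several patients in one message can set the threshold to zero for that mailbox.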

3.  Outcome of the preliminary investigation

Having taken note of what the Company represented in the documentation on file and in the defence briefs, it is noted that:

1. e-mail addresses fall within the notion of personal data, even if they do not contain references to the name and surname or to other information directly identifying the interested parties; the circumstance that, from the context of the communication, it could be deduced that the recipients of the emails, sent by the secretariat of the neurology clinic and concerning the "therapeutic plan renewal methods", were patients being treated at that clinic, meant that the processing described concerned health data, since it concerns information relating to health care services which reveals information on the state of health (art. 4, par. 1, no. 15 of the Regulation; on the attribution of the email address to the notion of personal data see, among others, the provision of 25 June 2002 and the provision of 24 June 2003, web doc. no. 1132562); such data deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (Recital 51);

2. the Code, in the version reformulated by Legislative Decree no. 101/2018, defines the communication of personal data as "giving knowledge of personal data to one or more specific subjects other than the data subject, the representative of the controller in the territory of the European Union, the processor or its representative in the territory of the European Union, or the persons authorised, pursuant to art. 2-quaterdecies, to process personal data under the direct authority of the controller or processor, in any form, including by making them available, consulting or interconnecting them" (art. 2-ter, paragraph 4, letter a);

3. the regulations on the protection of personal data provide - in the healthcare sector - that information on the state of health can be communicated only to the interested party and can be communicated to third parties only on the basis of a suitable legal basis (art. 9 Regulation and art. 84 of the Code in conjunction with art. 22, paragraph 11, legislative decree 10 August 2018, no.

4. the data controller is required to respect the principles of data protection, including that of "integrity and confidentiality", according to which personal data must be "processed in a manner that guarantees adequate security (... ), including protection, through adequate technical and organizational measures, from unauthorized or illicit processing and from accidental loss, destruction or damage” (art. 5, par. 1, letter f) of the Regulation).

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation, and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), it is represented that the elements provided by the Company in the breach notification, in the defence briefs and at the hearing do not allow the findings notified by the Office with the act initiating the procedure to be overcome, none of the cases provided for by art. 11 of Guarantor Regulation no. 1/2019 being applicable.

As described above, each of the two communications, sent approximately half an hour apart, coming from the secretariat of the neurology clinic and concerning the "therapeutic plan renewal methods", took place through a single email message addressed to multiple recipients, whose addresses had been entered in clear in the carbon copy (cc) field; this circumstance, without justified reason and in the absence of a legal basis, revealed to each recipient the state of health of the other patients, giving rise to a communication of health data of the interested parties (to whom the email addresses belong), in violation of the basic principles set out in articles 5, par. 1, letter f), and 9 of the Regulation.

On this point, the arguments put forward by the controller are not suitable to exclude its liability in relation to what is contested, since, with reference to the error made, twice, by the authorised person who carried out the processing operations in question, the condition that would allow the error to be deemed inevitable and blameless, i.e. such that it could not have been avoided with ordinary diligence, is not present. In light of the consolidated case law of the Court of Cassation (Cass. no. 7885/2011, Cass. no. 16320/2010, Cass. no. 19759/2015, Cass. no. 33441/2019 and Cass. no. 17822/2021), for the purposes of applying the invoked art. 3 of law no. 689/1981 it is necessary that good faith or the error be based on a positive element, extraneous to the agent and capable of inducing in him the belief in the lawfulness of his conduct (excusable error), and that this positive element be one that the agent could not have overcome with ordinary diligence. In this case, the operator could diligently have ascertained, through a more careful check, the correctness of the operations carried out when sending the emails, thus avoiding the communication of health data to unauthorised third parties.

For these reasons, the illicit nature of the processing of personal data carried out by the Company is noted, in the terms set out in the justification.

In this framework, considering in any case that the conduct has exhausted its effects and that the Company has expressed its intention to implement the technical and organisational measures deemed necessary to avoid similar events in future and, in any case, to minimise human error, the conditions for the adoption of prescriptive or injunctive measures referred to in art. 58, par. 2, of the Regulation are not met.

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code). 

The violation of the articles. 5, par. 1, letter. f) and 9 of the Regulation is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 5 of the Regulation.

Consider that the Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in the art. 83, par. 1, of the Regulation, on the basis of the elements provided for by art. 83, par. 2, of the Regulation.

In light of the above and, in particular, the category of personal data affected by the violation, the number of interested parties (44) and the non-intentional nature of the violation, it is believed that the level of severity of the violation committed by the Company is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Furthermore, we would like to point out that the Company has already been the recipient of a provision adopted pursuant to art. 58 of the Regulation, which however concerned the activation of video surveillance systems in violation of the art. 4 of law 20 May 1970, n. 300 (see provision of 5 March 2020, no. 53, web doc. no. 9433080) Therefore, the aforementioned violation cannot be classified as a "previous relevant violation" pursuant to art. 83, par. 2, letter. e) of the Regulation.

Having said this, having assessed certain elements as a whole and, in particular, that:

- the Guarantor became aware of the event following the notification of violation made by the Company, pursuant to art. 33 of the Regulation, as soon as the same has received a report to this effect (art. 83, par. 2, letter h) of the Regulation);

- the controller, in order to avoid a repetition of the event, has undertaken to carry out training of the operators authorised to process personal data and to design "alert" procedures for the use of the "cc" field of email (art. 83, par. 2, letters c) and f) of the Regulation);

- the violation concerned a specific internal structure of the data controller and not the overall organization of the same and was caused by an error by an operator, who was in any case subjected to disciplinary proceedings (art. 83, par. 2, letter k) of the Regulation).

it is deemed necessary to determine the amount of the pecuniary sanction provided for by the art. 83, par. 5 of the Regulation, in the amount of 8,400.00 euros (eight thousand four hundred) for the violation of the articles. 5 and 9 of the same Regulation as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also considered that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of Guarantor Regulation no. 1/2019, should be applied, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE ABOVE CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the TO4 Local Health Authority, due to the violation of the basic principles of processing referred to in articles 5 and 9 of the Regulation, within the terms set out in the reasoning;

ORDERS

pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, the TO4 Local Health Authority, with registered office in Via Po n. 11 - 10034 Chivasso (TO), Tax Code/VAT no. 09736160012, to pay the sum of 8,400.00 (eight thousand four hundred) euros as a pecuniary administrative sanction for the violation indicated in this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €8,400.00 (eight thousand four hundred) according to the methods indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement measures will be adopted in accordance with art. 27 of law no. 689/1981;

DIRECTS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision or within sixty days if the appellant resides abroad.

Rome, 23 May 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE GENERAL SECRETARY
Mattei