Garante per la protezione dei dati personali (Italy) - 10039592

From GDPRhub
Garante per la protezione dei dati personali - 10039592
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(2) GDPR
Art. 2-sexies d.lgs. 196/2003
Art. 2-ter(1) d.lgs. 196/2003
Art. 2-ter(3) d.lgs. 196/2003
Art. 2-ter(4)(a) d.lgs. 196/2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 04.07.2024
Published:
Fine: n/a
Parties: Istituto Statale "Duca degli Abruzzi"
National Case Number/Name: 10039592
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA reprimanded a school after it shared a student's Covid-19 diagnosis with other students in violation of Article 9 GDPR.

English Summary

Facts

The father of the data subject filed a complaint with the DPA against the school attended by his son (the controller). He complained that a teacher had unlawfully sent to the other students and their parents a certificate issued by the health authority stating that the data subject had been tested positive for Covid-19.

The controller argued that it was not aware of this incident and that, after becoming aware, it had started a disciplinary procedure against the teacher. Moreover, it highlighted that this incident did not have any negative consequence on the data subject and that the certificate was only sent to a closed group of members of the school community. Finally, it pointed out that the teacher was undergoing a really stressful time due to the spreading of Covid-19.

Holding

First of all, the DPA noted that a public authority is allowed to process personal data under the legal bases provided for by Article 6(1)(c) and 6(1)(e) GDPR. Moreover, the national law implementing Article 6(2) GDPR, Article 2-ter(1) and 2-ter(3) of the Italian Data Protection Code, states that public administration might “disseminate” or “communicate” personal data to third parties only when a piece of legislation authorises to do so.

Secondly, the DPA noted that the definition of “communication” set by Article 2-ter(4)(a) of the Italian Data Protection Code does not require that personal data is shared with an undetermined amount of people. On the contrary, just sharing the certificate with a closed group of students is enough to fall into the scope of this definition.

Therefore, it found a violation of Article 5(1)(a) and 6 GDPR and Article 2-ter of the Italian Data Protection Code.

Thirdly, it pointed out that information relating to a Covid-19 diagnosis is data concerning health under Article 9 GDPR. It recalled that this kind of data can be processed only if an exception under Article 9(2) GDPR is applicable. In particular, Article 9(2)(g) GDPR allows processing of personal data for reasons of substantial public interest if it happens on the basis of EU or Member State law. However, the implementing national law, Article 2-sexies of the Italian Data Protection Code, does not allow such a “communication”.

Therefore, it found a violation of Article 9 GDPR and Article 2-sexies of the Italian Data Protection Code.

On these grounds, it issued a reprimand to the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10039592]

Provision of 4 July 2024

Register of provisions
no. 403 of 4 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur Prof. Pasquale Stanzione;

WHEREAS

1. The complaint.

The Authority has received a complaint by which Mr. XX complained that, following the positive result for Covid-19 reported by his son following the swab carried out at the “ULSS2 Marca Trevigiana”, a teacher of the State High School “Duca degli Abruzzi” of Treviso (hereinafter, the Institute), had sent to the boy’s classmates and their parents, a communication containing the provision issued in this regard by the Hygiene and Public Health Services of the ASL, with which the class was informed of the minor’s positive status for Covid-19.

2. The preliminary investigation.

With a note of XX, the Institute responded to the request for information formulated by the Authority (note of XX, prot. no. XX), stating, in particular, that:

- "it was not aware of the actions of the teacher who would have disclosed personal data as set out in the complaint of Mr. XX";

- "after an internal investigation, it identified Prof. (...), the teacher who, together with the provision issued by the Hygiene and Public Health Services of the ASL, identified the son of Mr. XX as the person affected by COVID-19";

- "the protocol adopted by the school, in agreement with the SISP of the ASL, provides that the provision (anonymous) be transmitted to the members of the class and to the parents";

- "the Prof. received adequate information on the legislation relating to privacy at the beginning of the year";

- "promptly, following the (...) report, a charge was issued against Prof. (...) for the initiation of a disciplinary proceeding”;

-  “what happened was due exclusively to a mere material error due to a typo”.

On the basis of the elements acquired, the Office notified, with note of XX, (prot. no. XX) to the Institute, as data controller, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulation, since the sending, to the parents of the interested party’s classmates, of the email message via electronic register containing the measure regarding the interested party’s “positivity” issued by the ASL’s Hygiene and Public Health Services, gave rise to an illicit “communication” of personal data, including health data, in the absence of a suitable basis for lawfulness, in violation of art. 5, paragraph 1, letter b) of the Code. a), 6 and 9 of the Regulation and 2-ter and 2- sexies of the Code.

The Office invited the aforementioned holder to produce written defenses or documents or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).

The Institute sent its defense briefs with note of XX, representing that:

- "As known to this Authority, in this case the teacher of class 4CA addressed a communication via electronic register sent exclusively to the parents of the class group in the student component of the same";

- “The purpose of the communication was presumably intended to be linked to the communication of the positivity of a classmate positive for covid, this communication had been indicated by the colleague Prof. (…) who in turn communicated the name and surname of the student positive for covid, this communication also concerned the organization of the trip planned for some time in which the boy would have wanted to participate after more than a year of isolation”;

- “this communication was deleted and its content was not the subject of circulars, resolutions, or other documents addressed to non-specific recipients”;

- “the Headmaster or school staff never received news that this communication had subsequently created embarrassing or offensive situations for the student”;

- “the communication, which is attached to this one, as can be well understood, is the result of an error related to the rush to communicate the case of positivity to the students, within the class group and certainly not a voluntary action on the part of the teacher. It can be assumed that the situation of psychological stress that was very present in those days, and certainly this situation contributed to lowering the teacher's attention";

- "every year, by decision of the various School Directors, several circulars have been issued regarding respect for the privacy of the interested parties to continue to raise awareness in teachers of the spirit of observance and respect for it. In fact, the case is considered isolated and above all determined by the situation of psychological stress to which all school staff were subjected in the emergency situation";

- "the communication in question was instantaneous in nature and has already been concluded, it had organizational purposes and as indicated by the Legislative Decree of 4 February 2022,5 "Urgent measures regarding COVID-19 green certifications and for the safe performance of activities within the educational, school and training system. (22G00014) (GU General Series no. 29 of 04-02-2022)” in line with the exercise of the teaching function and was shared with a very limited number of recipients”;

- “the communication in question was certainly negligent, with no evidence to support the teacher’s intent, even from the literal content of the communication”;

- “in this case, no technical measure could have mitigated the risk. In general terms, information was provided, via a school circular, which I attach to this document, to raise awareness of the attention that each teacher must pay when processing the data of interested parties, especially students”;

- “the Director pro tempore called on the teacher to pay greater attention to the processing of data, urging her to take greater account, in addition to the processing rules, of the consequences that a communication shared with all parents, even if agreed upon, may have on the interested parties”.

During the hearing, held on XX, the Institute declared that:

-  "in addition to what is already in the file, I represent that from the point of view of the interested party there was no negative impact recorded after the event nor did any other similar or equal event occur. We have implemented the measures already declared in the defense briefs, to mitigate possible negative effects, such as sending to all interested parties a communication containing the request to delete the information regarding the interested party received erroneously, monitoring, through the teachers, the actual deletion. In general terms, we have taken steps to raise awareness through an Institute circular, the attention of teachers in the treatment of student data; there has been a written warning to the teacher who caused the event. The event occurred in full Covid, in a complex situation also from an organizational point of view. As already highlighted, the case is totally isolated".

3. Outcome of the preliminary investigation.

3.1 Applicable legislation.

According to the Regulation, the processing of personal data carried out in the public sphere is lawful when it is necessary “for compliance with a legal obligation to which the controller is subject” or “for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6, paragraph 1, letters c) and e) and paragraphs 2 and 3 of the Regulation; Article 2-ter of the Code).

More generally, European legislation provides that “Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing in accordance with paragraph 1, letters c) and e), by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing (…)” (Article 6, paragraph 2 of the Regulation).

National legislation has introduced more specific provisions to adapt the application of the provisions of the Regulation, determining, with greater precision, specific requirements for processing and other measures to ensure lawful and correct processing (art. 6, par. 2 of the Regulation) and, in this context, has provided that processing operations consisting in the "dissemination" and "communication" of personal data are permitted only when provided for by a law or regulation or by general administrative acts. (art. 2-ter, paragraphs 1 and 3, of the Code).

With regard to special categories of personal data, processing is, as a rule, permitted where “necessary for reasons of substantial public interest on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject” (Article 9, paragraph 2, letter g), of the Regulation), provided that the processing is “provided for by European Union law or, in the internal legal system, by provisions of law or regulation or by general administrative acts specifying the types of data that may be processed, the operations that may be performed and the substantial public interest reason, as well as the suitable and specific measures to safeguard the fundamental rights and the interests of the data subject” (Article 2-sexies, paragraph 1, of the Code).

The data controller is then required to comply with the principles of data protection (Article 5, of the Regulation).

3.2 The processing of personal data carried out by the Institute.

As can be seen from the documents and statements made by the data controller as well as from the investigation carried out on the basis of the elements acquired following the investigation and subsequent assessments of this Department, it was ascertained that, following the positive result for Covid-19 reported by the complainant's son by means of the swab carried out at the "ULSS2 Marca Trevigiana", a teacher of the Institute sent, to the parents of the interested party's classmates, an email via electronic register containing the provision issued in this regard by the ASL Public Health and Hygiene Services and also informing the aforementioned subjects "of the positivity" of the interested party.

In this regard, it is noted that, pursuant to art. 4 par. 1, n. 15 of the Regulation, data relating to health are considered "personal data relating to the physical and mental health of a natural person, including the provision of health care services, which reveal information on his or her state of health". Given the definition of personal data and health data (art. 4, points 1 and 15, of the Regulation), it is believed that the state of positivity to Covid-19 represents information relating to the state of health of the student to whom such information is referred.

Although, therefore, the sending of the communication in question, containing information relating to the state of health of the interested party did not involve subjects external to the school community and did not result in the dissemination of personal data - the knowledge of the data contained therein occurred in any case in favor of a number, determined or determinable, of subjects, i.e. all the parents of the class (see the definition of "communication" of personal data contained in art. 2-ter paragraph 4 letter a), of the Code), giving rise to a "communication" of the personal data of the interested party.

For these reasons, the Institute gave rise, in the absence of a suitable prerequisite of lawfulness, to a communication in a manner not compliant with the principle of "lawfulness, correctness and transparency", in violation of art. 5, paragraph 1, letter a) of the Regulation and in the absence of an appropriate regulatory basis, in violation of Articles 6 and 9 of the Regulation and 2-ter and 2-sexies of the Code.

4. Conclusions.

In light of the assessments referred to above, taking into account the statements made by the data controller during the investigation ˗ the veracity of which may be held accountable pursuant to Article 168 of the Code ˗ it is represented that the elements provided by the data controller in the defensive briefs do not allow to overcome the findings notified by the Office with the act of initiation of the proceeding and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by Article 11 of the Regulation of the Guarantor no. 1/2019 do not apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Institute is noted, in violation of Articles. 5, par. 1, letter a), 6 and 9 of the Regulation as well as art. 2- ter and 2-sexies of the Code.

Having said this, taking into account that:

- the data controller is a school and, therefore, a small entity;

- the unlawful conduct involved only one interested party belonging to the school community;

- it was an isolated case;

- the Institute, following the episode that occurred, once again sensitized the teacher involved in the case in question and all teaching and secretarial staff in relation to the rules on the protection of personal data;

- the event occurred in the context of an epidemic which also led to organizational difficulties for the Institute;

- the data controller cooperated fully with the Authority during the investigation;

- there are no previous relevant violations committed by the data controller or previous measures pursuant to art. 58 of the Regulation;

- the circumstances of the specific case lead to qualifying it as a “minor violation”, pursuant to Article 148 of the Regulation and the “Guidelines on the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) No. 2016/679”, adopted by the Art. 29 Working Party on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with “Endorsement 1/2018” of 25 May 2018.

It is therefore believed, with respect to the case in question, that it is sufficient to warn the data controller pursuant to Articles 58, paragraph 2, letter b), and 83, paragraph 2, of the Regulation, for having violated Articles 5, paragraph 1, letter a), 6 and 9 of the Regulation as well as Article 2-ter and 2-sexies of the Code.

Considering that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation do not exist.

Finally, it is noted that the conditions pursuant to art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, exist.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter f), declares the conduct held by the State Institute "Duca degli Abruzzi" with headquarters in Via Caccianiga, n. 5, 31100, Treviso - Fiscal Code 80011400266 described in the terms set out in the reasons, consisting in the violation of art. 5, par. 1, letter a), 6 and 9 of the Regulation as well as art. 2- ter and 2-sexies of the Code;

b) pursuant to art. 58, par. 2, letter b) of the Regulation, warns the Istituto Statale “Duca degli Abruzzi” as the data controller in question, for having violated art. 5, par. 1, letter a), 6 and 9 of the Regulation as well as art. 2- ter and 2-sexies of the Code;

c) believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 4 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei

[web doc. no. 10039592]

Provision of 4 July 2024

Register of provisions
no. 403 of 4 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY’S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and the Councilor Fabio Mattei, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD to Legislative Decree no. 196 of 30 June 2003, “Code on the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, “Code”);

HAVING REGARD to Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur Prof. Pasquale Stanzione;

WHEREAS

1. The complaint.

The Authority received a complaint in which Mr. XX complained that, following the positive result for Covid-19 reported by his son following the swab carried out at the “ULSS2 Marca Trevigiana”, a teacher of the State High School “Duca degli Abruzzi” of Treviso (hereinafter, the Institute), had sent to the boy’s classmates and their parents, a communication containing the provision issued in this regard by the Hygiene and Public Health Services of the ASL, with which the class was informed of the minor’s positive status for Covid-19.

2. The investigative activity.

With a note of XX, the Institute responded to the request for information formulated by the Authority (note of XX, prot. no. XX), stating, in particular, that:

- "it was not aware of the actions of the teacher who would have disclosed personal data as set out in the complaint of Mr. XX";

- "after an internal investigation, it identified Prof. (...), the teacher who, together with the provision issued by the Hygiene and Public Health Services of the ASL, identified the son of Mr. XX as the person affected by COVID-19";

- "the protocol adopted by the school, in agreement with the SISP of the ASL, provides that the provision (anonymous) be transmitted to the members of the class and to the parents";

- "the Prof. received adequate information on the legislation relating to privacy at the beginning of the year";

- "promptly, following the (...) report, a charge was issued against Prof. (...) for the initiation of a disciplinary proceeding”;

-  “what happened was due exclusively to a mere material error due to a typo”.

On the basis of the elements acquired, the Office notified, with note of XX, (prot. no. XX) to the Institute, as data controller, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulation, since the sending, to the parents of the interested party’s classmates, of the email message via electronic register containing the measure regarding the interested party’s “positivity” issued by the ASL’s Hygiene and Public Health Services, gave rise to an illicit “communication” of personal data, including health data, in the absence of a suitable basis for lawfulness, in violation of art. 5, paragraph 1, letter b) of the Code. a), 6 and 9 of the Regulation and 2-ter and 2- sexies of the Code.

The Office invited the aforementioned holder to produce written defenses or documents or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).

The Institute sent its defense briefs with note of XX, representing that:

- "As known to this Authority, in this case the teacher of class 4CA addressed a communication via electronic register sent exclusively to the parents of the class group in the student component of the same";

- “The purpose of the communication was presumably intended to be linked to the communication of the positivity of a classmate positive for covid, this communication had been indicated by the colleague Prof. (…) who in turn communicated the name and surname of the student positive for covid, this communication also concerned the organization of the trip planned for some time in which the boy would have wanted to participate after more than a year of isolation”;

- “this communication was deleted and its content was not the subject of circulars, resolutions, or other documents addressed to non-specific recipients”;

- “the Headmaster or school staff never received news that this communication had subsequently created embarrassing or offensive situations for the student”;

- “the communication, which is attached to this one, as can be well understood, is the result of an error related to the rush to communicate the case of positivity to the students, within the class group and certainly not a voluntary action on the part of the teacher. It can be assumed that the situation of psychological stress that was very present in those days, and certainly this situation contributed to lowering the teacher's attention";

- "every year, by decision of the various School Directors, several circulars have been issued regarding respect for the privacy of the interested parties to continue to raise awareness in teachers of the spirit of observance and respect for it. In fact, the case is considered isolated and above all determined by the situation of psychological stress to which all school staff were subjected in the emergency situation";

- "the communication in question was instantaneous in nature and has already been concluded, it had organizational purposes and as indicated by the Legislative Decree of 4 February 2022,5 "Urgent measures regarding COVID-19 green certifications and for the safe performance of activities within the educational, school and training system. (22G00014) (GU General Series no. 29 of 04-02-2022)” in line with the exercise of the teaching function and was shared with a very limited number of recipients”;

- “the communication in question was certainly negligent, with no evidence to support the teacher’s intent, even from the literal content of the communication”;

- “in this case, no technical measure could have mitigated the risk. In general terms, information was provided, via a school circular, which I attach to this document, to raise awareness of the attention that each teacher must pay when processing the data of interested parties, especially students”;

- “the Director pro tempore called on the teacher to pay greater attention to the processing of data, urging her to take greater account, in addition to the processing rules, of the consequences that a communication shared with all parents, even if agreed upon, may have on the interested parties”.

During the hearing, held on XX, the Institute declared that:

-  "in addition to what is already in the file, I represent that from the point of view of the interested party there was no negative impact recorded after the event nor did any other similar or equal event occur. We have implemented the measures already declared in the defense briefs, to mitigate possible negative effects, such as sending to all interested parties a communication containing the request to delete the information regarding the interested party received erroneously, monitoring, through the teachers, the actual deletion. In general terms, we have taken steps to raise awareness through an Institute circular, the attention of teachers in the treatment of student data; there has been a written warning to the teacher who caused the event. The event occurred in full Covid, in a complex situation also from an organizational point of view. As already highlighted, the case is totally isolated".

3. Outcome of the preliminary investigation.

3.1 Applicable legislation.

According to the Regulation, the processing of personal data carried out in the public sphere is lawful when it is necessary “for compliance with a legal obligation to which the controller is subject” or “for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6, paragraph 1, letters c) and e) and paragraphs 2 and 3 of the Regulation; Article 2-ter of the Code).

More generally, European legislation provides that “Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing in accordance with paragraph 1, letters c) and e), by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing (…)” (Article 6, paragraph 2 of the Regulation).

National legislation has introduced more specific provisions to adapt the application of the provisions of the Regulation, determining, with greater precision, specific requirements for processing and other measures to ensure lawful and correct processing (art. 6, par. 2 of the Regulation) and, in this context, has provided that processing operations consisting in the “dissemination” and “communication” of personal data are permitted only when provided for by a law or regulation or by general administrative acts. (art. 2-ter, paragraphs 1 and 3, of the Code).

With regard to special categories of personal data, processing is, as a rule, permitted where “necessary for reasons of substantial public interest on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject” (Article 9, paragraph 2, letter g), of the Regulation), provided that the processing is “provided for by European Union law or, in the internal legal system, by provisions of law or regulation or by general administrative acts specifying the types of data that may be processed, the operations that may be performed and the substantial public interest reason, as well as the suitable and specific measures to safeguard the fundamental rights and the interests of the data subject” (Article 2-sexies, paragraph 1, of the Code).

The data controller is then required to comply with the principles of data protection (Article 5, of the Regulation).

3.2 The processing of personal data carried out by the Institute.

As can be seen from the documents and declarations made by the data controller as well as from the investigation carried out on the basis of the elements acquired following the investigative activity and subsequent assessments of this Department, it was ascertained that, following the positive result for Covid-19 reported by the complainant's son by means of the swab carried out at the "ULSS2 Marca Trevigiana", a teacher of the Institute sent, to the parents of the interested party's classmates, an email message via electronic register containing the provision issued in this regard by the ASL Public Health and Hygiene Services and also informing the aforementioned subjects "of the positivity" of the interested party.

In this regard, it is noted that, pursuant to art. 4 par. 1, no. 15 of the Regulation, data relating to health are considered “personal data relating to the physical and mental health of a natural person, including the provision of health care services, which reveal information on his or her state of health”. Given the definition of personal data and data relating to health (art. 4, points 1 and 15, of the Regulation), it is believed that the state of positivity to Covid-19 represents information relating to the state of health of the student to whom such information is referred.

Although, therefore, the sending of the communication in question, containing information relating to the health status of the interested party, did not involve subjects external to the school community and did not result in the dissemination of personal data - the knowledge of the data contained therein occurred in any case in favor of a number, determined or determinable, of subjects, i.e. all the parents of the class (see the definition of "communication" of personal data contained in art. 2-ter paragraph 4 letter a), of the Code), giving rise to a "communication" of the personal data of the interested party.

For these reasons, the Institute gave rise, in the absence of a suitable prerequisite of lawfulness, to a communication in a manner not compliant with the principle of "lawfulness, correctness and transparency", in violation of art. 5, paragraph 1, letter a) of the Regulation and in the absence of a suitable regulatory prerequisite, in violation of arts. 6 and 9 of the Regulation and 2-ter and 2-sexies of the Code.

4. Conclusions.

In light of the above assessments, taking into account the statements made by the data controller during the investigation ˗ the veracity of which may be held accountable pursuant to art. 168 of the Code ˗ it is represented that the elements provided by the data controller in the defensive briefs do not allow to overcome the findings notified by the Office with the act of initiation of the proceeding and are insufficient to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Institute is noted, in violation of art. 5, par. 1, letter a), 6 and 9 of the Regulation as well as art. 2-ter and 2-sexies of the Code.

That said, taking into account that:

- the data controller is a school and, therefore, a small entity;

- the unlawful conduct involved only one data subject belonging to the school community;

- it was an isolated case;

- the Institute, following the episode that occurred, once again sensitized the teacher involved in the case in question and all the teaching and secretarial staff in relation to the rules on the protection of personal data;

- the event occurred in the context of an epidemic which also led to organizational difficulties for the Institute;

- the data controller cooperated fully with the Authority during the investigation;

- there are no previous relevant violations committed by the data controller or previous measures pursuant to art. 58 of the Regulation;

- the circumstances of the specific case lead to qualifying it as a "minor violation", pursuant to cons. 148 of the Regulation and of the “Guidelines on the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) No. 2016/679”, adopted by the Art. 29 Working Party on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with “Endorsement 1/2018” of 25 May 2018.

It is therefore believed, with respect to the case in question, that it is sufficient to warn the data controller pursuant to Articles 58, paragraph 2, letter b), and 83, paragraph 2, of the Regulation, for having violated Articles 5, paragraph 1, letter a), 6 and 9 of the Regulation as well as Article 2-ter and 2-sexies of the Code.

Considering that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation do not exist.

Finally, it is noted that the conditions pursuant to art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, exist.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter f), declares the conduct held by the State Institute "Duca degli Abruzzi" with headquarters in Via Caccianiga, n. 5, 31100, Treviso - Fiscal Code 80011400266 described in the terms set out in the reasons, consisting in the violation of art. 5, par. 1, letter a), 6 and 9 of the Regulation as well as art. 2- ter and 2-sexies of the Code;

b) pursuant to art. 58, par. 2, letter b) of the Regulation, warns the Istituto Statale “Duca degli Abruzzi” as the data controller in question, for having violated art. 5, par. 1, letter a), 6 and 9 of the Regulation as well as art. 2- ter and 2-sexies of the Code;

c) believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 4 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei