Garante per la protezione dei dati personali (Italy) - 10066215

From GDPRhub
Garante per la protezione dei dati personali - 10066215
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 17(3)(b) GDPR
Art. 223(2) D. Lgs. 285/1992
Type: Complaint
Outcome: Upheld
Started:
Decided: 26.09.2024
Published:
Fine: n/a
Parties: Ministero dell'Interno
National Case Number/Name: 10066215
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA reprimanded the Interior Ministry after it failed to reply to an erasure request. The DPA highlighted that a controller must always act on such a request and reply to the data subject, even if the request is unfounded.

English Summary

Facts

In 2009, the data subject was stopped by the Police and his driving licence was revoked given that he was driving under the influence.

In 2023, the data subject noticed that in the national database of driving licences, his name was still associated with this offence.

Therefore, he filed an erasure request with the Interior Ministry (Ministero dell'Interno).

Since the Interior Ministry never replied, the data subject filed a complaint with the DPA.

The controller pointed out that it cannot delete the data since Article 17(3)(b) GDPR applies, i.e. the controller has a legal obligation to continue processing this data in accordance with Articles 223(1) and 226(11) of the Italian Traffic Regulation (Codice della strada - D. Lgs. 285/1992), obliging the controller to register the issuing and revoking of driving licenses in a database.

Regarding the failure to reply to the data subject's request, the controller argued that the data subject, when filing the erasure request, did not tick the box of the form saying that he did not want to be informed according to Article 12(4) GDPR. According to the controller, this it to think that the 30-day deadline was not legally binding.

Finally, the controller noted that it had deemed not necessary to reply to the data subject since the latter was, however, not entitled to the erasure at hand.

Holding

First, the DPA pointed out that, according to Article 12(3) and 12(4) GDPR, a controller should reply to an erasure request in every case, including when it believes that the request should be rejected.

Since in the case at hand the controller did not reply, the DPA found a violation of Article 12(1), 12(3) and 12(4) GDPR.

On these grounds, the DPA issued a reprimand to the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10066215]

Provision of 26 September 2024

Register of provisions
no. 587 of 26 September 20204

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the Personal Data Protection Code (hereinafter, the “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation no. 1/2019”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data (web doc. no. 1098801);

REPORTER Prof. Ginevra Cerrina Feroni;

WHEREAS

1. The complaint.

With a complaint submitted pursuant to art. 77 of the Regulation, Mr. XX complained about the lack of response by the Ministry of the Interior - Prefecture of Rome (hereinafter, “Ministry” or “Prefecture”) and the ASL of Rome 1 (hereinafter, “ASL”) to a request, submitted pursuant to art. 17 of the Regulation, concerning the exercise of the right to erasure of his personal data.

In particular, on 7 February 2023, the complainant requested the Prefecture and the ASL "to delete the personal data from the databases of the prefecture and the competent ASL", stating that "On 09.09.2009 the Police of the Municipality of [omissis] withdrew the undersigned's driving license because (...) he was in a state of drunkenness. 13 (thirteen) years have passed since then and the undersigned has scrupulously followed the complete rehabilitation process provided for by Italian law. The undersigned is not a repeat offender (...) but his personal data is still present in the Prefecture's lists relating to this crime. To date, neither the competent ASL nor the Prefecture have removed such personal data, in an eternal exchange of responsibilities and competences". The complainant has attached, in this regard, a copy of the statute of limitations for the crime issued by the competent Court.

On 15 February 2023, the ASL contacted provided feedback to the interested party stating that it was impossible to "proceed (...) with the deletion of the data held at the Rome 1 Local Medical Commission as the current legislation establishes that the relevant file must be kept for at least twenty years. Since this is a case closed in 2019, the deletion of the data cannot take place before 2039". However, no response to the aforementioned request to exercise rights was received from the Ministry of the Interior.

2. The investigation activity.

That said, with a note dated 11 April 2023, the Authority formulated a request for information to the Ministry pursuant to art. 157 of the Code), aimed at acquiring any useful element for assessing the case, also inviting the Ministry, pursuant to art. 15 of Regulation no. 1/2019, to adhere to the request to exercise rights presented by the complainant. Subsequently, with a note dated 27 April 2023, the Prefecture represented to the Authority that it had "arranged for Mr. XX to undergo a medical examination, the temporary suspension of the validity of the driving license and proceeded, as provided for by art. 223 c. 1, to update the National Registry", declaring that it had "limited itself exclusively to entering the data in the aforementioned Registry which is not accessible to third parties, but only to authorized administrative personnel".

However, in the absence of evidence of any response from the Ministry to the request to exercise the rights presented by the complainant, the Authority, with a note dated 20 May 2023, formulated a further request for information, following which the Ministry, with a note dated 17 July 2023, provided the necessary response, representing to the complainant that it had "provided for the data to be entered exclusively" in the National Register of Drivers, which "is not accessible to third parties, but only to authorised administrative personnel" and that, furthermore, there was "no "list" published on its institutional website".

On the basis of the elements acquired, the Office notified the Ministry of the Interior - Prefecture of Rome, with a note dated 20 October 2023, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, contesting the Ministry for the violation of art. 12, paragraphs 1, 3 and 4, of the Regulation, for having late found the request for exercise of rights presented by the complainant pursuant to the aforementioned art. 17.

In this context, the Office invited the Ministry to produce defensive writings or documents or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981). The Ministry therefore, with a note dated 6 October 2023, transmitted its defensive briefs, representing, in particular, that:

- “the office, as per the regulatory provisions (art. 223 c. 1 of the Highway Code, but see also art. 226 paragraphs 10 and following and, in particular, paragraph 12 which cites the prefectures), has, among other things, fulfilled the obligation to communicate to the national registry of those authorised to drive”;

- “the registry is not freely accessible by third parties: no personal data can be drawn from it; therefore, no impairment of the right to privacy can be envisaged. The right to be forgotten has a reason to exist only if there is a public potentially capable of obtaining the information - an aspect completely absent in the dispute in question. Moreover, consistently with what has just been stated, EU Regulation 679/16, in art. 17 par. 3, after having recognized the right to be forgotten, delimits its boundaries, providing, for what is relevant here, that such legal position can be omitted "for the fulfillment of a legal obligation [...] or for the performance of a task carried out in the public interest or in the exercise of public powers vested in the data controller" (letter b)) and "for reasons of public interest in the public health sector" (letter c) same paragraph)";

- "it is not possible to give a positive answer to the party's request, given that the prefectural administration, in processing those personal data, has: - fulfilled a legal obligation (art. 17 par. 3 letter b) first part of the EU Regulation cit., in conjunction with art. 223 c. 1 of the Highway Code); - performed an activity of public importance (art. 17 par. 3 letter b) at the end); - satisfied public health interests (art. 17 par. 3 letter c) in connection with art. 9)”;

- “the right to be forgotten was exercised by the private party with a request dated 7.2.23; this was followed by the response of this administration dated 27.4.23. It is true that the 30-day time limit referred to in art. 12 par. 3 EU Regulation was not respected, but, given the limited human and material resources that afflict the office, having exceeded the limit while remaining within the maximum period set by the legislation (30 ordinary days + 60 days of extraordinary extension) can be considered an omission of little importance, excusable or, at the very least, slightly negligent.

This is even more true if one takes into account the fact that the interested party is a single natural person and that the purposes and object of the processing relate to public aspects of certain importance, as indicated above”;

- “a corrective measure was promptly adopted, consisting in sending a more in-depth and detailed response to the party’s request […]; this was intended to eliminate any possible private prejudice”;

- “the unfoundedness of the party’s request on the merits for the reasons indicated cannot but be an element to be taken into account”.
The hearing requested by the Ministry with a note dated 20 November 2023 was subsequently held on 19 February 2024, during which the Ministry further specified that:

- “the offices of the Prefecture are called upon to process personal data in the context of a large number of administrative proceedings, which also relate to multiple sectors of intervention, due to the broad powers attributed to the Prefecture; in this context, it is also highlighted that the request to exercise the rights presented by the complainant does not fall within the ordinary activities carried out daily by the Prefecture and, for this reason, was probably not immediately classified within the due terms; it is also highlighted that the request to exercise the rights submitted by the complainant is the first received by this Office of the Prefecture”;

- “in the period in question […] the Office of the Prefecture affected by the complainant’s request was temporarily managed by another Manager - who simultaneously managed another equally strategic area - in place of the Office’s head; […] like many other administrations, the aforementioned Office suffers from a lack of personnel”;

- “in December 2023, the Minister of the Interior adopted a regulation relating to the processing of personal data (see decree of 15 December 2023, containing the discipline of the organizational structure of the structures and subjects in the matter of processing of personal data); furthermore, the Prefecture, also in light of the investigation started by the Authority, deemed it appropriate to raise awareness among all managers and employees regarding the discipline on the processing of personal data and the related obligations”;

- “in addition to the difficulties described above, […] it should be noted, on the merits, that the request for communication to the complainant pursuant to art. 12, par. 4, of the Regulation was not flagged in the form sent by the complainant and this led the Prefecture not to consider the 30-day deadline for the response as peremptory, given that, from a substantive point of view, the request for cancellation formulated by the complainant could not have been legitimately accepted. This is because the indication of the deadline for the revision of the driving license remains recorded in the “National Register of Qualified Drivers”, with an alert function for the validity of the license itself. The deadline for the revision of suspended licenses is set at the discretion of the competent Medical Commission and remains visible until the subject is issued a license with ordinary revision. The Medical Commission is responsible for establishing the frequency with which to repeat the visits; the minutes of the Medical Commission are sent to the Motor Vehicle Department, while they are sent to the Ministry of the Interior, so that the police can proceed with the cancellation of the data from the SDI”.

The Ministry has therefore requested, in this context, to proceed with the archiving of the administrative procedure, and, alternatively, the adoption of a corrective measure with the application of a sanction in the smallest possible amount.

3. Outcome of the investigation activity.

3.1 Applicable legislation.

Generally speaking, it should be noted that the processing of personal data carried out in the public sphere is lawful if it is necessary for the performance of a task of public interest with which the owner is entrusted (art. 6, par. 1, letter e), of the Regulation) and must, in any case, take place in compliance with the principles on the protection of personal data, including that of "lawfulness, fairness and transparency" according to which personal data must be "processed lawfully, fairly and transparently in relation to the data subject" (art. 5, par. 1, letter a), of the Regulation).

Furthermore, Articles 15 to 22 of the Regulation grant the data subject the right to request from the data controller access to personal data, rectification, erasure of the same, restriction of processing concerning him or her or to object to their processing, as well as the right to data portability, if the conditions are met.

These rights aim to make the data subject aware of the processing of data concerning him or her and, therefore, in a perspective of fairness and transparency towards the latter, it is necessary that the data controller provides appropriate and timely feedback even if the request submitted cannot be accepted.

Article 12, paragraph 3, of the Regulation establishes, in fact, that the data controller - regardless of whether the request of the data subject is well-founded or not - must provide feedback without unjustified delay and, in any case, no later than one month after receiving the request. This period may be extended by two months, if necessary, taking into account the complexity and number of requests, without prejudice to the fact that the data subject must be informed of such extension and of the reasons for the delay within one month of receiving the request.

If the data controller does not comply with the request of the data subject, it must, in any case, inform the data subject without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority, as well as of lodging a judicial remedy (cons. 59 and art. 12, par. 4, of the Regulation).

3.2 The Ministry's response to the request to exercise the rights formulated by the complainant.

From the assessment carried out on the basis of the elements acquired, the statements made and the facts that emerged following the investigative activity conducted, as well as the subsequent assessments of this Department, it is noted that the Ministry did not deem it necessary to respond to the interested party, among other things, "since the request for cancellation formulated by the complainant could not have been legitimately accepted [...]" (see minutes of the hearing of 19 February 2024), providing a communication to the interested party only after the requests formulated by the Authority, while, pursuant to art. 12, par. 3, of the Regulation, the response is due, within the terms provided, regardless of whether the request is well-founded or not.

For these reasons, it is established that the Ministry did not provide, within the terms prescribed by the aforementioned art. 12, par. 3, of the Regulation, the due response to the request to exercise the rights made by the complainant on 7 February 2023, sending the latter the due communications only on 17 July 2023. Therefore, the violation of art. 12, paragraphs 1, 3 and 4, of the Regulation is ascertained.

4. Conclusions.

In light of the assessments referred to above, taking into account the declarations made by the data controller during the investigation ˗ the truthfulness of which may be held accountable pursuant to art. 168 of the Code ˗ it is represented that the elements provided by the data controller in the defensive briefs do not allow to overcome the findings notified by the Office with the act of initiation of the proceeding and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of Regulation no. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the violation of art. 12, paragraphs 1, 3 and 4, of the Regulation by the Ministry of the Interior is found.

Having said this, taking into account that:

the violation concerned only one interested party and the request to exercise the rights submitted by the complainant is the first received by the Office of the Prefecture involved (see the minutes of the hearing of 19 February 2024);

the violation occurred in a particularly critical organizational context, in which the aforementioned Office was called upon to deal with a large number of functions and multiple sectors of intervention, in the absence of adequate staff and at a time of temporary replacement of management;

the data controller provided full cooperation to the Authority during the investigation and, following the same, took steps to raise awareness among all managers and employees regarding the discipline regarding the processing of personal data and the related obligations;

there are no previous relevant violations committed by the data controller or previous measures pursuant to art. 58 of the Regulation;

the circumstances of the specific case lead to qualifying this case as a “minor violation”, pursuant to cons. 148 of the Regulation and the “Guidelines on the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) no. 2016/679”, adopted by the Art. 29 Working Party on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with “Endorsement 1/2018” of 25 May 2018.

It is therefore believed, with respect to the case in question, that it is sufficient to warn the data controller pursuant to art. 58, par. 2, letter b), and 83, par. 2, of the Regulation, for having violated art. 12, parr. 1, 3 and 4 of the Regulation.

Considering that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2 of the Regulation do not exist.

Finally, it is noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, exist.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter f), declares unlawful the conduct held by the Ministry of the Interior, with headquarters in Palazzo del Viminale, C.F. 97149560589, 00184, Rome, described in the terms set out in the reasons, consisting in the violation of art. 12, par. 1, 3 and 4 of the Regulation;

b) pursuant to art. 58, par. 2, letter b), of the Regulation, warns the Ministry of the Interior, as the data controller in question, for having violated art. 12, par. 1, 3 and 4, of the Regulation, as described above;

c) believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 26 September 2024

THE PRESIDENT
Stanzione

THE REPORTER
Cerrina Feroni

THE GENERAL SECRETARY
Mattei

[web doc. no. 10066215]

Measure of 26 September 2024

Register of measures
no. 587 of 26 September 20204

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councillor Fabio Mattei, general secretary;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the Personal Data Protection Code (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation no. 1/2019”);

SEEN the documentation in the files;

SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data (web doc. no. 1098801);

REPORTER Prof. Ginevra Cerrina Feroni;

WHEREAS

1. The complaint.

With a complaint submitted pursuant to art. 77 of the Regulation, Mr. XX complained about the lack of response by the Ministry of the Interior - Prefecture of Rome (hereinafter, “Ministry” or “Prefecture”) and the ASL of Rome 1 (hereinafter, “ASL”) to a request, submitted pursuant to art. 17 of the Regulation, concerning the exercise of the right to erasure of his personal data.

In particular, on 7 February 2023, the complainant requested the Prefecture and the ASL "to delete the personal data from the databases of the Prefecture and the competent ASL", stating that "On 09.09.2009 the Police of the Municipality of [omissis] withdrew the undersigned's driving license because (...) he was in a state of drunkenness. 13 (thirteen) years have passed since then and the undersigned has scrupulously followed the complete rehabilitation process provided for by Italian law. The undersigned is not a repeat offender (...) but his personal data is still present in the Prefecture's lists relating to this crime. To date, neither the competent ASL nor the Prefecture have removed such personal data, in an eternal exchange of responsibilities and competences". The complainant has attached, in this regard, a copy of the statute of limitations for the crime issued by the competent Court.

On 15 February 2023, the ASL contacted provided feedback to the interested party stating that it was impossible to "proceed (...) with the deletion of the data held at the Rome 1 Local Medical Commission as the current legislation establishes that the relevant file must be kept for at least twenty years. Since this is a case closed in 2019, the deletion of the data cannot take place before 2039". However, no response to the aforementioned request to exercise the rights was received from the Ministry of the Interior.

2. The preliminary investigation.

That said, with a note dated 11 April 2023, the Authority formulated a request for information to the Ministry pursuant to art. 157 of the Code), aimed at acquiring any useful element for assessing the case, also inviting the Ministry, pursuant to art. 15 of Regulation no. 1/2019, to adhere to the request to exercise the rights presented by the complainant. Subsequently, with a note dated 27 April 2023, the Prefecture represented to the Authority that it had "arranged for Mr. XX to undergo a medical examination, the temporary suspension of the validity of the driving license and proceeded, as provided for by art. 223 c. 1, to update the National Registry", declaring that it had "limited itself exclusively to entering the data in the aforementioned Registry which is not accessible to third parties, but only to authorized administrative personnel".

However, in the absence of evidence of any response from the Ministry to the request to exercise the rights presented by the complainant, the Authority, with a note dated 20 May 2023, formulated a further request for information, following which the Ministry, with a note dated 17 July 2023, provided the necessary response, representing to the complainant that it had "provided for the data to be entered exclusively" in the National Register of Drivers, which "is not accessible to third parties, but only to authorised administrative personnel" and that, furthermore, there was "no "list" published on its institutional website".

On the basis of the elements acquired, the Office notified the Ministry of the Interior - Prefecture of Rome, with a note dated 20 October 2023, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, contesting the Ministry for the violation of art. 12, paragraphs 1, 3 and 4, of the Regulation, for having late found the request for exercise of rights presented by the complainant pursuant to the aforementioned art. 17.

In this context, the Office invited the Ministry to produce defensive writings or documents or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981). The Ministry therefore, with a note dated 6 October 2023, transmitted its defensive briefs, representing, in particular, that:

- “the office, as per the regulatory provisions (art. 223 c. 1 of the Highway Code, but see also art. 226 paragraphs 10 and following and, in particular, paragraph 12 which cites the prefectures), has, among other things, fulfilled the obligation to communicate to the national registry of those authorised to drive”;

- “the registry is not freely accessible by third parties: no personal data can be drawn from it; therefore, no impairment of the right to privacy can be envisaged. The right to be forgotten has a reason to exist only if there is a public potentially capable of obtaining the information - an aspect completely absent in the dispute in question. Moreover, consistently with what has just been stated, EU Regulation 679/16, in art. 17 par. 3, after having recognized the right to be forgotten, delimits its boundaries, providing, for what is relevant here, that such legal position can be omitted "for the fulfillment of a legal obligation [...] or for the performance of a task carried out in the public interest or in the exercise of public powers vested in the data controller" (letter b)) and "for reasons of public interest in the public health sector" (letter c) same paragraph)";

- "it is not possible to give a positive answer to the party's request, given that the prefectural administration, in processing those personal data, has: - fulfilled a legal obligation (art. 17 par. 3 letter b) first part of the EU Regulation cit., in conjunction with art. 223 c. 1 of the Highway Code); - performed an activity of public importance (art. 17 par. 3 letter b) at the end); - satisfied public health interests (art. 17 par. 3 letter c) in connection with art. 9)”;

- “the right to be forgotten was exercised by the private party with a request dated 7.2.23; this was followed by the response of this administration dated 27.4.23. It is true that the 30-day time limit referred to in art. 12 par. 3 EU Regulation was not respected, but, given the limited human and material resources that afflict the office, having exceeded the limit while remaining within the maximum period set by the legislation (30 ordinary days + 60 days of extraordinary extension) can be considered an omission of little importance, excusable or, at the very least, slightly negligent.

This is even more true if one takes into account the fact that the interested party is a single natural person and that the purposes and object of the processing relate to public aspects of certain importance, as indicated above”;

- “a corrective measure was promptly adopted, consisting in sending a more in-depth and detailed response to the party’s request […]; this was intended to eliminate any possible private prejudice”;

- “the unfoundedness of the party’s request on the merits for the reasons indicated cannot but be an element to be taken into account”.
The hearing requested by the Ministry with a note dated 20 November 2023 was subsequently held on 19 February 2024, during which the Ministry further specified that:

- “the offices of the Prefecture are called upon to process personal data in the context of a large number of administrative proceedings, which also relate to multiple sectors of intervention, due to the broad powers attributed to the Prefecture; in this context, it is also highlighted that the request to exercise the rights presented by the complainant does not fall within the ordinary activities carried out daily by the Prefecture and, for this reason, was probably not immediately classified within the due terms; it is also highlighted that the request to exercise the rights submitted by the complainant is the first received by this Office of the Prefecture”;

- “in the period in question […] the Office of the Prefecture affected by the complainant’s request was temporarily managed by another Manager - who simultaneously managed another equally strategic area - in place of the Office’s head; […] like many other administrations, the aforementioned Office suffers from a lack of personnel”;

- “in December 2023, the Minister of the Interior adopted a regulation relating to the processing of personal data (see decree of 15 December 2023, containing the discipline of the organizational structure of the structures and subjects in the matter of processing of personal data); furthermore, the Prefecture, also in light of the investigation started by the Authority, deemed it appropriate to raise awareness among all managers and employees regarding the discipline on the processing of personal data and the related obligations”;

- “in addition to the difficulties described above, […] it should be noted, on the merits, that the request for communication to the complainant pursuant to art. 12, par. 4, of the Regulation was not flagged in the form sent by the complainant and this led the Prefecture not to consider the 30-day deadline for the response as peremptory, given that, from a substantive point of view, the request for cancellation formulated by the complainant could not have been legitimately accepted. This is because the indication of the deadline for the revision of the driving license remains recorded in the “National Register of Qualified Drivers”, with an alert function for the validity of the license itself. The deadline for the revision of suspended licenses is set at the discretion of the competent Medical Commission and remains visible until the subject is issued a license with ordinary revision. The Medical Commission is responsible for establishing the frequency with which to repeat the visits; the minutes of the Medical Commission are transmitted to the motorization, while to the Ministry of the Interior they are transmitted, so that the police can proceed with the cancellation of the data from the SDI”.

The Ministry has therefore requested, in this context, to proceed with the archiving of the administrative procedure, and, secondarily, the adoption of a corrective measure with the application of a sanction in the smallest possible amount.

3. Outcome of the preliminary investigation.

3.1 Applicable legislation.

In general, it should be noted that the processing of personal data carried out in the public sphere is lawful if it is necessary for the performance of a task of public interest with which the controller is entrusted (Article 6, paragraph 1, letter e), of the Regulation) and must, in any case, take place in compliance with the principles on the protection of personal data, including that of "lawfulness, fairness and transparency" according to which personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject" (Article 5, paragraph 1, letter a), of the Regulation).

Furthermore, Articles 15 to 22 of the Regulation grant the data subject the right to request from the data controller access to personal data, rectification, erasure of the same, restriction of processing concerning him or her or to object to their processing, as well as the right to data portability, if the conditions are met.

These rights aim to make the interested party aware of the processing of data concerning him and, therefore, in a perspective of fairness and transparency towards the latter, it is necessary that the data controller provides appropriate and timely feedback even where the request submitted cannot be accepted.

Article 12, paragraph 3, of the Regulation establishes, in fact, that the data controller - regardless of whether the request of the interested party is well-founded or not - must provide feedback without unjustified delay and, in any case, no later than one month from receipt of the request. This deadline may be extended by two months, if necessary, taking into account the complexity and number of requests, without prejudice to the fact that the interested party must be informed of such extension and of the reasons for the delay within one month from receipt of the request.

If the data controller does not comply with the request of the data subject, the data controller must, in any case, inform the data subject without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority, as well as of lodging a judicial remedy (cons. 59 and art. 12, par. 4, of the Regulation).

3.2 The Ministry's response to the request to exercise the rights formulated by the complainant.

From the assessment carried out on the basis of the elements acquired, the statements made and the facts that emerged following the investigative activity conducted, as well as the subsequent assessments of this Department, it is noted that the Ministry did not deem it necessary to respond to the interested party, among other things, "since the request for cancellation formulated by the complainant could not have been legitimately accepted [...]" (see minutes of the hearing of 19 February 2024), providing a communication to the interested party only after the requests formulated by the Authority, while, pursuant to art. 12, par. 3, of the Regulation, the response is due, within the terms provided, regardless of whether the request is well-founded or not.

For these reasons, it is established that the Ministry did not provide, within the terms prescribed by the aforementioned art. 12, par. 3, of the Regulation, the due response to the request to exercise the rights made by the complainant on 7 February 2023, sending the latter the due communications only on 17 July 2023. Therefore, the violation of art. 12, paragraphs 1, 3 and 4, of the Regulation is ascertained.

4. Conclusions.

In light of the assessments referred to above, taking into account the declarations made by the data controller during the investigation ˗ the truthfulness of which may be held accountable pursuant to art. 168 of the Code ˗ it is represented that the elements provided by the data controller in the defensive briefs do not allow to overcome the findings notified by the Office with the act of initiation of the proceeding and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of Regulation no. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the violation of art. 12, paragraphs 1, 3 and 4, of the Regulation by the Ministry of the Interior is found.

Having said this, taking into account that:

the violation concerned only one interested party and the request to exercise the rights submitted by the complainant is the first received by the Office of the Prefecture involved (see the minutes of the hearing of 19 February 2024);

the violation occurred in a particularly critical organizational context, in which the aforementioned Office was called upon to deal with a large number of functions and multiple sectors of intervention, in the absence of adequate staff and at a time of temporary replacement of management;

the data controller provided full cooperation to the Authority during the investigation and, following the same, took steps to raise awareness among all managers and employees regarding the discipline regarding the processing of personal data and the related obligations;

there are no previous relevant violations committed by the data controller or previous measures pursuant to art. 58 of the Regulation;

the circumstances of the specific case lead to qualifying this case as a “minor violation”, pursuant to cons. 148 of the Regulation and the “Guidelines on the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) no. 2016/679”, adopted by the Art. 29 Working Party on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with “Endorsement 1/2018” of 25 May 2018.

It is therefore believed, with respect to the case in question, that it is sufficient to warn the data controller pursuant to art. 58, par. 2, letter b), and 83, par. 2, of the Regulation, for having violated art. 12, parr. 1, 3 and 4 of the Regulation.

Considering that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2 of the Regulation do not exist.

Finally, it is noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, exist.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter f), declares unlawful the conduct held by the Ministry of the Interior, with headquarters in Palazzo del Viminale, C.F. 97149560589, 00184, Rome, described in the terms set out in the reasons, consisting in the violation of art. 12, par. 1, 3 and 4 of the Regulation;

b) pursuant to art. 58, par. 2, letter b), of the Regulation, warns the Ministry of the Interior, as the data controller in question, for having violated art. 12, par. 1, 3 and 4, of the Regulation, as described above;

c) believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 26 September 2024

THE PRESIDENT
Stanzione

THE REPORTER
Cerrina Feroni

THE SECRETARY GENERAL
Mattei