Garante per la protezione dei dati personali (Italy) - 10068155

From GDPRhub
Garante per la protezione dei dati personali - 10068155
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(15) GDPR
Article 5 GDPR
Article 6 GDPR
Article 9(2)(b) GDPR
Art. 2-ter D.Lgs. 196/2003
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 26.09.2024
Fine: 10,000 EUR
Parties: Comune di Verona
National Case Number/Name: 10068155
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: ligialagev

The DPA fined a municipality €10,000 for unlawfully disclosing an employee's disability status and other health data to the employee’s colleagues. The DPA ordered the municipality to implement appropriate measures to prevent unauthorised disclosures in the future.

English Summary

Facts

The data subject is an employee of the Municipality of Verona (the controller). Via email, the data subject requested the controller to provide him with a new FFP2 mask and mentioned his health conditions in this message.

When a municipal officer replied to the email, they cc'd the email account of the controller's warehouse. This email address was shared among 6 other employees. In this response, the officer mentioned the fact that the data subject suffered from certain illnesses and referenced to the Italian law regulating disability benefits (Law 104/1992 - Legge 104/1992), implying that the data subject was entitled to them.

Believing that sharing this data with other employees of the controller was unlawful, the data subject filed a complaint with the DPA.

The controller argued that it had referenced to the Law 104 only in a generic way, not specifically stating that it applied to the data subject. Moreover, it pointed out that after realizing the mistake, its officer sent subsequent communications only to the data subject.

Holding

First, the DPA pointed out that referring to the Italian Law 104/1992, notoriously known in Italy for entitling to disability benefits, combined with the reference to the fact that data subject was suffering from "illnesses", is enough affirm that the email contained health data as defined by Article 4(15) GDPR.

Secondly, the DPA noted that, pursuant to Article 2-ter of the Italian Data Protection Code, a public administration can disclose personal data only if a specific piece of legislation authorises it to do so.

On this point, the DPA held that, even though the recipients of the email were employees of the controller, this rule however applies. Pursuant to the data minimisation principle, the controller should share personal data among its employees only when that specific employee needs to know the information.

The DPA held that in the case at hand this did not happen, since the data was disclosed to the warehouse employees, that did not need to know the data subject's health and disability status. The DPA emphasized that colleagues' potential prior knowledge of the employee's health condition was irrelevant.

Therefore, the DPA found a violation of Articles 5, 6 and 9(2)(b) GDPR and of Article 2-ter of the Italian Data Protection Code.

On these grounds, the DPA fined the controller €10,000 and ordered the controller to implement appropriate measures to prevent unauthorized internal circulation of employees' health data, even when such information might be already known to colleagues through workplace interactions.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10068155]

Provision of 26 September 2024

Register of provisions
no. 606 of 26 September 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. Introduction.

With a complaint submitted pursuant to art. 77 of the Regulation, Mr. XX complained, through his lawyer, that the Municipality of Verona (hereinafter “Municipality”), where he works, had communicated his personal data including the circumstance of availing himself of the benefits provided for by law no. 5 February 1992. 104.

In particular, it was stated that, following a request by the complainant for a new FFP2 mask, sent via email exclusively to XX's email address - in which he also made explicit reference to "my well-known pathologies" - the latter replied, "adding to the recipients, albeit "for information" the email address called magazzinoeconomato@comune.verona.it", referring, in the same email, to the existence of the aforementioned pathologies in the complainant's head and, furthermore, stating that there were no "special provisions for those protected by law 104".

2. The investigative activity.

In response to a request for information from the Authority, the Municipality, with note prot. no. XX of XX, stated, in particular, that

- “the “magazzinoeconomato” mailbox to which the email dated XX at XX hours was addressed for information[…], is an internal mailbox for the service of the economal warehouse (not accessible to the other offices of the aforementioned Directorate), used only for organizational and management purposes of the same warehouse and for communications concerning the employees of the same, without the possibility of access by third parties and/or disclosure to other personnel other than those authorized, even if employed by the same Directorate (not even XX has access to it)”;

- “in the period in question, the people who could access and use the mailbox were 6 (including Mr. XX): XX with specific responsibility for the warehouse; the person in charge of the furnishings (kept in the same warehouse); the other two warehouse employees, in addition to a third who in the meantime was transferred to another Directorate and subsequently disabled”;

- “given that the above-mentioned personnel, like any municipal employee, is in any case required to maintain confidentiality regarding the activities and/or procedures and/or internal news/communications of the various offices, XX, given that the purpose of the email was to give general instructions on the behavior to be observed within the warehouse […], had considered that the communication for information to the “magazzinoeconomato” email address was the appropriate tool to achieve this purpose”;

- “the disputed email dated XX at XX […], followed other emails in which Mr. XX requested the supply of FFP2 masks. The aforementioned email of July 30 was addressed to Mr. XX, a category D official, as the Manager of the economato warehouse, as well as holder of the organizational position “Manager of Transport Services and Set-up of Institutional Events” and, for information, to the “magazzinoeconomato” email address, in order to give specific instructions to the managers and warehouse workers regarding the general behavior to be observed in relation to the covid emergency”;

- “in the second part of the email, in response to the request for the supply of FFP2 masks, XX intended to clarify that at that specific time and on that specific PPE there was no particular provision, not even for certain categories of employees such as, for example, those protected by Law 104. No direct reference was made to a possible granting of this benefit to Mr. XX, who, moreover, had not forwarded any request in this sense either to the User Contracts Purchasing Department or to the Personnel Manager”.

With a note from XX, the Authority, on the basis of the elements acquired, the checks carried out and the facts that emerged following the investigation, notified the Municipality pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, for having communicated information also regarding the health of the complainant in a manner not compliant with the principle of "lawfulness, correctness and transparency", as well as "data minimization", and in the absence of an appropriate legal basis, in violation of Articles 5, 6 and 9 par. 2 letter b) of the Regulation, as well as 2-ter and 2-sexies of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021 and in the text currently in force).

With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981).

With a note from XX, the Municipality, which did not request to be heard, presented a defense brief, declaring, in particular, that:

- “the conduct carried out by XX must be considered, as an isolated case, placed outside the prescriptions of conduct imposed by this Owner and that it must in fact be considered absolutely isolated with respect to the normal action of the Entity”;

- “what is reported finds further evidence, right in the minutes in the documents of XX, in which it is clear that on that date, the then RPD/DPO of the Entity met XX in question, verbally reminding him of the provisions in force on the matter”;

- "as further proof of the absolutely fortuitous nature of the event, XX during that meeting stated that she had immediately realized it and shortly after (1.26 pm) the aforementioned email of 12.40 wrote to the interested party Mr. XX as the sole recipient of subsequent communications";

- "although we are aware that the data processing carried out by XX does not comply with the provisions of the current legislation and company regulations, it is nevertheless important to highlight that the aforementioned authorized person, in replying to the email of the interested party Mr. XX, informing the department, made the mistake in good faith that, even if colleagues in the same sector in question were aware of the health problems of the aforementioned, said information should not have been processed, because it is not only a violation to reveal data because it is not known, but also to carry out a processing without an appropriate legal basis, as well as carried out using unsuitable tools";

- “with regard to the reference to Law 104, it is instead specified that XX has expressed a general directive to the department that deals with the distribution of masks and that, therefore, the FFP2 type masks could not be recognized simply because they held that status”;

- “it is also highlighted that neither this Data Controller nor the then RPD/DPO of the Entity nor the Municipal Privacy Office were aware of the incident before the note prot. no. XX of this Authority”.

3. Outcome of the investigation activity.

The personal data protection regulation provides that public bodies, within the context of the work context, can process the personal data of the interested parties, even relating to particular categories, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks provided for by the law or by the law of the Union or of the Member States (articles 6, paragraph 1, letter c), 9, paragraph 2, letter e). b) and 4 and 88 of the Regulation). Furthermore, processing is lawful when it is “necessary for the performance of a task carried out in the public interest or in connection with the exercise of public authority vested in the data controller” (Article 6, paragraphs 1, letter e), 2 and 3, and Article 9, paragraph 2, letter g), of the Regulation; Article 2-ter of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts that are the subject of the complaint and Article 2-sexies, paragraph 1, of the Code).

European legislation provides that “Member States may maintain or introduce more specific provisions to adapt the application of the rules of […] Regulation with regard to processing, in accordance with paragraph 1, letters c) and e), by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing […]” (Article 6, paragraph 2, of the Regulation). In this regard, it should be noted that the operation of “communication” of personal data, by public bodies, is permitted only when provided for by a law or, in the cases provided for by law, by regulation (see Article 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts subject to the complaint).

With regard to special categories of personal data, processing is, as a rule, permitted, in addition to fulfilling specific obligations “in the field of employment law […] to the extent that it is authorised by law […] in the presence of appropriate safeguards” (Article 9, paragraph 2, letter b), of the Regulation), also when “necessary for reasons of substantial public interest on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject” (Article 9, paragraph 2, letter g), of the Regulation).

The employer, the data controller, is, in any case, required to comply with the general principles regarding the protection of personal data (art. 5 of the Regulation) and must process the data through “authorized” and “trained” personnel regarding access and processing of the data (art. 4, point 10), 29, and 32, par. 4, of the Regulation).

As can be seen from the documents and statements made by the data controller during the investigation, as well as from the investigation carried out on the basis of the elements acquired, following the investigation and subsequent assessments by this Department, the Municipality sent a communication, not only to the interested party, but also to the mailbox magazzinoeconomato@comune.verona.it, containing information relating to the complainant, including health, as, in the same email, reference is made to "his pathologies" and to the specific provisions provided for those protected by Law 104 of 1992.

In general, since 2007 the Guarantor has clarified that the administration must adopt technical and organizational measures to prevent the unjustified knowledge of personal data of its employees by other colleagues or third parties, in order to avoid the undue circulation of personal information - in this case concerning information relating to the health of the complainant - not only externally, but also within the working contexts by unauthorized persons. (see, points 2, 4, 5.1 and 5.3 of the “Guidelines on the processing of personal data of workers for the purposes of managing the employment relationship in the public sector”, dated 14 June 2007, published in the Official Journal 13 July 2007, no. 161, and in www.garanteprivacy.it, web doc. no. 1417809).

In this regard, according to the consolidated orientation of the Guarantor (see, provisions of 18 October 2012, no. 296, web doc. no. 2174351 and no. 297, web doc. no. 2174582, as well as provision of 8 May 2013, no. 232, web doc. no. 2501216, provision of 3 October 2013, no. 431, web doc. 2747867 and, lastly, provision of 31 July 2014, no. 392, web doc. no. 3399423), recently confirmed in numerous provisions on individual cases, the personal data of employees processed for the purposes of managing the employment relationship cannot, as a rule, be disclosed to persons other than those who are part of the specific employment relationship (see definitions of "personal data" and “interested party”, contained in art. 4, par. 1, n. 1, of the Regulation), or those who - also taking into account the definition of “third party”, contained in art. 4, par. 1, n. 10, of the Regulation - are not entitled to process them by virtue of the tasks assigned and the organizational choices of the data controller (see, provision no. 43 of 23 February 2023, web doc. no. 9868646 as well as provision no. 322 of 16 September 2021, web doc. no. 9711517, provision no. 214 of 27 May 2021 web doc. 9689234 but see also provision no. 105 of 18 June 2020, web doc. no. 9444865 and provisions of 24 March 2022, prot. no. 98 web doc. no. 976305 and of 11 February 2021, no. 50 web doc. no. 9562866).

This is because, as confirmed by the Guarantor in numerous provisions, even the provision of data to subjects who, although part of the organization of the data controller, due to the role performed and the functions performed, cannot be considered "authorized" to process (see Articles 4, no. 10, 28, par. 3, letter b), 29 and 32, par. 4, of the Regulation, as well as Article 2-quaterdecies of the Code), may give rise to a communication of personal data in the absence of a legal basis. Information regarding workers in the context of the work context may be known within the employer's organization to the extent that, in light of the applicable legislation, those who are made aware of it are entitled to process it in consideration of the functions attributed, the institutional role performed as well as any responsibilities that, to varying degrees, fall upon them. Therefore, the employer is required, in any case, to adopt suitable measures, including organizational ones, to ensure that no unjustified circulation of information occurs in the work context or behaviors inspired by mere curiosity.

With reference, in particular, to data relating to health, in recalling that, pursuant to art. 4 par.1, n. 15 of the Regulation, health data are considered "personal data relating to the physical and mental health of a natural person, including the provision of health care services, which reveal information on his or her state of health", it should be noted that, as clarified by the Guarantor in numerous provisions, also the reference to law 104, which notoriously regulates benefits and guarantees for the assistance, social and work integration of disabled people or their family members, allows information to be obtained on the state of health of a person (see in this regard, provision of 1 September 2022, no. 290 web doc. 9811361, provision of 28 April 2022, no. 150, web doc. no. 9777200 and provision of 28 May 2020, no. 92, web doc. no. 9434609). Even though the Municipality stated that “no direct reference was made to a possible granting of such a benefit to Mr. XX”, the simple reference, even indirect, to the use of such a benefit may entail a communication of data relating to health, considering, moreover, that the contested email made express reference to “his pathologies”, meaning the pathologies of the complainant.

For these reasons, the Municipality, which processes the aforementioned information through authorized personnel only within the scope of the specific obligations and rights of the owner and the interested party, in matters of labor law (art.9, par.2 letter b) of the Regulation and not instead pursuant to letter g) of the same article, as well as art.2-sexies of the Code), has made personal data, including health-related data, of the interested party known in an unjustified manner to other employees, colleagues of the complainant (i.e. to all the personnel of the “economic warehouse” office without distinction).

Nor can the statement regarding the fact that “colleagues in the same sector in question were aware of the health problems” of the complainant be considered relevant for the purposes of assessing the employer’s overall conduct, as expressly highlighted by the Municipality in its defense briefs of. XX, specifying that “this information should not have been processed, because not only disclosing data because it is not known constitutes a violation, but also carrying out processing without an appropriate legal basis, as well as carried out using unsuitable tools”.

In light of the foregoing considerations, this conduct led to the communication of information regarding the complainant’s health – also with regard to the circumstance, even if only indirectly deducible, that the complainant enjoyed the benefits provided for by regulatory provisions such as those of Law no. 104 of 1992, which, notoriously, regulates aid and guarantees for the assistance, social and work integration of disabled people or their family members (see, among others, provisions of 27 April 2023, no. 168, web doc 9896845 and of 11 January 2023, no. 3 web doc no. 9857610, and provisions referred to therein) in violation of articles 5, 6 and 9 par. 2 letter b) of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts which are the subject of the complaint).

4. Conclusions.

In light of the assessments referred to above, it is noted that the declarations made by the data controller during the investigation ˗ the truthfulness of which one can be held accountable pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow to overcome the findings notified by the Office with the act of initiation of the proceeding and are insufficient to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor n. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality is noted, for having communicated personal data of the interested party, including health data, in a manner not compliant with the principle of "lawfulness, correctness and transparency", as well as "data minimization", and in the absence of an appropriate legal basis, in violation of arts. 5, 6 and 9 par. 2 lett. b) of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts that are the subject of the complaint).

Taking into account that the violation of the aforementioned provisions occurred as a result of a single conduct, art. 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the violations are all subject to the sanction provided for by art. 83, paragraph 5, of the Regulation, as also referred to in art. 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to €20,000,000.

In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation do not exist.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (art. 58, par. 2, letters i and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, letters i) and 83 of the Regulation as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the [Garante] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Garante pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Garante Regulation no. 1/2019).

In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation.
The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.

Taking into account that:

- with specific regard to the nature, gravity and duration of the violation, it must be considered that the communication of personal data concerned only one interested party (see art. 83, par. 2, letter a), of the Regulation);

- with specific regard to the subjective profile, the violation is negligent, the owner admitting "that the data processing carried out by XX does not comply with the provisions of the legislation in force and the company regulations" and the conduct was the result of an isolated error (art. 83, par. 2, letter b of the Regulation);

it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60). 

That said, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into account:

- the Municipality offered a good level of cooperation with the Authority during the investigation, also declaring that the Data Protection Officer has taken steps to raise awareness among the parties involved regarding the principles of personal data protection and the measures to be taken to prevent similar errors from occurring in the future (Article 83, paragraph 2, letter f), of the Regulation);

- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures pursuant to Article 58 of the Regulation (Article 83, paragraph 2, letter e), of the Regulation);

- the violation occurred in a context characterized by numerous organizational difficulties related to the problems of the emergency period due to the spread of the Sars Cov 2 virus (Article 83, paragraph 2, letter k), of the Regulation);

In light of the aforementioned elements, assessed as a whole, it is believed that the amount of the pecuniary sanction should be determined in the amount of 10,000 (ten thousand) euros for the violation of Articles 5, 6 and 9 of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to Article 83, paragraph 1, of the Regulation, effective, proportionate and dissuasive.

In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor n. 1/2019, this chapter containing the injunction order should be published on the website of the Guarantor.

This is in consideration of the specific circumstance that the communication concerned delicate matters relating to the employment relationship of the interested party and information also referring to particular categories of data.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 exist.

GIVEN ALL THE ABOVE, THE GUARANTOR

- declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing of personal data carried out by the Municipality of Verona, due to violation of articles 5, 6 and 9 par. 2 letter b) of the Regulation, as well as 2-ter of the Code in the terms set out in the reasons;

ORDER

- to the Municipality of Verona, in the person of its legal representative pro-tempore, with registered office in Piazza Bra, 1 - 37121 Verona (VR), C.F. 00215150236, for violation of articles 5, 6 and 9 par. 2 letter b) of the Regulation, as well as 2-ter of the Code within the terms set out in the reasons;

ORDER

- to the aforementioned Municipality, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 10,000 (ten thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981. It is represented that, pursuant to art. 166, paragraph 8, of the Code, the right of the offender to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.

ORDERS

- pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

- pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Authority;

- pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, par. 2 of the Regulation, in the internal register of the Authority provided for by art. 57, par. 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 26 September 2024

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE GENERAL SECRETARY
Mattei

[web doc. no. 10068155]

Provision of 26 September 2024

Register of provisions
n. 606 of 26 September 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. Introduction.

With a complaint submitted pursuant to art. 77 of the Regulation, Mr. XX complained, through his lawyer, that the Municipality of Verona (hereinafter “Municipality”), where he works, had communicated his personal data including the circumstance of availing himself of the benefits provided for by law no. 5 February 1992. 104.

In particular, it was represented that, following a request by the complainant for a new FFP2 type mask, sent via email exclusively to XX's email address - in which he also made explicit reference to "my well-known pathologies" - the latter replied, "adding to the recipients, albeit "for information" the email address called magazzinoeconomato@comune.verona.it", referring, in the same email, to the existence of the aforementioned pathologies in the complainant's head and, furthermore, representing that there were no "special provisions for those protected by law 104".

2. The investigative activity.

In response to a request for information from the Authority, the Municipality, with note prot. no. XX of XX, declared, in particular, that

- “the “magazzinoeconomato” mailbox to which the email dated XX at XX hours was addressed for information[…], is an internal mailbox for the service of the economal warehouse (not accessible to the other offices of the aforementioned Directorate), used only for organizational and management purposes of the same warehouse and for communications concerning the employees of the same, without the possibility of access by third parties and/or disclosure to other personnel other than those authorized, even if employed by the same Directorate (not even XX has access to it)”;

- “in the period in question, the people who could access and use the mailbox were 6 (including Mr. XX): XX with specific responsibility for the warehouse; the person in charge of the furnishings (kept in the same warehouse); the other two warehouse employees, in addition to a third who in the meantime was transferred to another Directorate and subsequently disabled”;

- “given that the above-mentioned personnel, like any municipal employee, is in any case required to maintain confidentiality regarding the activities and/or procedures and/or internal news/communications of the various offices, XX, given that the purpose of the email was to give general instructions on the behavior to be maintained within the warehouse […], had considered that the communication for information to the “magazzinoeconomato” mailbox was the appropriate tool to achieve this purpose”;

- “the disputed email dated XX at XX […], followed other emails in which Mr. XX requested the supply of FFP2 masks. The aforementioned email of July 30 was addressed to Mr. XX, a category D official, as the Manager of the economato warehouse, as well as holder of the organizational position “Manager of Transport Services and Set-up of Institutional Events” and, for information, to the “magazzinoeconomato” mailbox, in order to give specific instructions to the managers and warehouse workers regarding the general behavior to be maintained in relation to the covid emergency”;

- “in the second part of the email, in response to the request for the supply of FFP2 masks, XX intended to clarify that at that specific time and on that specific PPE there was no particular provision, not even for certain categories of employees such as, for example, those protected by Law 104. No direct reference was made to a possible granting of this benefit to Mr. XX, who, moreover, had not forwarded any request in this sense either to the User Contracts Purchasing Department or to the Personnel Manager”.

With a note from XX, the Authority, on the basis of the elements acquired, the checks carried out and the facts that emerged following the investigation, notified the Municipality pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, for having communicated information also regarding the health of the complainant in a manner not compliant with the principle of "lawfulness, correctness and transparency", as well as "data minimization", and in the absence of an appropriate legal basis, in violation of Articles 5, 6 and 9 par. 2 letter b) of the Regulation, as well as 2-ter and 2-sexies of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021 and in the text currently in force).

With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981).

With a note from XX, the Municipality, which did not request to be heard, presented a defense brief, declaring, in particular, that:

- “the conduct carried out by XX must be considered, as an isolated case, placed outside the prescriptions of conduct imposed by this Owner and that it must in fact be considered absolutely isolated with respect to the normal action of the Entity”;

- “what is reported finds further evidence, right in the minutes in the documents of XX, in which it is clear that on that date, the then RPD/DPO of the Entity met XX in question, verbally reminding him of the provisions in force on the matter”;

- "as further proof of the absolutely fortuitous nature of the event, XX during that meeting stated that she had immediately realized it and shortly after (1.26 pm) the aforementioned email of 12.40 wrote to the interested party Mr. XX as the sole recipient of subsequent communications";

- "although we are aware that the data processing carried out by XX does not comply with the provisions of the current legislation and company regulations, it is nevertheless important to highlight that the aforementioned authorized person, in replying to the email of the interested party Mr. XX, informing the department, made the mistake in good faith that, even if colleagues in the same sector in question were aware of the health problems of the aforementioned, said information should not have been processed, because it is not only a violation to reveal data because it is not known, but also to carry out a processing without an appropriate legal basis, as well as carried out using unsuitable tools";

- “with regard to the reference to Law 104, it is instead specified that XX has expressed a general directive to the department that deals with the distribution of masks and that, therefore, the FFP2 type masks could not be recognized simply because they held that status”;

- “it is also highlighted that neither this Data Controller nor the then RPD/DPO of the Entity nor the Municipal Privacy Office were aware of the incident before the note prot. no. XX of this Authority”.

3. Outcome of the investigation activity.

The personal data protection regulation provides that public bodies, within the context of the work context, can process the personal data of the interested parties, even relating to particular categories, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks provided for by the law or by the law of the Union or of the Member States (articles 6, paragraph 1, letter c), 9, paragraph 2, letter e). b) and 4 and 88 of the Regulation). Furthermore, processing is lawful when it is “necessary for the performance of a task carried out in the public interest or in connection with the exercise of public authority vested in the data controller” (Article 6, paragraphs 1, letter e), 2 and 3, and Article 9, paragraph 2, letter g), of the Regulation; Article 2-ter of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts that are the subject of the complaint and Article 2-sexies, paragraph 1, of the Code).

European legislation provides that “Member States may maintain or introduce more specific provisions to adapt the application of the rules of […] Regulation with regard to processing, in accordance with paragraph 1, letters c) and e), by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing […]” (Article 6, paragraph 2, of the Regulation). In this regard, it should be noted that the operation of “communication” of personal data, by public bodies, is permitted only when provided for by a law or, in the cases provided for by law, by regulation (see Article 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts subject to the complaint).

With regard to special categories of personal data, processing is, as a rule, permitted not only to fulfill specific obligations “in the field of employment law […] to the extent authorised by law […] in the presence of appropriate safeguards” (Article 9, paragraph 2, letter b), of the Regulation), but also where “necessary for reasons of substantial public interest on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject” (Article 9, paragraph 2, letter g), of the Regulation).

The employer, the data controller, is, in any case, required to comply with the general principles on the protection of personal data (Article 5 of the Regulation) and must process the data through “authorised” and “trained” personnel regarding access to and processing of data (Articles 4, point 10), 29, and 32, paragraph 1). 4, of the Regulation).

As can be seen from the documents and statements made by the data controller during the investigation, as well as from the investigation carried out on the basis of the elements acquired, following the investigation and subsequent assessments by this Department, the Municipality sent a communication, not only to the interested party, but also to the mailbox magazzinoeconomato@comune.verona.it, containing information relating to the complainant, including health, as, in the same email, reference is made to "his pathologies" and to the specific provisions provided for those protected by Law 104 of 1992.

In general, since 2007 the Guarantor has clarified that the administration must adopt technical and organizational measures to prevent the unjustified knowledge of personal data of its employees by other colleagues or third parties, in order to avoid the undue circulation of personal information - in this case concerning information relating to the health of the complainant - not only externally, but also within the working contexts by unauthorized persons. (see points 2, 4, 5.1 and 5.3 of the “Guidelines on the processing of personal data of workers for the purposes of managing the employment relationship in the public sector”, dated 14 June 2007, published in the Official Journal of 13 July 2007, no. 161, and in www.garanteprivacy.it, web doc. no. 1417809).

In this regard, according to the consolidated orientation of the Guarantor (see, provisions of 18 October 2012, no. 296, web doc. no. 2174351 and no. 297, web doc. no. 2174582, as well as provision of 8 May 2013, no. 232, web doc. no. 2501216, provision of 3 October 2013, no. 431, web doc. 2747867 and, lastly, provision of 31 July 2014, no. 392 web doc. no. 3399423), recently confirmed in numerous provisions on individual cases, the personal data of employees processed for the purposes of managing the employment relationship cannot, as a rule, be disclosed to persons other than those who are part of the specific employment relationship (see definitions of "personal data" and “interested party”, contained in art. 4, par. 1, n. 1, of the Regulation), or those who - also taking into account the definition of “third party”, contained in art. 4, par. 1, n. 10, of the Regulation - are not entitled to process them by virtue of the tasks assigned and the organizational choices of the data controller (see, provision no. 43 of 23 February 2023, web doc. no. 9868646 as well as provision no. 322 of 16 September 2021, web doc. no. 9711517, provision no. 214 of 27 May 2021 web doc. 9689234 but see also provision no. 105 of 18 June 2020, web doc. no. 9444865 and provisions of 24 March 2022, prot. no. 98 web doc. no. 976305 and of 11 February 2021, no. 50 web doc. no. 9562866).

This is because, as confirmed by the Guarantor in numerous provisions, even the provision of data to subjects who, although part of the organization of the data controller, due to the role performed and the functions performed, cannot be considered "authorized" to process (see Articles 4, no. 10, 28, par. 3, letter b), 29 and 32, par. 4, of the Regulation, as well as Article 2-quaterdecies of the Code), may give rise to a communication of personal data in the absence of a legal basis. Information regarding workers in the context of the work context may be known within the employer's organization to the extent that, in light of the applicable legislation, those who are made aware of it are entitled to process it in consideration of the functions attributed, the institutional role performed as well as any responsibilities that, to varying degrees, fall upon them. Therefore, the employer is required, in any case, to adopt suitable measures, including organizational ones, to ensure that no unjustified circulation of information occurs in the work context or behaviors inspired by mere curiosity.

With reference, in particular, to data relating to health, in recalling that, pursuant to art. 4 par.1, n. 15 of the Regulation, health data are considered "personal data relating to the physical and mental health of a natural person, including the provision of health care services, which reveal information on his or her state of health", it should be noted that, as clarified by the Guarantor in numerous provisions, also the reference to law 104, which notoriously regulates benefits and guarantees for the assistance, social and work integration of disabled people or their family members, allows information to be obtained on the state of health of a person (see in this regard, provision of 1 September 2022, no. 290 web doc. 9811361, provision of 28 April 2022, no. 150, web doc. no. 9777200 and provision of 28 May 2020, no. 92, web doc. no. 9434609). Even though the Municipality stated that “no direct reference was made to a possible granting of such a benefit to Mr. XX”, the simple reference, even indirect, to the use of such a benefit may entail a communication of data relating to health, considering, moreover, that the contested email made express reference to “his pathologies”, meaning the pathologies of the complainant.

For these reasons, the Municipality, which processes the aforementioned information through authorized personnel only within the scope of the specific obligations and rights of the owner and the interested party, in matters of labor law (art.9, par.2 letter b) of the Regulation and not instead pursuant to letter g) of the same article, as well as art.2-sexies of the Code), has made personal data, including health-related data, of the interested party known in an unjustified manner to other employees, colleagues of the complainant (i.e. to all the personnel of the “economic warehouse” office without distinction).

Nor can the statement regarding the fact that "colleagues in the same sector in question were aware of the health problems" of the complainant be considered relevant for the purposes of assessing the employer's overall conduct, as expressly highlighted by the Municipality in its defense briefs of. XX, specifying that "this information should not have been processed, because not only disclosing data because it is not known constitutes a violation, but also carrying out processing without an appropriate legal basis, as well as carried out using unsuitable tools".

In light of the above considerations, this behavior led to the communication of information regarding the complainant's health - also with regard to the circumstance, even if only indirectly deducible, that the complainant enjoyed the benefits provided for by regulatory provisions such as those of Law no. 104 of 1992, which, notoriously, regulates aid and guarantees for the assistance, social and work integration of disabled people or their family members (see, among others, provisions of 27 April 2023, no. 168, web doc 9896845 and of 11 January 2023, no. 3 web doc no. 9857610, and provisions referred to therein) in violation of articles 5, 6 and 9 par. 2 letter b) of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts which are the subject of the complaint).

4. Conclusions.

In light of the assessments referred to above, it is noted that the declarations made by the data controller during the investigation ˗ the truthfulness of which one can be held accountable pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow to overcome the findings notified by the Office with the act of initiation of the proceeding and are insufficient to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor n. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality is noted, for having communicated personal data of the interested party, including health data, in a manner not compliant with the principle of "lawfulness, correctness and transparency", as well as "data minimization", and in the absence of an appropriate legal basis, in violation of arts. 5, 6 and 9 par. 2 lett. b) of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts that are the subject of the complaint).

Taking into account that the violation of the aforementioned provisions occurred as a result of a single conduct, Article 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the violations are all subject to the sanction provided for by Article 83, paragraph 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to €20,000,000.

In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to Article do not exist. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letters i and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to arts. 58, par. 2, letters i) and 83 of the Regulation as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the [Garante] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Garante pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Garante Regulation no. 1/2019).

In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation.
The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.

Taking into account that:

- with specific regard to the nature, gravity and duration of the violation, it must be considered that the communication of personal data concerned only one interested party (see art. 83, par. 2, letter a), of the Regulation);

- with specific regard to the subjective profile, the violation is negligent, the owner admitting "that the data processing carried out by XX does not comply with the provisions of the legislation in force and the company regulations" and the conduct was the result of an isolated error (art. 83, par. 2, letter b of the Regulation);

it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60). 

That said, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into account:

- the Municipality offered a good level of cooperation with the Authority during the investigation, also declaring that the Data Protection Officer has taken steps to raise awareness among the parties involved regarding the principles of personal data protection and the measures to be taken to prevent similar errors from occurring in the future (Article 83, paragraph 2, letter f), of the Regulation);

- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures pursuant to Article 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);

- the violation occurred in a context characterized by numerous organizational difficulties related to the problems of the emergency period due to the spread of the Sars Cov 2 virus (art. 83, par. 2, letter k), of the Regulation);

In light of the aforementioned elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of 10,000 (ten thousand) euros for the violation of arts. 5, 6 and 9 of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor.

This is in consideration of the specific circumstance that the communication concerned delicate matters relating to the employment relationship of the interested party and information also relating to particular categories of data.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

- declares, pursuant to art. 57, paragraph 1, letter f), of the Regulation, the unlawfulness of the processing of personal data carried out by the Municipality of Verona, due to violation of articles. articles 5, 6 and 9 paragraph 2 letter f), of the Regulation. b) of the Regulations, as well as 2-ter of the Code in the terms set out in the reasons;

ORDERS

- to the Municipality of Verona, in the person of its legal representative pro-tempore, with registered office in Piazza Bra, 1 - 37121 Verona (VR), C.F. 00215150236, for violation of articles 5, 6 and 9 par. 2 letter b) of the Regulations, as well as 2-ter of the Code in the terms set out in the reasons;

ORDERS

- to the aforementioned Municipality, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 10,000 (ten thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981. It is represented that, pursuant to art. 166, paragraph 8, of the Code, the right of the offender to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.

ORDERS

- pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

- pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Authority;

- pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, par. 2 of the Regulation, in the internal register of the Authority provided for by art. 57, par. 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 26 September 2024

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE GENERAL SECRETARY
Mattei