Garante per la protezione dei dati personali (Italy) - 10073751

From GDPRhub
Garante per la protezione dei dati personali - 10073751
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(b) GDPR; Article 6(1)(c) GDPR; Article 9(2)(b) GDPR; Art. 14 d.lgs. 33/2013; Art. 23 d.lgs. 33/2013; Art. 124 d.lgs. 267/2020
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.10.2024
Published:
Fine: 8,000 EUR
Parties: Comune di Offanengo
National Case Number/Name: 10073751
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: elu

The DPA fined a municipality €8,000 for publishing personal and sensitive data related to the termination of employment of the data subject.

English Summary

Facts

The data subject filed a complaint with the Italian DPA against the controller, a municipality, for publishing on its official website all deliberations concerning the data subject. These contained personal data, such as email correspondence between the controller and the data subject, letters concerning proceedings and the data subject's leave calendar (annual leave, accepted and rejected days off, payment), as well as sensitive data, such as the data subject's trade union membership.

The controller argued that:

a. No personal data connected to the private life of the data subject was published, except for their name and surname in initials, and their personal details were only present in one document;

b. The facts in question happened in the context of the Covid-19 emergency;

c. The personal data published were already public for transparency purposes under the national law governing access to information held by the public administration (d.lgs. 33/2013).

Holding

The DPA started by considering that the GDPR applies to the case as the use of initials is insufficient to avoid the identifiability of the data subject.

First, on the lawfulness of the processing, the DPA recognised that public authorities are allowed to process data subjects' personal data as per Article 6(1)(c) GDPR, but specified that the mere involvement of a public authority does not automatically provide for any derogation from the GDPR.

Second, on the processing of sensitive data under Article 9(2)(b) GDPR, the DPA found that, even if it was not explicitly stated, the fact that a document was signed by a trade union was sufficient to indirectly establish the data subject's membership.

Third, it considered that national law (Art. 124 d.lgs. 267/2020) provides that any publication on the website is still subject to the principles of data minimisation and lawfulness and thus, according to previous DPA decisions, the documents may only be kept on the website for 15 days.

Moreover, the DPA underlined that the national law mentioned by the controller (d.lgs. 33/2013) only requires the publication of the list of information on the termination of the employment contract and not of the integral documents.

Finally, with regard to the argument that the data was already published, the DPA considered that this approach is inconsistent with the purpose limitation principle of Article 5(1)(b) GDPR.

Therefore, the DPA found a violation of Articles 5, 6 and 9 GDPR and fined the controller €8,000 as per Article 83(5)(e) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10039471]

Provision of 20 June 2024

Register of provisions
no. 372 of 20 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur: lawyer Guido Scorza;

WHEREAS

1. Introduction.

With a complaint filed pursuant to art. 77 of the Regulation, Ms. XX complained about the online publication, at the address “https://...”, as well as the indexing on search engines of a ranking drawn up following the pre-selection test of a public competition announced by the Municipality of Nepi, containing the list of candidates admitted and not admitted.

The complainant also complained that, despite multiple requests for removal of the aforementioned ranking addressed to the aforementioned Municipality, the same continued to be available online - a circumstance that was ascertained by the Authority on 10 February 2022.

During the investigation, the Authority also noted the failure to regulate, pursuant to art. 28 of the Regulation, the relationship with the company Grafiche E. Gaspari S.r.l. (hereinafter also “Company”), which has been responsible for managing the institutional website and its contents on behalf of and in the interest of the Municipality for many years.

2. The investigation activity.

In response to a request for information formulated by the Authority pursuant to art. 157 of the Code, the Municipality of Nepi, with a note dated March 2, 2022, declared, in particular, that:

it “promptly took action to resolve the problem” and “immediately contacted [its] external supplier soc. Gaspari srl […] for the removal of the page” indicated above;

“the assistance [… has] proceeded to permanently eliminate the indicated data, which also concern an obsolete address and is no longer reachable from the official portal of the Municipality”;

the Municipality itself has “therefore verified that the page no longer appears at the indicated link” and therefore believes “to have definitively resolved the problem”.

In response to a subsequent request from the Authority, aimed at acquiring both the information already requested, but not received, and certain additional information, with a note dated 13 June 2022 the aforementioned Municipality declared, in particular, that:

it was “urgently requested from the managers [of the competent Municipal Offices] […] the maximum collaboration in providing a detailed report on all the activities undertaken […]”;

the “Municipality has identified the legal basis of the processing, which would have justified the online dissemination of the ranking of the public competition in which the [complainant] participated, in art. 19 of Legislative Decree 33/2013, as well as in art. 15, Presidential Decree 9 May 1994, no. 487. The Authority was inspired, in good faith, by the principle of total accessibility of documents held by public administrations pursuant to art. 1 of the aforementioned decree. In the belief of the Authority, the legislation on the obligations of publicity, transparency and dissemination of information by public administrations would have allowed it to publish the ranking in question for a period of 5 years, starting from 1 January of the year following the year from which the alleged obligation to publish began”;

“the ranking in question was published in the “Transparent Administration” section [of] the Municipality on 28 September 2016, and was intended for publication on the institutional website until 31 December 2021, pursuant to art. 8 of Legislative Decree 33/2013 […]. The indexing of the site took place in application of art. 9 of Legislative Decree 33/2013 […]”;

the “previous institutional website, on which the ranking was originally published, was removed from the Internet by the supplier, Gaspari S.r.l., and replaced with a new website […]”;

“subsequent to the publication of the new site, the ranking in question was published, by mistake, on the site https://.., no longer accessible from the new portal of the Authority”;

“upon receipt of the request from the [complainant], the Municipality mistakenly assumed that the publication of the ranking was necessary until 31 December 2021”;

“following the request for information, notified by the Guarantor […] last 14 February [2022], the Municipality contacted, without delay, the supplier's assistance service to request the removal of the ranking and, therefore, verified that no web page can be traced back to the indicated link”;

“the Municipality took steps to subsequently transmit the copy of the agreement on the protection of personal data stipulated by the Authority and the company Gaspari S.r.l. pursuant to art. 28 of the Regulation […]”;

the Municipality “will promptly inform the Authority […] of the removal of the ranking list formed following the pre-selection test of a public competition announced by the Municipality of Nepi as soon as it has obtained all the documentation and has been aware”.

Subsequently, with a note dated 11 November 2022, following a further request for elements by the Authority, the Municipality declared, in particular, that:

“subsequent to the publication of the new site, the ranking list in question was still published, by mistake, on the site https://..., no longer accessible from the new portal of the Authority”;

after contacting the supplier's assistance service, “the Authority then verified that the indicated link can no longer be traced back to any web page”;

“the aforementioned article (content) was published on the institutional website on 3 February 2015, in the “News” section (albeit with a different nomenclature and respective access link), and subsequently migrated to the new version of the platform, without undergoing any substantial modification (with the exception of the links through which the contents were accessible in 2015) until 18 February 2022, when the .pdf document attached to the content was removed from the Internet following the request for removal”;

“upon expiry of the publication deadline in the Transparent Administration section, identified pursuant to art. 19 of Legislative Decree 33/2013 […] the ranking was removed from that section of the institutional website, without also being eliminated from the “News” section of the same”;

“the factor that misled [the] Municipality when providing the previous feedback to the Guarantor […] is the presence in the link address of the document in question of the portion of text “compass”. In fact, the previous platform used by the Authority had the commercial name “Compass” (subsequently changed to MyCity), therefore the links of the documents in pdf. and images in jpg. uploaded to the platform automatically assumed the aforementioned name. This nomenclature led the Municipality to assume that the document was a residue left online after the transition from the old to the new version of the platform whose management was entrusted to the company Grafiche E. Gaspari S.r.l.”;

“the publication of the ranking in question in the “News” section of the institutional website, accessible via the link: https://..., and the concurrent indexing on search engines, took place from 3 February 2015 to 18 February 2022, without an appropriate legal basis for such processing of personal data”.

With the same note, the Municipality produced a copy of an agreement signed on 3 November 2022 with the aforementioned Company pursuant to art. 28 of the Regulation.

As can be seen from the technical report drawn up by Grafiche E. Gaspari S.r.l., which the Municipality had entrusted with the general management of the institutional website, the “Amministrazione Trasparente” portal was instead entrusted to “a company other than Gaspari”. In this regard, the Authority therefore asked the Municipality to produce in the documents a copy of the service contract signed with Grafiche E. Gaspari S.r.l., to which the aforementioned data protection agreement referred, as well as the details of the supplier to whom the Municipality had entrusted the management of the “Amministrazione Trasparente” portal section of its institutional website, attaching a copy of the related service contract, as well as a copy of the data protection agreement signed pursuant to art. 28 of the Regulation with that supplier.

Subsequently, the Municipality, with a note dated March 30, 2023, as subsequently integrated on May 16, 2023, specified that, in any case, "the publications in the "Transparent Administration" section of the institutional website, pursuant to Legislative Decree 22/2013, are carried out directly by the Municipality staff, while [the aforementioned Company] is primarily responsible for any assistance relating to the operation of the software", and attached a copy of the requested documentation. 

With a note dated October 13, 2023, the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged from the preliminary investigation, notified the Municipality of Nepi, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, on the grounds that the Municipality had:

- disseminated online the personal data of the complainant and of the interested parties indicated in the ranking, in the absence of an appropriate regulatory basis, in violation of articles 5, par. 1, letter a), 6, par. 1, letter c) and e), of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text);

- processed the personal data of the users of the website and of the other interested parties whose data were published on the same website, without having regulated the relationship with Grafiche E. Gaspari S.r.l., the contractor of the instrumental service aimed at managing the institutional website of the Municipality, in violation of art. 28 of the Regulation and, as a result, making personal data available to the aforementioned Company in the absence of a suitable regulatory basis, in violation of Articles 5, paragraph 1, letter a), and 6 of the Regulation and Article 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021 and in the text currently in force).

With the same note, the aforementioned data controller was invited to submit defensive writings or documents to the Guarantor or to request to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981).

With a note dated November 14, 2023, the Municipality of Nepi, which did not request to be heard, submitted a defense brief, declaring, in particular, that:

- “the dissemination concerned only common data, i.e. the name and surname of the participant in the competition, with the indication of the score obtained and the outcome of the test (“admitted” or “not admitted”) and involved a limited number of interested parties, equal to 33 participants admitted to the subsequent test, and 178 not admitted”;

- “it was an isolated and non-systematic episode, following which no legal action was taken by the interested parties against the Municipality, not even by the complainant herself, Mrs. XX. The Municipality therefore believes that the dissemination of the data on the institutional website did not cause damage to the interested parties”;

- the “Municipality, by publishing the pre-selection ranking of the public competition, in which Mrs. XX participated, was inspired, in good faith, by the principle of total accessibility of documents held by public administrations pursuant to art. 1 of Legislative Decree 33/2013 and the provisions of art. 10 of Legislative Decree 267/2000, which provides, in general, that all acts of the municipal administration are public”;

- “the Municipality of Nepi is a small entity (just over 9,000 inhabitants), which is in a constant state of staff shortage; the latter, not integrated, is overloaded with tasks. Furthermore, at the time of the incident, the Head of the Transparency, Anti-Corruption and Privacy Sector had been transferred to another entity and his position had been vacant for a considerable period of time”;

- “with regard to the objection that the aforementioned documents are “devoid of contractual references in force between this Municipality and the company Grafiche E. Gaspari S.r.l.”, it is noted that the contract for the management of the website of the Municipality of Nepi is the only contract in force with the company Grafiche E. Gaspari S.r.l.”;

- “following the complaint presented by Mrs. XX, the undersigned Municipality, with the assistance of the Data Protection Officer, organized a series of meetings, held on 3 November 2022, 23, 24 and 28 February 2023, 24 March 2023 and 17 April 2023, with the managers of each service aimed at raising awareness and increasing awareness of compliance with the rules on the protection of personal data”;

- the “Municipality has maintained a high degree of cooperation with the Guarantor, to remedy the violation and mitigate its possible negative effects”.

It should also be noted that, within the scope of the same investigation, specific elements were also acquired from Grafiche E. Gaspari S.r.l., against which an autonomous and separate proceeding was initiated for the profiles attributable to the responsibility of the same.

3. Outcome of the investigation. Applicable legislation.

As a preliminary matter, this provision concerns exclusively the processing carried out by the Municipality of Nepi and, on its behalf, by the Company. It does not concern distinct processing possibly carried out on behalf of the Municipality or the Company by other subjects providing additional services, even if connected to those covered by this investigation; any assessment of whether the conditions exist for initiating separate proceedings remains in any case unprejudiced.

The personal data protection regulation provides that public bodies, even when they operate in the performance of competitive, selective or in any case evaluative procedures, preliminary to the establishment of the employment relationship, can process the personal data of the interested parties (art. 4, no. 1, of the Regulation) if the processing is necessary "to comply with a legal obligation to which the data controller is subject" (think of specific obligations provided for by national legislation "for recruitment purposes", art. 6, par. 1, letter c), 9, parr. 2, letter b) and 4; 88 of the Regulation) or "for the performance of a task of public interest or connected to the exercise of public powers vested in the data controller" (art. 6, par. 1, letter c) and e), of the Regulation and art. 2-ter of the Code).

Such processing must, however, be based on Union or Member State law that must pursue an objective of public interest and be proportionate to the pursuit of the same. The purpose of the processing must be necessary for the performance of a task carried out in the public interest or connected to the exercise of public authority vested in the data controller (see art. 6, par. 3, of the Regulation and 2-ter of the Code).

National legislation has introduced more specific provisions to adapt the application of the provisions of the Regulation, determining more precisely specific requirements for processing, as well as other measures to ensure lawful and correct processing (art. 6, par. 2, of the Regulation) and, in this context, has provided that the legal basis provided for by art. 6, par. 3, letter b), of the Regulation, consists exclusively of the regulatory sources indicated in art. 2-ter of the Code.

The data controller is required to comply in any case with the principles of data protection (art. 5 of the Regulation).

In general, although the data controller, who determines the purposes and methods of data processing, has a “general responsibility” for the processing carried out (see art. 5, par. 2, so-called “accountability”, and 24 of the Regulation), even when these are carried out by other subjects “on his behalf” (cons. 81, art. 4, point 8), and 28 of the Regulation), the Regulation has regulated the obligations and other forms of cooperation to which the data processor is subject and the scope of the related responsibilities (see art. 30, 32, 33, par. 2, 82 and 83 of the Regulation).

The data processor is entitled to process the data of the interested parties “only upon documented instructions from the controller” (Article 28, paragraph 3, letter a), of the Regulation) and the relationship between the controller and the processor is governed by a contract or other legal act, stipulated in writing, which, in addition to mutually binding the two figures, allows the controller to give instructions to the processor also in terms of data security and provides, in detail, what the subject matter is, the duration, nature and purposes of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the controller and the processor. Furthermore, the data processor must assist the controller in ensuring compliance with the obligations deriving from the data protection regulations, “taking into account the nature of the processing” and the specific regime applicable to it (Article 28, paragraph 3, letter f), of the Regulation).

3.1. The unlawful dissemination of personal data of participants in the pre-selection test

From the elements acquired and the facts that emerged during the investigation, it is established that the Municipality of Nepi published on its institutional website the note prot. n. 1983 of 2 February 2015, with which, in the context of a public competition for the filling of two positions for the profile of supervisory instructor, the ranking of the pre-selection test was approved, with the list of candidates admitted (n. 33) and not admitted (n. 178) to the written test; the latter included the complainant.

The document in question, as ascertained in the investigation and confirmed by the Municipality, was published both in the "Transparent Administration" section of its institutional website from 28 September 2016 until 31 December 2021 and in the "News" section of its institutional website from 3 February 2015 until 18 February 2022 (first on the old version of the site and then on the current version of the same).

In this regard, the regulatory provisions that establish, in general, the publicity of the rankings of competitions and selective tests (see, in particular, Presidential Decree 10 January 1957, no. 3; as well as art. 15 et seq. of Presidential Decree 9 May 1994, no. 487 "Regulation containing rules on access to employment in public administrations and the procedures for conducting competitions, single competitions and other forms of hiring in public employment", also following the amendments introduced with Presidential Decree 16 June 2023, no. 82 and, more generally, on the publicity of recruitment procedures for public administration personnel, art. 35 Legislative Decree 30 March 2001, no. 165) serve to allow interested parties participating in competitive or selective procedures to protect their own rights and to check the legitimacy of the administrative action. In fact, based on the aforementioned regulatory framework, the publication of the ranking in the official bulletins of the respective bodies (and on their institutional websites) was notified by means of a notice in the Official Journal of the Republic and the deadline for any appeals ran from the date of the aforementioned publication (see art. 15, paragraph 6 of Presidential Decree 9 May 1994, no. 487, in the text prior to the amendments made by Presidential Decree 82/2023 applicable to the case in question, which currently provides that the publication takes place on the Single Recruitment Portal referred to in art. 35-ter of Legislative Decree 30 March 2001, no. 165, and on the website of the administration concerned and that the terms for appeals run from the date of such publication).

The above-mentioned rules, however, provide that only the final rankings of the competition winners are published and not also the results of the intermediate tests or the personal data of the non-winning or non-admitted competitors (see art. 15, paragraph 6, of the Presidential Decree cited).

The provisions on administrative transparency also provide for specific publication obligations in the "Transparent Administration" section of the institutional website of the administrations. In fact, based on the provisions of Legislative Decree 14 March 2013, no. 33, "without prejudice to other legal advertising obligations, public administrations publish the competition notices for the recruitment, in any capacity, of personnel for the administration, as well as the evaluation criteria of the Commission, the test outlines and the final rankings, updated with the possible scrolling of the eligible non-winners. Public administrations publish and constantly update the data referred to in paragraph 1” (art. 19, paragraphs 1 and 2; see Memorandum of the President of the Authority for the Protection of Personal Data on the 2020 budget bill, 5th Committee, Budget, of the Senate of the Republic, dated 12 November 2019, web doc. 9184376; see, lastly, provision of 11 April 2024 no. 235, web doc. no. 10019523 as well as provisions of 23 March 2023, no. 83, web doc. no. 9888096, and of 28 April 2022, no. 151, web doc. no. 9778996, and the previous provisions referred to therein, including, in particular, the provision of 25 November 2021 n. 407, web doc. n. 9732406).

These provisions define, from the point of view of data protection, the scope of permitted processing and constitute its legal basis by establishing limits, conditions and prerequisites for the online publication of personal data in the context of competitive procedures.

In this context, the Guarantor has, over time, provided specific indications to public administrations regarding the precautions to be adopted for the dissemination of personal data on the Internet for the purposes of transparency and publicity of administrative action, in particular, in 2014, with the “Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for publicity and transparency purposes on the web by public bodies and other obliged entities” (provision n. 243 of 15 May 2014, web doc. n. 3134436, part I and II, spec. par. 3.b).

For the above reasons, the publication by the Municipality of Nepi on its institutional website of note prot. no. 1983 of 2 February 2015, with which, within the aforementioned competitive procedure, the ranking of the pre-selection test was approved, with the list of candidates admitted (no. 33) and not admitted (no. 178) to the written test, the latter including the complainant, gave rise to a dissemination of personal data in the absence of an appropriate legal basis, in violation of articles 5, 6 of the Regulation, as well as 2-ter of the Code, as confirmed by the Municipality itself during the investigation (see "without an appropriate legal basis for such processing of personal data", note of 11 November 2022 cited).

3.2. The failure to regulate the relationship with the service provider pursuant to art. 28 of the Regulation

In order to comply with the legislation on the protection of personal data, it is necessary, as a preliminary step, to precisely identify the subjects who, in different capacities, can process personal data and clearly define their respective responsibilities, in particular that of data controller and data processor and the subjects who operate under the direct responsibility of these (Article 4, points 7 and 8, 28 and 29 of the Regulation).

In this context, the data controller, in the context of the preparation of technical and organizational measures that meet the requirements established by the Regulation, also in terms of security (Articles 24 and 32 of the Regulation), may avail himself of a data processor to carry out certain processing activities, to whom he gives specific instructions (see recital 81 of the Regulation).

In this case, the controller “shall use only processors providing sufficient guarantees to implement appropriate [the aforementioned measures] in such a way that the processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subjects” (Article 28, paragraph 1, of the Regulation), regulating the relevant relationship with a contract or another legal act, having written form, and providing documented instructions regarding the processing (Article 28, paragraphs 3 and 9, of the Regulation). This is also in order to avoid processing (communication to third parties) in the absence of a suitable basis for lawfulness (given the notion of “third party” referred to in Article 4, point 10, of the Regulation; see Article 2-ter, paragraphs 1 and 4, letter a), of the Code, with regard to the definition of “communication”).

The data processor is, in any case, entitled to process the data of the interested parties "only upon documented instructions from the controller" (art. 28, par. 3, letter a), of the Regulation; in this regard, see Cass., Sez. I Civ., order no. 21234 of 23 July 2021, which confirmed a provision of the Guarantor, albeit with reference to a different processing context and to the previous regulatory framework), and must assist the latter in ensuring compliance with the obligations deriving from the data protection discipline (art. 28, par. 3, letter f), of the Regulation). These principles have also been confirmed by the Court of Cassation, which, among other aspects, recently stated that the processing of personal data carried out by the subject delegated by the data controller in the absence of formal investiture in the role of data processor is unlawful (see Cass., Sez. I Civ., sentence no. 35256 of 18 December 2023, which confirmed the provision of 22 July 2021, no. 294, web doc. no. 9698597).

That said, in light of what emerged from the preliminary investigation and the statements made by the Municipality, also taking into account the elements acquired in the context of the separate investigation conducted against the Company, it is established that the functions carried out for an extended period of time by the Company, on behalf of and in the interest of the Municipality (see municipal determination of service assignment no. 861 and statements made by the Company), have involved the processing of personal data of a plurality of interested parties (users of the website and other interested parties whose data are published in specific sections of the website), with respect to which the Municipality is in any case the data controller, processing them on the basis of legal obligations and for the pursuit of its institutional purposes, determining the means and methods of processing, as well as the main terms of the performance of the service on the basis of the contracts stipulated with the supplier. It appears, in this sense, that the Municipality, "having ascertained the unavailability [of the aforementioned deed, proceeded to] draft the document" obtaining the relative signature of the Company only on 3 November 2022 (see note of 11 November 2022). This means that, by not having regulated the relationship with the aforementioned supplier in terms of data protection up to the aforementioned date, the Municipality operated in violation of art. 28 of the Regulation.

Nor can these findings, however, be considered overcome in light of the documents subsequently transmitted by the Municipality, given that these are documents not signed by the parties, not dated and without references to the contractual relationships in place between the Municipality and the Company (see notes of 30 March 2023 and 16 May 2023, in the documents).

As previously clarified by the Guarantor with regard to similar cases (see provision of 18 July 2023, no. 313 and 314, web doc. nos. 9920645 and 9920664; provision of 21 July 2022, nos. 268, 269 and 270, web doc. nos. 9811271, 9813326 and 9811732; provision of 17 September 2020, nos. 160 and 161, web doc. nos. 9461168 and 9461321; provision of 11 February 2021, no. 49, web doc. no. 9562852, provision of 17 December 2020, nos. 280, 281 and 282, web doc. nos. 9524175, 9525315 and 9525337, as well as provision of 10 February 2022, nos. 43 and 44, web doc. no. 9751498; see also “Guidelines 07/2020 on the concepts of data controller and data processor in the GDPR”, adopted on 7 July 2021 by the European Data Protection Committee, esp. note 42) and, lastly, confirmed by the legitimate case law referred to above, in the event of failure to sign an agreement pursuant to art. 28 of the Regulation (and if there are no other independent conditions that could legitimise the processing of personal data by a supplier), the processing must be considered to be carried out in the absence of an appropriate legal basis and in violation of the principle of lawfulness (see Cass., Sez. I Civ., sentence no. 35256 of 18 December 2023 cited, where it is stated that “in the absence of "designation" [… pursuant to art. 28 of the Regulation] with a specific contract or other equivalent act, nor having identified other conditions that could legitimise the processing of the personal data of the users of the service in question, their processing, by […], must be considered to be carried out in the absence of an appropriate legal basis and, therefore, in violation of art. 5, par. 1, letter a), and 6 of the Regulation”; see also Cass., Sez. I Civ., order no. 21234 of 23 July 2021).

In light of the above considerations, given the lack of regulation of the relationship with the Company in terms of data protection, it must be concluded that the Municipality has made available to the Company the personal data of the users of the website and of the other interested parties whose data were published there in the absence of an appropriate legal basis, giving rise to an unlawful processing of personal data, in violation of Articles 5, paragraph 1, letter a), and 6 of the Regulation and Article 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021 and in the current text).

4. Conclusions.

In light of the above considerations, it is noted that the declarations made by the data controller during the investigation, for the truthfulness of which one may be held accountable pursuant to Article 168 of the Code, although worthy of consideration, do not allow the findings notified by the Office with the act of initiation of the proceeding to be overcome and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 applies.

In order to determine the applicable rule, from a temporal perspective, it is necessary to recall, in particular, the principle of legality referred to in art. 1, paragraph 2, of law no. 689/1981, pursuant to which the laws that provide for administrative sanctions apply only in the cases and times considered therein. This determines the obligation to take into consideration the provisions in force at the time of the violation, which – given the permanent nature of the contested offences – must be identified at the time of cessation of the conduct. It is believed that the Regulation and the Code constitute the legislation in light of which to evaluate the treatments in question.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality of Nepi is noted, in that the aforementioned Municipality:

- disseminated online the personal data of the complainant and the interested parties indicated in the ranking, in the absence of a suitable regulatory basis, in violation of Articles 5, paragraph 1, letter a), 6, paragraph 1, letter c) and e), of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text);

- processed the personal data of the users of the website and of the other interested parties whose data were published on the same website, without having regulated the relationship with Grafiche E. Gaspari S.r.l., the contractor of the instrumental service aimed at managing the institutional website of the Municipality, in violation of Article 28 of the Regulation, making personal data available to the aforementioned Company, for the purpose, in the absence of a suitable regulatory basis, in violation of Articles 5, paragraph 1, letter a), and 6 of the Regulation and Article 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021 and in the text currently in force).

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (Articles 58, paragraph 2, letters i and 83 of the Regulation; Article 166, paragraph 7, of the Code).

The Guarantor, pursuant to Articles 58, paragraph 2, letter i) and 83 of the Regulation as well as Article 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the [Guarantor] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction to be published, in full or in extract, on the Guarantor’s website pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this case, two distinct conducts are identified (one in relation to the dissemination of personal data of the participants in the pre-selection test and the other relating to the failure to regulate the relationships with the aforementioned Company in terms of data protection) attributable to the Municipality of Nepi, which must therefore be considered separately for the purposes of quantifying the administrative sanctions to be applied.

In any case, considering that the conducts have exhausted their effects, the conditions for the adoption of corrective measures, pursuant to art. 58, par. 2, of the Regulation, do not exist.

5.1. The conduct referred to in paragraph 3.1 of this provision

Taking into account that the violation of the provisions cited in the previous paragraph 3.1 of this provision, due to the dissemination of personal data of the participants in the pre-selection test, including the complainant herself, took place as a result of a single conduct (same processing or processing linked to each other), art. 83, par. 3, of the Regulation applies, according to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns Articles 5, par. 1, letter a), 6, par. 1, letter c) and e), of the Regulation, as well as 2-ter of the Code, subject to the administrative sanction provided for by Article 83, par. 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to EUR 20,000,000.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by Article 83, par. 2, of the Regulation.

With specific regard to the nature, gravity and duration of the infringement (art. 83, par. 2, letter a), of the Regulation), it is necessary to consider, in particular, the significant number of interested parties involved (over two hundred) and the circumstance that the ranking was published online for a particularly long period of time, i.e. from 3 February 2015 to 18 February 2022, the day on which the aforementioned content was definitively removed. On the other hand, with regard to the subjective profile of the violation (art. 83, par. 2, letter b), of the Regulation), it must be taken into account that it was "an isolated and non-systematic episode", due to "a mere human error resulting from the mistaken belief of the need to disseminate the pre-selection ranking" (see note of 14 November 2023), the Municipality having operated in the mistaken belief of being able to pursue the purpose of transparency of administrative action, without however taking into account the current regulatory framework and the indications provided over time by the Guarantor to all public bodies in this matter (both with the "Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for purposes of advertising and transparency on the web by public bodies and other obliged entities" cited above, and with numerous decisions on individual cases). It is also believed that, in any case, it should be considered that the publication did not concern personal data belonging to the special categories referred to in art. 9 of the Regulation or data relating to criminal convictions or offences (Article 83, paragraph 2, letter g), of the Regulation).

In light of these circumstances, it is considered that, in this case, the level of severity of this violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

That said, the following mitigating circumstances must be considered in favour of the data controller:

- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures referred to in Article 58 of the Regulation (Article 83, paragraph 2, letter e), of the Regulation);

- the Municipality offered good cooperation with the Authority during the investigation, having also represented that it had removed the aforementioned content, albeit following the initiation of the investigation by the Guarantor (art. 83, par. 2, letter f), of the Regulation);

- the Municipality of Nepi is a territorial entity of modest size (just over 9,000 inhabitants; art. 83, par. 2, letter k), of the Regulation).

In light of the aforementioned elements, assessed as a whole, it is believed that the amount of the pecuniary sanction should be determined in the amount of 8,000 (eight thousand) euros for the violation of art. 5, par. 1, letter a), 6, par. 1, letter c) and e), of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account, in particular, the extended period of time during which the aforementioned data were published online on the institutional website of the Municipality, it is also believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 exist.

5.2. The conduct referred to in paragraph 3.2 of this provision

Taking into account that the violation of the provisions cited in the previous paragraph 3.2 of this provision, as a result of the failure to regulate the relationship with Grafiche E. Gaspari S.r.l. from the point of view of data protection and the consequent provision of data to the Company itself in the absence of a suitable basis for lawfulness, took place in the context of a single conduct (same processing or processing operations linked to each other), Article 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violation concerns (in addition to Article 28 of the Regulation) Articles 5, paragraph 1, letter a) and 6 of the Regulation, subject to the administrative sanction provided for by Article 83, paragraph 5, of the Regulation, the total amount of the sanction is to be quantified up to EUR 20,000,000.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by art. 83, paragraph 2, of the Regulation.

With specific regard to the nature, gravity and duration of the violation (art. 83, paragraph 2, letter a), of the Regulation), it must be considered, in particular, that the processing in question concerned personal data of all users of the institutional website of the Municipality as well as other interested parties whose personal data were published therein and that the Municipality, which had outsourced the management of the website for an extended period of time (see municipal determination of service assignment no. 861 and declarations made by the Company), entered into an agreement with the Company pursuant to art. 28 of the Regulation only on 3 November 2022. It is also considered that the violation did not involve personal data relating to special categories of data (Article 9 of the Regulation) or criminal convictions and offences (Article 10 of the Regulation) (Article 83, paragraph 2, letter g), of the Regulation).

In light of these circumstances, it is considered that, in this case, the level of severity of this violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

That said, the following mitigating circumstances must be considered in favour of the data controller:

- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures referred to in art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);

- the Municipality offered good cooperation with the Authority during the investigation, having reached, during the investigation, the stipulation of an agreement pursuant to art. 28 of the Regulation with the Company (art. 83, par. 2, letter f), of the Regulation);

- the Municipality of Nepi is a territorial entity of modest size (just over 9,000 inhabitants; art. 83, par. 2, letter k), of the Regulation).

In light of the aforementioned elements, assessed as a whole, it is believed that the amount of the pecuniary sanction should be determined in the amount of Euro 12,000 (twelve thousand) for the violation of art. 55, par. 1, letter a), 6, par. 1, letter c) and e), of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account, in particular, the extended period of time during which the relationship between the Municipality and the Company remained without adequate regulation in terms of data protection, it is also believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, par. 1, lett. f), of the Regulation, the unlawfulness of the processing carried out by the Municipality of Nepi for violation of articles 5, par. 1, letter a), 6, and 28 of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text), in the terms set out in the reasons;

ORDERS

the Municipality of Nepi, in the person of its legal representative pro-tempore, with registered office in Piazza Comune 20 - 01036 Nepi (VT), C.F. 00088940564, to pay the sum of 20,000 (twenty thousand) euros as an administrative pecuniary sanction for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

the aforementioned Municipality, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 20,000 (twenty thousand) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Guarantor Regulation no. 1/2019);

- the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, of the violations and measures adopted in accordance with art. 58, par. 2, of the Regulation (see art. 17 of the Regulation of the Guarantor no. 1/2019).

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 June 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei

[web doc. no. 10039471]

Provision of 20 June 2024

Register of provisions
n. 372 of 20 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur: lawyer Guido Scorza;

WHEREAS

1. Introduction.

With a complaint filed pursuant to art. 77 of the Regulation, Ms. XX complained about the online publication, at the address “https://...”, as well as the indexing on search engines of a ranking drawn up following the pre-selection test of a public competition announced by the Municipality of Nepi, containing the list of candidates admitted and not admitted.

The complainant also complained that, despite multiple requests for removal of the aforementioned ranking addressed to the aforementioned Municipality, the same continued to be available online - a circumstance that was ascertained by the Authority on 10 February 2022.

During the investigation, the Authority also noted the failure to regulate, pursuant to art. 28 of the Regulation, the relationship with the company Grafiche E. Gaspari S.r.l. (hereinafter also “Company”), which has been responsible for managing the institutional website and its contents on behalf of and in the interest of the Municipality for many years.

2. The investigation activity.

In response to a request for information formulated by the Authority pursuant to art. 157 of the Code, the Municipality of Nepi, with a note dated March 2, 2022, declared, in particular, that:

it “promptly took action to resolve the problem” and “immediately contacted [its] external supplier soc. Gaspari srl […] for the removal of the page” indicated above;

“the assistance [… has] proceeded to permanently eliminate the indicated data, which also concern an obsolete address and is no longer reachable from the official portal of the Municipality”;

the Municipality itself has “therefore verified that the page no longer appears at the indicated link” and therefore believes “to have definitively resolved the problem”.

In response to a subsequent request from the Authority, aimed at acquiring both the information already requested, but not received, and certain additional information, with a note dated 13 June 2022 the aforementioned Municipality declared, in particular, that:

it was “urgently requested from the managers [of the competent Municipal Offices] […] the maximum collaboration in providing a detailed report on all the activities undertaken […]”;

the “Municipality has identified the legal basis of the processing, which would have justified the online dissemination of the ranking of the public competition in which the [complainant] participated, in art. 19 of Legislative Decree 33/2013, as well as in art. 15, Presidential Decree 9 May 1994, no. 487. The Authority was inspired, in good faith, by the principle of total accessibility of documents held by public administrations pursuant to art.1 of the aforementioned decree. In the belief of the Authority, the legislation on the obligations of publicity, transparency and dissemination of information by public administrations would have allowed it to publish the ranking in question for a period of 5 years, starting from 1 January of the year following the year from which the alleged obligation of publication began”;

“the ranking in question was published in the “Transparent Administration” section [of] the Municipality on 28 September 2016, and was intended for publication on the institutional website until 31 December 2021, pursuant to art. 8 of Legislative Decree 33/2013 […]. The indexing of the site took place in application of art. 9 of Legislative Decree 33/2013 […]”;

the “previous institutional website, on which the ranking was originally published, was removed from the Internet by the supplier, Gaspari S.r.l., and replaced with a new website […]”;

“subsequent to the publication of the new website, the ranking in question was published, by mistake, on the website https://.., no longer accessible from the new portal of the Authority”;

“upon receipt of the request from the [complainant], the Municipality mistakenly assumed that the publication of the ranking was necessary until 31 December 2021”;

“following the request for information, notified by the Guarantor […] on 14 February [2022], the Municipality promptly contacted the supplier’s assistance service to request the removal of the ranking and then verified that the indicated link no longer linked to any web page”;

“the Municipality has taken steps to subsequently transmit the copy of the agreement on the protection of personal data stipulated by the Authority and the company Gaspari S.r.l. pursuant to art. 28 of the Regulation […]”;

the Municipality “will promptly proceed, as soon as it has obtained all the documentation and has been aware, to promptly inform the authority […] of the removal of the ranking formed following the pre-selection test of a public competition announced by the Municipality of Nepi”.

Subsequently, with a note dated 11 November 2022, following a further request for elements by the Authority, the Municipality declared, in particular, that:

“subsequent to the publication of the new site, the ranking in question was still published, by mistake, on the site https://..., no longer accessible from the new portal of the Authority”;

after contacting the supplier's assistance service, “the Authority then verified that the indicated link can no longer be traced back to any web page”;

“the aforementioned article (content) was published on the institutional website on 3 February 2015, in the “News” section (albeit with a different nomenclature and respective access link), and subsequently migrated to the new version of the platform, without undergoing any substantial modification (with the exception of the links through which the contents were accessible in 2015) until 18 February 2022, when the .pdf document attached to the content was removed from the Internet following the request for removal”;

“upon expiry of the publication deadline in the Transparent Administration section, identified pursuant to art. 19 of Legislative Decree 33/2013 […] the ranking was removed from that section of the institutional website, without also being eliminated from the “News” section of the same”;

“the factor that misled [the] Municipality when providing the previous feedback to the Guarantor […] is the presence in the link address of the document in question of the portion of text “compass”. In fact, the previous platform used by the Authority had the commercial name “Compass” (subsequently changed to MyCity), therefore the links of the documents in pdf. and images in jpg. uploaded to the platform automatically assumed the aforementioned name. This nomenclature led the Municipality to assume that the document was a residue left online after the transition from the old to the new version of the platform whose management was entrusted to the company Grafiche E. Gaspari S.r.l.”;

“the publication of the ranking in question in the “News” section of the institutional website, accessible via the link: https://..., and the concurrent indexing on search engines, took place from 3 February 2015 to 18 February 2022, without an appropriate legal basis for such processing of personal data”.

With the same note, the Municipality produced a copy of an agreement signed on 3 November 2022 with the aforementioned Company pursuant to art. 28 of the Regulation.

As can be seen from the technical report drawn up by Grafiche E. Gaspari S.r.l., which the Municipality had entrusted with the general management of the institutional website, the “Amministrazione Trasparente” portal was instead entrusted to “a company other than Gaspari”. In this regard, the Authority therefore asked the Municipality to produce in the documents a copy of the service contract signed with Grafiche E. Gaspari S.r.l., to which the aforementioned data protection agreement referred, as well as the details of the supplier to whom the Municipality had entrusted the management of the “Amministrazione Trasparente” portal section of its institutional website, attaching a copy of the related service contract, as well as a copy of the data protection agreement signed pursuant to art. 28 of the Regulation with that supplier.

Subsequently, the Municipality, with a note dated March 30, 2023, as subsequently integrated on May 16, 2023, specified that, in any case, "the publications in the "Transparent Administration" section of the institutional website, pursuant to Legislative Decree 22/2013, are carried out directly by the Municipality's staff, while [the aforementioned Company] is primarily responsible for any assistance relating to the operation of the software", and attached a copy of the requested documentation. 

With a note dated October 13, 2023, the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Municipality of Nepi, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, on the grounds that the aforementioned Municipality had:

- disseminated online the personal data of the complainant and of the interested parties indicated in the ranking, in the absence of an appropriate regulatory basis, in violation of articles 5, par. 1, letter a), 6, par. 1, letter c) and e), of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text);

- processed the personal data of the users of the website and of the other interested parties whose data were published on the same website, without having regulated the relationship with Grafiche E. Gaspari S.r.l., the contractor of the instrumental service aimed at managing the institutional website of the Municipality, in violation of art. 28 of the Regulation and, as a result, making personal data available to the aforementioned Company in the absence of a suitable regulatory basis, in violation of Articles 5, paragraph 1, letter a), and 6 of the Regulation and Article 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021 and in the text currently in force).

With the same note, the aforementioned controller was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981).

With a note dated November 14, 2023, the Municipality of Nepi, which did not request to be heard, submitted a defense brief, declaring, in particular, that:

- “the dissemination concerned only common data, i.e. the name and surname of the participant in the competition, with the indication of the score obtained and the outcome of the test (“admitted” or “not admitted”) and involved a limited number of interested parties, equal to 33 participants admitted to the subsequent test, and 178 not admitted”;

- “it was an isolated and non-systematic episode, following which no legal action was taken by the interested parties against the Municipality, not even by the complainant herself, Mrs. XX. The Municipality therefore believes that the dissemination of the data on the institutional website did not cause damage to the interested parties”;

- the “Municipality, by publishing the pre-selection ranking of the public competition, in which Mrs. XX participated, was inspired, in good faith, by the principle of total accessibility of documents held by public administrations pursuant to art. 1 of Legislative Decree 33/2013 and the provisions of art. 10 of Legislative Decree 267/2000, which provides, in general, that all acts of the municipal administration are public”;

- “the Municipality of Nepi is a small entity (just over 9,000 inhabitants), which is in a constant state of staff shortage; the latter, not integrated, is overloaded with tasks. Furthermore, at the time of the incident, the Head of the Transparency, Anti-Corruption and Privacy Sector had been transferred to another entity and his position had been vacant for a considerable period of time”;

- “with regard to the objection that the aforementioned documents are “devoid of contractual references in force between this Municipality and the company Grafiche E. Gaspari S.r.l.”, it is noted that the contract for the management of the website of the Municipality of Nepi is the only contract in force with the company Grafiche E. Gaspari S.r.l.”;

- “following the complaint filed by Mrs. XX, the undersigned Municipality, with the assistance of the Data Protection Officer, organized a series of meetings, held on 3 November 2022, 23, 24 and 28 February 2023, 24 March 2023 and 17 April 2023, with the managers of each service aimed at raising awareness and increasing awareness of compliance with the rules on the protection of personal data”;

- the “Municipality has maintained a high degree of cooperation with the Guarantor, to remedy the violation and mitigate its possible negative effects”.

It should also be noted that, within the scope of the same investigation, specific elements were also acquired from Grafiche E. Gaspari S.r.l., against which an autonomous and separate proceeding was initiated for the profiles attributable to the responsibility of the same.

3. Outcome of the investigation. Applicable legislation.

As a preliminary matter, this provision concerns exclusively the processing carried out by the Municipality of Nepi and, on its behalf, by the Company, and not any distinct processing carried out on behalf of the Municipality or of the Company itself by other parties providing additional services, even if connected to those covered by this investigation; any assessment of whether the conditions exist for initiating separate proceedings remains in any case unprejudiced.

The personal data protection regulation provides that public bodies, even when they operate in the performance of competitive, selective or in any case evaluative procedures, preliminary to the establishment of the employment relationship, can process the personal data of the interested parties (art. 4, no. 1, of the Regulation) if the processing is necessary "to comply with a legal obligation to which the data controller is subject" (think of specific obligations provided for by national legislation "for recruitment purposes", art. 6, par. 1, letter c), 9, parr. 2, letter b) and 4; 88 of the Regulation) or "for the performance of a task of public interest or connected to the exercise of public powers vested in the data controller" (art. 6, par. 1, letter c) and e), of the Regulation and art. 2-ter of the Code).

Such processing must, however, be based on Union or Member State law that must pursue an objective of public interest and be proportionate to the pursuit of the same. The purpose of the processing must be necessary for the performance of a task carried out in the public interest or connected to the exercise of public authority vested in the data controller (see art. 6, par. 3, of the Regulation and 2-ter of the Code).

National legislation has introduced more specific provisions to adapt the application of the provisions of the Regulation, determining more precisely specific requirements for processing, as well as other measures to ensure lawful and correct processing (art. 6, par. 2, of the Regulation) and, in this context, has provided that the legal basis provided for by art. 6, par. 3, letter b), of the Regulation, consists exclusively of the regulatory sources indicated in art. 2-ter of the Code.

The data controller is required to comply in any case with the principles of data protection (art. 5 of the Regulation).

In general, although the data controller, who determines the purposes and methods of data processing, has a “general responsibility” for the processing carried out (see art. 5, par. 2, so-called “accountability”, and 24 of the Regulation), even when it is carried out by other parties “on his behalf” (recital 81, art. 4, point 8), and 28 of the Regulation), the Regulation has regulated the obligations and other forms of cooperation to which the data processor is subject and the scope of the related responsibilities (see art. 30, 32, 33, par. 2, 82 and 83 of the Regulation).

The data processor is entitled to process the data of the interested parties “only upon documented instructions from the controller” (Article 28, paragraph 3, letter a), of the Regulation) and the relationship between the controller and the processor is governed by a contract or other legal act, stipulated in writing, which, in addition to mutually binding the two figures, allows the controller to give instructions to the processor also in terms of data security and provides, in detail, what the subject matter is, the duration, nature and purposes of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the controller and the processor. Furthermore, the data processor must assist the controller in ensuring compliance with the obligations deriving from the data protection regulations, “taking into account the nature of the processing” and the specific regime applicable to it (Article 28, paragraph 3, letter f), of the Regulation).

3.1. The unlawful dissemination of personal data of participants in the pre-selection test

From the elements acquired and the facts that emerged during the investigation, it is established that the Municipality of Nepi published on its institutional website the note prot. n. 1983 of 2 February 2015, with which, in the context of a public competition for the filling of two positions for the profile of supervisory instructor, the ranking of the pre-selection test was approved, with the list of candidates admitted (n. 33) and not admitted (n. 178) to the written test, the latter including the appellant.

The document in question, as ascertained in the investigation and confirmed by the Municipality, was published both in the "Transparent Administration" section of its institutional website from 28 September 2016 until 31 December 2021 and in the "News" section of its institutional website from 3 February 2015 until 18 February 2022 (first on the old version of the site and then on the current version of the same).

In this regard, the regulatory provisions that establish, in general, the publicity of the rankings of competitions and selective tests (see, in particular, Presidential Decree 10 January 1957, no. 3; as well as art. 15 et seq. of Presidential Decree 9 May 1994, no. 487 "Regulation containing rules on access to employment in public administrations and the procedures for conducting competitions, single competitions and other forms of hiring in public employment", also following the amendments introduced by Presidential Decree 16 June 2023, no. 82 and, more generally, on the publicity of recruitment procedures for public administration personnel, art. 35 Legislative Decree 30 March 2001, no. 165) perform the function of allowing interested parties, participating in competitive or selective procedures, to activate forms of protection of their rights and of control of the legitimacy of the administrative action. In fact, based on the aforementioned regulatory framework, the publication of the ranking in the official bulletins of the respective bodies (and on their institutional websites) was notified by means of a notice in the Official Journal of the Republic and the deadline for any appeals ran from the date of said publication (see art. 15, paragraph 6 of Presidential Decree no. 487 of 9 May 1994, in the text prior to the amendments made by Presidential Decree no. 82/2023 applicable to the case in question, which currently provides that the publication takes place on the Single Recruitment Portal referred to in art. 35-ter of Legislative Decree no. 165 of 30 March 2001, and on the website of the administration concerned and that the terms for appeals run from the date of such publication).

The above-mentioned rules, however, provide that only the final rankings of the competition winners are published and not also the results of the intermediate tests or the personal data of the non-winning or non-admitted competitors (see art. 15, paragraph 6, of the Presidential Decree cited).

The provisions on administrative transparency also provide for specific publication obligations in the "Transparent Administration" section of the institutional website of the administrations. In fact, based on the provisions of Legislative Decree 14 March 2013, no. 33, "without prejudice to other legal advertising obligations, public administrations publish the competition notices for the recruitment, in any capacity, of personnel for the administration, as well as the evaluation criteria of the Commission, the test outlines and the final rankings, updated with the possible scrolling of the eligible non-winners. Public administrations publish and constantly update the data referred to in paragraph 1” (art. 19, paragraphs 1 and 2; see Memorandum of the President of the Authority for the Protection of Personal Data on the 2020 budget bill, 5th Committee, Budget, of the Senate of the Republic, dated 12 November 2019, web doc. 9184376; see, lastly, provision of 11 April 2024 no. 235, web doc. no. 10019523 as well as provisions of 23 March 2023, no. 83, web doc. no. 9888096, and of 28 April 2022, no. 151, web doc. no. 9778996, and the previous provisions referred to therein, including, in particular, the provision of 25 November 2021 n. 407, web doc. n. 9732406).

These provisions define, from the point of view of data protection, the scope of permitted processing and constitute its legal basis by establishing limits, conditions and prerequisites for the online publication of personal data in the context of competitive procedures.

In this context, the Guarantor has, over time, provided specific indications to public administrations regarding the precautions to be adopted for the dissemination of personal data on the Internet for the purposes of transparency and publicity of administrative action, in particular, in 2014, with the “Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for publicity and transparency purposes on the web by public bodies and other obliged entities” (provision n. 243 of 15 May 2014, web doc. n. 3134436, part I and II, spec. par. 3.b).

In light of the above, the publication by the Municipality of Nepi on its institutional website of note prot. no. 1983 of 2 February 2015, with which, within the scope of the aforementioned competitive procedure, the ranking of the pre-selection test was approved, with the list of candidates admitted (no. 33) and not admitted (no. 178) to the written test, the latter including the appellant, gave rise to the dissemination of personal data in the absence of an appropriate legal basis, in violation of articles 5, 6 of the Regulation, as well as 2-ter of the Code, as confirmed by the Municipality itself during the investigation (see "without an appropriate legal basis for such processing of personal data", note of 11 November 2022 cited).

3.2. Failure to regulate the relationship with the service provider pursuant to art. 28 of the Regulation

In order to comply with the legislation on the protection of personal data, it is necessary, as a preliminary step, to precisely identify the entities that, in different capacities, can process personal data and clearly define their respective responsibilities, in particular that of data controller and data processor and the entities that operate under the direct responsibility of these (art. 4, points 7 and 8, 28 and 29 of the Regulation).

In this context, the data controller, in the context of the preparation of technical and organizational measures that meet the requirements established by the Regulation, also in terms of security (arts. 24 and 32 of the Regulation), may avail himself of a data processor to carry out certain processing activities, to whom he gives specific instructions (see recital 81 of the Regulation).

In this case, the controller “shall use only processors providing sufficient guarantees to implement appropriate [the aforementioned measures] in such a way that the processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subjects” (Article 28, paragraph 1, of the Regulation), regulating the relevant relationship with a contract or another legal act, having written form, and providing documented instructions regarding the processing (Article 28, paragraphs 3 and 9, of the Regulation). This is also in order to avoid processing (communication to third parties) in the absence of a suitable basis for lawfulness (given the notion of “third party” referred to in Article 4, point 10, of the Regulation; see Article 2-ter, paragraphs 1 and 4, letter a), of the Code, with regard to the definition of “communication”).

The data processor is, in any case, entitled to process the data of the interested parties "only upon documented instructions from the controller" (art. 28, par. 3, letter a), of the Regulation; in this regard, see Cass., Sez. I Civ., order no. 21234 of 23 July 2021, which confirmed a provision of the Guarantor, albeit with reference to a different processing context and to the previous regulatory framework), and must assist the latter in ensuring compliance with the obligations deriving from the data protection discipline (art. 28, par. 3, letter f), of the Regulation). These principles have also been confirmed by the Court of Cassation, which, among other aspects, recently stated that the processing of personal data carried out by the entity delegated by the controller in the absence of formal designation as processor is unlawful (see Cass., Sez. I Civ., sentence no. 35256 of 18 December 2023, which confirmed the provision of 22 July 2021, no. 294, web doc. no. 9698597).

That said, in light of what emerged from the preliminary investigation and the statements made by the Municipality, also taking into account the elements acquired in the context of the separate investigation conducted against the Company, it is established that the functions carried out for an extended period of time by the Company, on behalf of and in the interest of the Municipality (see municipal determination of service assignment no. 861 and statements made by the Company), have involved the processing of personal data of a plurality of interested parties (users of the website and other interested parties whose data are published in specific sections of the website), with respect to which the Municipality is in any case the controller, processing them on the basis of legal obligations and for the pursuit of its institutional purposes, determining the means and methods of processing, as well as the main terms of the performance of the service on the basis of the contracts stipulated with the supplier. It appears, in this sense, that the Municipality, "having ascertained the unavailability [of the aforementioned deed, proceeded to] draft the document" obtaining the relative signature of the Company only on 3 November 2022 (see note of 11 November 2022). This means that, by not having regulated the relationship with the aforementioned supplier in terms of data protection up to the aforementioned date, the Municipality operated in violation of art. 28 of the Regulation.

Nor can these findings, however, be considered overcome in light of the documents subsequently transmitted by the Municipality, given that these are documents not signed by the parties, not dated and without references to the contractual relationships in place between the Municipality and the Company (see notes of 30 March 2023 and 16 May 2023, in the documents).

As previously clarified by the Guarantor with regard to similar cases (see provision of 18 July 2023, no. 313 and 314, web doc. nos. 9920645 and 9920664; provision of 21 July 2022, nos. 268, 269 and 270, web doc. nos. 9811271, 9813326 and 9811732; provision of 17 September 2020, nos. 160 and 161, web doc. nos. 9461168 and 9461321; provision of 11 February 2021, no. 49, web doc. no. 9562852, provision of 17 December 2020, nos. 280, 281 and 282, web doc. nos. 9524175, 9525315 and 9525337, as well as provision of 10 February 2022, nos. 43 and 44, web doc. no. 9751498; see also “Guidelines 07/2020 on the concepts of data controller and data processor in the GDPR”, adopted on 7 July 2021 by the European Data Protection Board, esp. note 42) and, lastly, confirmed by the case law of the Court of Cassation referred to above, in the event of failure to sign an agreement pursuant to art. 28 of the Regulation (and if there are no other independent conditions that can legitimise the processing of personal data by a supplier), the processing must be considered to be carried out in the absence of an appropriate legal basis and in violation of the principle of lawfulness (see Cass., Sez. I Civ., sentence no. 35256 of 18 December 2023 cit., where it is stated that "in the absence of "designation" [… pursuant to art. 28 of the Regulation] with a specific contract or other equivalent act, nor having identified other conditions that could legitimise the processing of personal data of the users of the service in question, their processing, by […], must be considered to be carried out in the absence of an appropriate legal basis and, therefore, in violation of art. 5, par. 1, letter a), and 6 of the Regulation"; see also Cass., Sez. I Civ., order no. 21234 of 23 July 2021).

In light of the above considerations, given the failure to regulate the relationship with the Company in terms of data protection, it must be concluded that the Municipality has made available to the Company the personal data of the users of the website and of other interested parties whose data were published there in the absence of an appropriate legal basis, giving rise to an unlawful processing of personal data, in violation of Articles 5, paragraph 1, letter a), and 6 of the Regulation and Article 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021 and in the current text).

4. Conclusions.

In light of the above considerations, it is noted that the declarations made by the data controller during the investigation, for the truthfulness of which the declarant may be held accountable pursuant to Article 168 of the Code, although worthy of consideration, do not overcome the findings notified by the Office with the act of initiation of the proceeding and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 applies.

In order to determine the applicable rule, from a temporal perspective, it is necessary to recall, in particular, the principle of legality referred to in art. 1, paragraph 2, of law no. 689/1981, pursuant to which the laws that provide for administrative sanctions apply only in the cases and times considered therein. This determines the obligation to take into consideration the provisions in force at the time of the violation, which, given the permanent nature of the contested offences, must be identified at the time of cessation of the conduct. It is believed that the Regulation and the Code constitute the legislation in light of which the processing in question is to be evaluated.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality of Nepi is noted, since the aforementioned Municipality:

- disseminated online the personal data of the complainant and the interested parties indicated in the ranking, in the absence of a suitable regulatory basis, in violation of Articles 5, paragraph 1, letter a), 6, paragraph 1, letter c) and e), of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text);

- processed the personal data of the users of the website and of the other interested parties whose data were published on the same website, without having regulated the relationship with Grafiche E. Gaspari S.r.l., the contractor of the instrumental service aimed at managing the institutional website of the Municipality, in violation of Article 28 of the Regulation, and, for that purpose, made personal data available to the aforementioned Company in the absence of a suitable regulatory basis, in violation of Articles 5, paragraph 1, letter a), and 6 of the Regulation and Article 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021 and in the text currently in force).

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; Article 166, paragraph 7, of the Code).

The Guarantor, pursuant to Articles 58, paragraph 2, letter i) and 83 of the Regulation as well as Article 166 of the Code, has the power to “impose an administrative pecuniary sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the [Guarantor] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction to be published, in full or in extract, on the Guarantor's website pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this case, two distinct conducts are identified (one in relation to the dissemination of personal data of the participants in the pre-selection test and the other relating to the failure to regulate the relationships with the aforementioned Company in terms of data protection) attributable to the Municipality of Nepi, which must therefore be considered separately for the purposes of quantifying the administrative sanctions to be applied.

In any case, considering that the conducts have exhausted their effects, the conditions for the adoption of corrective measures, pursuant to art. 58, par. 2, of the Regulation, do not exist.

5.1. The conduct referred to in paragraph 3.1 of this provision

Taking into account that the violation of the provisions cited in the previous paragraph 3.1 of this provision, due to the dissemination of personal data of the participants in the pre-selection test, including the complainant herself, took place as a result of a single conduct (same processing or processing linked to each other), art. 83, par. 3, of the Regulation applies, according to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious infringement. Considering that, in the case in question, the most serious infringement concerns Articles 5, par. 1, letter a), 6, par. 1, letter c) and e), of the Regulation, as well as 2-ter of the Code, subject to the administrative sanction provided for by Article 83, par. 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to EUR 20,000,000.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by Article 83, par. 2, of the Regulation.

With specific regard to the nature, gravity and duration of the infringement (art. 83, par. 2, letter a), of the Regulation), it is necessary to consider, in particular, the significant number of interested parties involved (over two hundred) and the circumstance that the ranking was published online for a particularly long period of time, i.e. from 3 February 2015 to 18 February 2022, the day on which the aforementioned content was definitively removed. On the other hand, with regard to the subjective profile of the violation (art. 83, par. 2, letter b), of the Regulation), it must be taken into account that it was "an isolated and non-systematic episode", due to "a mere human error resulting from the mistaken belief of the need to disseminate the pre-selection ranking" (see note of 14 November 2023), the Municipality having operated in the mistaken belief of being able to pursue the purpose of transparency of administrative action, without however taking into account the current regulatory framework and the indications provided over time by the Guarantor to all public bodies in this matter (both with the "Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for purposes of advertising and transparency on the web by public bodies and other obliged entities" cited above, and with numerous decisions on individual cases). It is also believed that, in any case, it should be considered that the publication did not concern personal data belonging to the special categories referred to in art. 9 of the Regulation or data relating to criminal convictions or offences (Article 83, paragraph 2, letter g), of the Regulation).

In light of these circumstances, it is considered that, in this case, the level of severity of this violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

That said, the following mitigating circumstances must be considered in favour of the data controller:

- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures referred to in Article 58 of the Regulation (Article 83, paragraph 2, letter e), of the Regulation);

- the Municipality offered good cooperation with the Authority during the investigation, having also represented that it had removed the aforementioned content, albeit following the initiation of the investigation by the Guarantor (art. 83, par. 2, letter f), of the Regulation);

- the Municipality of Nepi is a territorial entity of modest size (just over 9,000 inhabitants; art. 83, par. 2, letter k), of the Regulation).

In light of the aforementioned elements, assessed as a whole, it is believed that the amount of the pecuniary sanction should be determined in the amount of 8,000 (eight thousand) euros for the violation of art. 5, par. 1, letter a), 6, par. 1, letter c) and e), of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account, in particular, the extended period of time during which the aforementioned data were published online on the institutional website of the Municipality, it is also believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 exist.

5.2. The conduct referred to in paragraph 3.2 of this provision

Taking into account that the violation of the provisions cited in the previous paragraph 3.2 of this provision, as a result of the failure to regulate the relationship with Grafiche E. Gaspari S.r.l. from the point of view of data protection and the consequent provision of data to the Company itself in the absence of a suitable basis for lawfulness, took place in the context of a single conduct (same processing or processing linked to each other), Article 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns (in addition to Article 28 of the Regulation) Articles 5, paragraph 1, letter a) and 6 of the Regulation, subject to the administrative sanction provided for by Article 83, paragraph 5, of the Regulation, the total amount of the sanction is to be quantified up to EUR 20,000,000.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by Article 83, paragraph 2, of the Regulation.

With specific regard to the nature, gravity and duration of the violation (Article 83, paragraph 2, letter a), of the Regulation), it should be considered, in particular, that the processing in question concerned personal data of all users of the institutional website of the Municipality as well as other interested parties whose personal data were published therein and that the Municipality, which had outsourced the management of the website for an extended period of time (see municipal determination of assignment of the service no. 861 and declarations made by the Company), entered into an agreement with the Company pursuant to Article 28 of the Regulation only on 3 November 2022. It should also be considered that the violation did not concern personal data relating to special categories of data (Article 9 of the Regulation) or criminal convictions and offences (Article 10 of the Regulation) (Article 83, paragraph 2, letter g), of the Regulation).

In light of these circumstances, it is considered that, in this case, the level of severity of this violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

That said, the following mitigating circumstances must be considered in favour of the data controller:

- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);

- the Municipality offered good cooperation with the Authority during the investigation, having come, during the investigation, to the stipulation of an agreement pursuant to art. 28 of the Regulation with the Company (art. 83, par. 2, letter f), of the Regulation);

- the Municipality of Nepi is a territorial entity of modest size (just over 9,000 inhabitants; art. 83, par. 2, letter k), of the Regulation).

In light of the aforementioned elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of 12,000 (twelve thousand) euros for the violation of art. 55, par. 1, letter a), 6, par. 1, letter c) and e), of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account, in particular, the extended period of time during which the relationship between the Municipality and the Company has remained without adequate regulation in terms of data protection, it is also believed that the accessory sanction of publication of this provision on the Guarantor's website should be applied, as provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 exist.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, paragraph 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the Municipality of Nepi due to violation of art. 5, paragraph 1, letter f), of the Regulation. a), 6, and 28 of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the legislative decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text), in the terms set out in the reasons;

ORDERS

the Municipality of Nepi, in the person of its legal representative pro-tempore, with registered office in Piazza Comune 20 - 01036 Nepi (VT), C.F. 00088940564, to pay the sum of 20,000 (twenty thousand) euros as an administrative pecuniary sanction for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;

ORDERS

that the aforementioned Municipality, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, pay the sum of €20,000 (twenty thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Guarantor Regulation no. 1/2019);

- the annotation of this provision in the internal register of the Authority, provided for by art. 57, paragraph 1, letter u), of the Regulation, of the violations and measures adopted in accordance with art. 58, paragraph 2, of the Regulation (see art. 17 of the Regulation of the Guarantor n. 1/2019).

Pursuant to Articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 June 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei