Garante per la protezione dei dati personali (Italy) - 10102355
| Garante per la protezione dei dati personali - 10102355 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5 GDPR, Article 6 GDPR, Article 37(7) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 12.12.2024 |
| Published: | |
| Fine: | 6,000 EUR |
| Parties: | Comune di Corte Franca |
| National Case Number/Name: | 10102355 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | Garante (in IT) |
| Initial Contributor: | elu |
The DPA fined a municipality €6,000 after it published an ex-employee's personal data, including employment documents, on its website.
English Summary
Facts
The data subject, a former employee of the controller (a municipality), lodged a complaint with the DPA.
The complaint concerned the publication of the data subject’s employment documents on the controller’s website. The data published included the acknowledgement of the data subject’s resignation, their job title, the date of their last working day, and the time and place of the working arrangements.
Holding
Legal basis
The DPA acknowledged that public entities, like the controller, may rely on Article 6(1)(c) GDPR and Article 9(2)(b) GDPR as a legal basis to process personal data in their role as employer.
With regard to the disclosure of the personal data, the DPA reiterated that, as it has held in multiple decisions, the publication of employment documents on the website is not in line with the GDPR.
Thus, the DPA found a violation of Article 5 GDPR and Article 6 GDPR.
Communication of the DPO's contact details to the DPA
With regard to the late communication of the DPO's contact details, the DPA found that the GDPR violation continued until the DPA managed to contact the controller’s DPO. This exchange only happened much later than the complaint.
Thus, the DPA found a violation of Article 37(7) GDPR.
Fine
On the basis of the violations found, the DPA deemed it appropriate to fine the controller €6,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10102355]
Provision of 12 December 2024
Register of provisions no. 768 of 12 December 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General;
HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);
HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (hereinafter the “Code”);
HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);
Having seen the documentation in the files;
Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;
Rapporteur: lawyer Guido Scorza;
WHEREAS
1. Introduction.
With a complaint filed pursuant to art. 77 of the Regulation, Mr. XX complained about the online publication on the website of the Municipality of Corte Franca (hereinafter “Municipality”), where he worked, of resolution no. XX of XX containing his personal data, in particular, the information of the acknowledgement of his resignation, the data relating to his qualification, the date of the last working day, the hours worked and the office to which he belonged. The aforementioned resolution was easily viewable and downloadable through common search engines, by typing only the name and surname of the complainant.
The publication of the resolution in question and its indexing on common search engines were ascertained by the Office on XX. The Office also represented to the Municipality that the communication of the contact details of the Data Protection Officer (hereinafter, “RPD”), as required by art. 37, paragraph 7 of the Regulation, was not in the records.
2. The investigation activity.
With note of XX, the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the investigation activity, notified the Municipality, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, for having disseminated online resolution no. XX of XX containing numerous personal data of the complainant, in particular, in addition to the identification data (name and surname) of the complainant, the office to which the complainant belongs, the data relating to his/her qualification, the hours worked, the date of the last working day and the indication of the acknowledgement of the resignation of the same, in violation of articles 5 and 6 of the Regulation and 2-ter of the Code. Furthermore, the absence of communication of the contact details of the DPO was noted, in violation of art. 37 of the Regulation.
With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the law of 24 November 1981, no. 689).
With a note of XX, the Municipality, which did not request to be heard, presented a defense brief, declaring, in particular, that:
- “in XX, the Authority activated a new application platform for the management of administrative transparency. Following the recovery of data from the previous platform, the system probably proceeded to publish the G.C. resolution of XX in the administrative transparency session”. Only the person who ceased his service is involved in the violation”;
- “it is assumed that it was not the intention of the operators at the time to violate the rules for publishing the data of a colleague. It is assumed that the resolution had been published according to an incorrect procedure of the Transparent Administration and following the change of the Application Platform”;
- “the Authority proceeded to immediately remove the act subject to the dispute from the transparency portal by communicating with the software house and the DPO. The removal of the act from the DOCPLAYER Platform was also requested”;
- “the Municipality […] became aware of the violation following the communication from the Guarantor Authority that received the report from the interested party”.
3. Outcome of the investigation. Applicable legislation.
The personal data protection legislation provides that public bodies, even when they operate in the performance of their duties as employers, can process the personal data of workers, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks provided for by national sector regulations (articles 6, par. 1, letter c), 9, parr. 2, letter b), and 4, and 88 of the Regulation) or “for the performance of a task of public interest or connected to the exercise of public powers vested in the data controller” (article 6, par. 1, letter e), of the Regulation).
More generally, European legislation provides that “Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing, in accordance with paragraph 1, letters c) and e), by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing […]” (Article 6, paragraph 2 of the Regulation). In this regard, it is highlighted that the dissemination of personal data (such as online publication) by public bodies is permitted only when provided for by a law or, in the cases provided for by law, by regulation (Article 2-ter of the Code).
The data controller is required to comply in any case with the principles of data protection (Article 5 of the Regulation).
3.1. The dissemination of personal data.
From the elements acquired and the facts that emerged in the context of the investigation, it is ascertained that the Municipality has published on its institutional website resolution no. XX of XX, easily viewable and downloadable also through common search engines, containing numerous personal data of the complainant, in particular, in addition to the identification data (name and surname), the office to which the complainant belongs, the data relating to his/her qualification, the hours worked, the date of the last working day and the indication of the acknowledgement of the resignation of the same, in violation of articles 5 and 6 of the Regulation and 2-ter of the Code. Furthermore, the absence of communication of the contact details of the DPO was noted, in violation of art. 37 of the Regulation.
In this regard, in confirming that the regulatory framework on the protection of personal data requires for any processing operation (art. 4, point 2 of the Regulation) including dissemination (art. 2-ter paragraph 4 letter b) of the Code) the need to have an appropriate legal basis, it is recalled that the Guarantor has provided indications since 2007 regarding the prerequisites (and, if these are used, the specific methods) for the lawful publication of deeds and documents containing personal data of employees, specifying, in particular, that it is not lawful to disseminate personal information relating to individual workers, concerning, as in the case in question, data relating to the qualification of the interested party, the office to which he belongs, the hours worked, the date of the last working day and the indication of the acknowledgement of the resignation of the same (see paragraph 6.3 of the "Guidelines on the processing of personal data of workers for purposes of managing the employment relationship in the public sector" of 14 June 2007, web doc. n. 1417809; see also provision of 15 May 2014 no. 243 “Guidelines on the processing of personal data, including those contained in administrative deeds and documents, carried out for purposes of advertising and transparency on the web by public bodies and other obliged entities” web doc. no. 3134436).
During the investigation, the Municipality stated that it had “activated a new application platform for the management of administrative transparency. Following the recovery of data from the previous platform, the system probably proceeded to publish the G.C. resolution of the XX in the administrative transparency session” leading the scope of the processing in question to the fulfillment of publication obligations for "transparency" purposes.
However, this regulation does not establish anything with regard to the publication of the resolution that is the subject of this investigation containing information relating to the complainant's employment relationship.
In this regard, the Guarantor has clarified on numerous occasions that even the presence of a specific advertising regime cannot lead to any automaticity with respect to the online dissemination of personal data and information, nor a derogation from the principles regarding the protection of personal data (see, among many, most recently provision of 4 July 2024, no. 404, web doc. 10050145 and previous ones cited therein).
Therefore, also with regard to publication in the "Transparent Administration" section of the institutional website, the Municipality must always verify, on the basis of a responsible and careful evaluation, which data and information to publish in application of the sector legislation that regulates the methods, times and forms of advertising.
In numerous decisions also regarding the obligations arising from art. 124 of Legislative Decree 267/2000, the Guarantor has reiterated that all the limits set by the principles of personal data protection also apply to the publications on the online Notice Board of acts or resolutions, taking into account first of all the existence of suitable conditions for the lawfulness of the online dissemination of the personal data contained therein, even before any minimization of the same.
This is also confirmed by the personal data protection system contained in the Regulation, in light of which it is provided that the data controller must implement "appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed" and must be "able to demonstrate" - in light of the principle of "accountability" - that it has done so (Articles 5, paragraph 2; 24 and 25, paragraph 2, Regulation).
Therefore, where the online publication of documents involves the processing of personal data and therefore their dissemination, the publicity needs pursued must be appropriately balanced with the fundamental rights and freedoms, as well as the dignity of the interested party, with particular reference to confidentiality, personal identity and the right to protection of personal data, identifying as a priority the existence of a suitable legal basis for the dissemination of data (see, most recently, provisions no. 366 of 10 November 2022, web doc. no. 9834986 and no. 299, of 15 September 2022, web doc. no. 9815665).
For the above reasons, the publication by the Municipality on its institutional website of resolution no. XX of XX, viewable and downloadable also through common search engines, containing numerous personal data of the complainant, in particular, in addition to the identification data (name and surname) of the complainant, the office to which the complainant belongs, the data relating to his/her qualification, the hours worked, the date of the last working day and the indication of the acknowledgement of the resignation of the complainant, has given rise to a dissemination of the complainant's personal data in the absence of an appropriate legal basis, in violation of articles 5, 6 of the Regulation, as well as 2-ter of the Code.
3.2 The delay in communicating the contact details of the DPO to the Authority.
Pursuant to art. 37, par. 7, of the Regulation, “the data controller […] publishes the contact details of the data protection officer and communicates them to the supervisory authority” (see par. 2.6 of the “Guidelines on data protection officers”, adopted by the Art. 29 Working Party on 5 April 2017, WP 243 rev. 01, endorsed by the European Data Protection Board with “Endorsement 1/2018”, as well as par. 7 of the “Guideline document on the designation, position and tasks of the Data Protection Officer (RPD) in the public sector”, attached to the provision of 29 April 2021, no. 186, web doc. no. 9589104).
In this regard, during the investigation it was ascertained that the communication of the contact details of the RPD to the Authority took place only on XX and, therefore, up until that date the Municipality acted in violation of art. 37, par. 7, of the Regulation.
4. Conclusions.
In light of the assessments referred to above, it is noted that the statements made by the data controller during the investigation ˗ the truthfulness of which may be held accountable pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow the findings notified by the Office with the act initiating the procedure to be overcome and are insufficient to allow the archiving of the present proceeding pursuant to the combined provisions of arts. 11 and 14 of the Regulation of the Guarantor no. 1/2019.
Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the conduct of the Municipality is noted, for having acted in violation of arts. 5, 6 and 37, par. 7, of the Regulation, as well as 2-ter of the Code.
The violation of the aforementioned provisions occurred as a result of two distinct conducts, relating to the dissemination of personal data (see par. 3.1) and the failure to communicate the contact details of the DPO (see par. 3.2).
5. Warning (art. 58, par. 2, letter b), of the Regulation).
The Guarantor, pursuant to art. 58, par. 2, letter b), of the Regulation, has the power to "address warnings to the controller or processor where the processing has violated the provisions of the […] regulation".
With regard to the specific case, the late communication to the Authority of the contact details of the DPO (see par. 3.2) can be considered a single and distinct conduct.
That said, it is necessary to take into account certain elements, including contextual ones, that emerged during the investigation, which are essential for the purposes of the concrete assessment of the extent of the violations found and the harmfulness of the overall conduct (see recital 148 of the Regulation).
In particular, given that:
- the Municipality is a small entity (approximately 7,000 inhabitants);
- the violation, although negatively impacting the possibility for the Authority to contact the DPO easily and directly, emerged following investigations ordered by the Authority ex officio and no complaints or reports have been received relating to the failure to communicate the DPO's contact details to the interested parties;
the circumstances of the specific case lead to qualifying the same as a "minor violation", pursuant to recital 148, art. 83, paragraph 2, of the Regulation and the "Guidelines on the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) no. 2016/679”, adopted by the Art. 29 Working Party on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with “Endorsement 1/2018” of 25 May 2018.
In light of all of the above and the overall terms of the matter in question, it is therefore considered sufficient to warn the Municipality for the violation of art. 37, par. 7, of the Regulation.
In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation do not exist.
Finally, it is noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 exist.
6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letters i and 83 of the Regulation; art. 166, paragraph 7, of the Code).
The Guarantor, pursuant to arts. 58, par. 2, letters i) and 83 of the Regulation as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the [Guarantor] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).
In this case, the Municipality has implemented a distinct sanctionable conduct, in addition to the conduct referred to in the previous paragraph 5, which must be considered separately for the purposes of quantifying the administrative sanction to be applied as illustrated below.
In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the administrative pecuniary sanction provided for by art. 83, par. 5, of the Regulation.
The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.
Taking into account that:
the dissemination of personal data concerns only one interested party, even if the publication of the resolution occurred for an extremely long period of time and viewable on common search engines (see art. 83, par. 2, letter a), of the Regulation);
the conduct of the Municipality is negligent in nature given that the Municipality declared that the contested resolution was published "according to an incorrect procedure of the Transparent Administration" (see art. 83, par. 2, letter b), of the Regulation);
the publication did not concern personal data belonging to the special categories referred to in art. 9 of the Regulation or data relating to criminal convictions or offences (see art. 83, par. 2, letter g), of the Regulation),
it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).
That said, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into account:
there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures referred to in art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);
the Municipality offered good cooperation with the Authority during the investigation (see art. 83, par. 2, letter f), of the Regulation).
In light of the above elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of Euro 6,000 (six thousand) for the violation of arts. 5 and 6 of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.
In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor. This is in consideration of the specific circumstance that resolution no. XX of XX, although referring to a single interested party, was published online for a considerable period of time (about 10 years).
In this context, considering, in any case, that the conduct has exhausted its effects, given that the Municipality, as soon as it became aware of it following the notification of the violation by the Guarantor (note of XX), proceeded to remove resolution no. XX of XX from its institutional website, the conditions for the adoption of further corrective measures pursuant to art. 58, paragraph 2, of the Regulation do not exist. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met. GIVEN ALL THE ABOVE, THE GUARANTOR pursuant to art. 57, par. 1, letter f) and 83, of the Regulation, notes the unlawfulness of the processing carried out by the Municipality of Corte Franca for violation of art. 5 and 6 of the Regulation, as well as 2-ter of the Code, in the terms set out in the reasons; pursuant to art. 58, par. 2, letter b) of the Regulation, warns the Municipality for having violated art. 37, par. 7, of the Regulation, as described above ORDERS to the Municipality of Corte Franca, in the person of its legal representative pro-tempore, with registered office in Piazza Di Franciacorta 1 - 25040 Corte Franca (BS) - C.F. 00789430170, to pay the sum of Euro 6,000 (six thousand) as an administrative fine for the violations indicated in the reasons; ORDERS the aforementioned Municipality, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 6,000 (six thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is represented that, pursuant to art. 166, paragraph 8, of the Code, the right of the offender to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the deadline referred to in art. 
10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011, provided for the filing of the appeal as indicated below; ORDERS a) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor; b) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Authority; c) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation. Pursuant to Articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 12 December 2024 THE PRESIDENT Stanzione THE REPORTER Scorza THE DEPUTY SECRETARY GENERAL Filippi [web doc. no. 10102355] Provision of 12 December 2024 Register of provisions no. 768 of 12 December 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General; HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”); HAVING SEEN Legislative Decree no. 
30 June 2003 196 containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (hereinafter “Code”); SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Data Protection Authority Regulation no. 1/2019”); Having seen the documentation in the files; Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. n. 1098801; Rapporteur: lawyer Guido Scorza; WHEREAS 1. Introduction. With a complaint filed pursuant to art. 77 of the Regulation, Mr. XX complained about the online publication on the website of the Municipality of Corte Franca (hereinafter “Municipality”), where he worked, of resolution n. XX of XX containing his personal data, in particular, the information of the acknowledgement of his resignation, the data relating to his qualification, the date of the last working day, the hours worked and the office he belongs to. The aforementioned resolution was easily viewable and downloadable through common search engines, by typing only the name and surname of the complainant. The publication of the resolution in question and its indexing on common search engines were ascertained by the Office on XX. 
The Office also informed the Municipality that the communication of the contact details of the Data Protection Officer (hereinafter, “RPD”), as required by art. 37, paragraph 7 of the Regulation, was not in the records. 2. The preliminary investigation. With a note of XX, the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Municipality, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, for having disseminated online resolution no. XX of XX containing numerous personal data of the complainant, in particular, in addition to the identification data (name and surname) of the complainant, the office to which the complainant belongs, the data relating to his/her qualification, the hours worked, the date of the last working day and the indication of the acknowledgement of the resignation of the same, in violation of articles 5 and 6 of the Regulation and 2-ter of the Code. Furthermore, the absence of communication of the contact details of the DPO was noted, in violation of art. 37 of the Regulation. With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the law of 24 November 1981, no. 689). With a note of XX, the Municipality, which did not request to be heard, presented a defense brief, declaring, in particular, that: - “in XX, the Authority activated a new application platform for the management of administrative transparency. Following the recovery of data from the previous platform, the system probably proceeded to publish the G.C. resolution of XX in the administrative transparency session”. 
Only the person who ceased his service is involved in the violation”; - “it is assumed that it was not the intention of the operators at the time to violate the rules for publishing the data of a colleague. It is assumed that the resolution had been published according to an incorrect procedure of the Transparent Administration and following the change of the Application Platform”; - “the Authority proceeded to immediately remove the act subject to the dispute from the transparency portal by communicating with the software house and the DPO. The removal of the act from the DOCPLAYER Platform was also requested”; - “the Municipality […] became aware of the violation following the communication from the Guarantor Authority that received the report from the interested party”. 3. Outcome of the investigation. Applicable legislation. The personal data protection legislation provides that public bodies, even when they operate in the performance of their duties as employers, can process the personal data of workers, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks provided for by national sector regulations (articles 6, par. 1, letter c), 9, parr. 2, letter b), and 4, and 88 of the Regulation) or “for the performance of a task of public interest or connected to the exercise of public powers vested in the data controller” (article 6, par. 1, letter e), of the Regulation). More generally, European legislation provides that “Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing in accordance with paragraph 1, points (c) and (e), by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing […]” (Article 6, paragraph 2 of the Regulation). 
In this regard, it is highlighted that the dissemination of personal data (such as online publication) by public bodies is permitted only when provided for by a law or, in the cases provided for by law, by a regulation (Article 2-ter of the Code). The data controller is required to comply in any case with the principles of data protection (art. 5 of the Regulation).
3.1. The dissemination of personal data.
From the elements acquired and the facts that emerged during the investigation, it is established that the Municipality published on its institutional website resolution no. XX of XX, easily viewable and downloadable also through common search engines, containing numerous personal data of the complainant, in particular, in addition to the identification data (name and surname), the office to which the complainant belongs, the data relating to his/her qualification, the hours worked, the date of the last working day and the indication of the acknowledgement of the resignation of the complainant, in violation of arts. 5 and 6 of the Regulation and 2-ter of the Code. Furthermore, the absence of communication of the contact details of the DPO was noted, in violation of art. 37 of the Regulation.
In this regard, in confirming that the regulatory framework on the protection of personal data requires an appropriate legal basis for any processing operation (art. 4, point 2 of the Regulation), including dissemination (art. 2-ter, paragraph 4, letter b) of the Code), it is recalled that the Guarantor has provided indications since 2007 regarding the prerequisites (and, if these are met, the specific methods) for the lawful publication of deeds and documents containing personal data of employees, specifying, in particular, that it is not lawful to disseminate personal information relating to individual workers, concerning, as in the case in question, data relating to the qualification of the interested party, the office to which he belongs, the hours worked, the date of the last working day and the indication of the acknowledgement of the resignation of the same (see paragraph 6.3 of the “Guidelines on the processing of personal data of workers for purposes of managing the employment relationship in the public sector” of 14 June 2007, web doc. no. 1417809; see also provision of 15 May 2014 no. 243 “Guidelines on the processing of personal data, including those contained in administrative deeds and documents, carried out for purposes of publicity and transparency on the web by public bodies and other obliged entities” web doc. no. 3134436).
During the investigation, the Municipality stated that it had “activated a new application platform for the management of administrative transparency. Following the recovery of data from the previous platform, the system probably proceeded to publish the G.C. resolution of the XX in the administrative transparency session”, thereby tracing the processing in question back to the fulfillment of publication obligations for “transparency” purposes. However, this regulation does not establish anything with regard to the publication of the resolution that is the subject of this investigation containing information relating to the complainant's employment relationship.
In this regard, the Guarantor has clarified on numerous occasions that even the presence of a specific publicity regime cannot lead to any automaticity with respect to the online dissemination of personal data and information, nor to a derogation from the principles regarding the protection of personal data (see, among many, most recently provision of 4 July 2024, no. 404, web doc. 10050145 and previous ones cited therein).
Therefore, also with regard to the publication in the “Transparent Administration” section of the institutional website, the Municipality must always verify, on the basis of a responsible and careful assessment, which data and information to publish in application of the sector legislation that regulates the methods, times and forms of publicity.
In numerous decisions also regarding the obligations deriving from art. 124 of Legislative Decree 267/2000, the Guarantor reiterated that all the limits set by the principles of personal data protection also apply to publications on the online Notice Board of acts or resolutions, taking into account first of all the existence of suitable conditions for the lawfulness of the online dissemination of the personal data contained therein, even before any minimization of the same.
This is also confirmed by the personal data protection system contained in the Regulation, in light of which it is provided that the data controller must implement “appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed” and must be “able to demonstrate”, in light of the principle of “accountability”, that it has done so (Articles 5, paragraph 2; 24 and 25, paragraph 2, Regulation).
Therefore, where the online publication of documents involves the processing of personal data and therefore their dissemination, the publicity needs pursued must be appropriately balanced with the fundamental rights and freedoms, as well as the dignity of the interested party, with particular reference to confidentiality, personal identity and the right to protection of personal data, identifying as a priority the existence of a suitable legal basis for the dissemination of data (see, most recently, provisions no. 366 of 10 November 2022, web doc. no. 9834986 and no. 299, of 15 September 2022, web doc. no. 9815665).
For the above reasons, the publication by the Municipality on its institutional website of resolution no. XX of XX, viewable and downloadable also through common search engines, containing numerous personal data of the complainant, in particular, in addition to the identification data (name and surname) of the complainant, the office to which the complainant belongs, the data relating to his/her qualification, the hours worked, the date of the last working day and the indication of the acknowledgement of the resignation of the complainant, has given rise to a dissemination of the complainant's personal data in the absence of an appropriate legal basis, in violation of articles 5, 6 of the Regulation, as well as 2-ter of the Code.
3.2 The delay in communicating the contact details of the DPO to the Authority.
Pursuant to art. 37, par. 7, of the Regulation, “the data controller […] publishes the contact details of the data protection officer and communicates them to the supervisory authority” (see par. 2.6 of the “Guidelines on data protection officers”, adopted by the Art. 29 Working Party on 5 April 2017, WP 243 rev. 01, endorsed by the European Data Protection Board with “Endorsement 1/2018”, as well as par. 7 of the “Guideline document on the designation, position and tasks of the Data Protection Officer (RPD) in the public sector”, attached to the provision of 29 April 2021, no. 186, web doc. no. 9589104).
In this regard, during the investigation it was ascertained that the communication of the contact details of the RPD to the Authority took place only on XX and, therefore, up until that date the Municipality acted in violation of art. 37, par. 7, of the Regulation.
4. Conclusions.
In light of the assessments referred to above, it is noted that the statements made by the data controller during the investigation (for the truthfulness of which it may be held accountable pursuant to art. 168 of the Code), although worthy of consideration, do not allow the findings notified by the Office with the act initiating the procedure to be overcome and are insufficient to allow the archiving of the present proceeding pursuant to the combined provisions of arts. 11 and 14 of the Regulation of the Guarantor no. 1/2019.
Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the conduct of the Municipality is noted, for having acted in violation of arts. 5, 6 and 37, par. 7, of the Regulation, as well as 2-ter of the Code.
The violation of the aforementioned provisions occurred as a result of two distinct conducts, relating to the dissemination of personal data (see par. 3.1) and the failure to communicate the contact details of the DPO (see par. 3.2).
5. Warning (art. 58, par. 2, letter b), of the Regulation).
The Guarantor, pursuant to art. 58, par. 2, letter b), of the Regulation, has the power to “address warnings to the controller or processor where the processing has violated the provisions of the […] regulation”.
With regard to the specific case, the late communication to the Authority of the contact details of the DPO (see par. 3.2) can be considered a single and distinct conduct.
That said, it is necessary to take into account certain elements, including contextual ones, that emerged during the investigation, which are essential for the purposes of the concrete assessment of the extent of the violations found and the harmfulness of the overall conduct (see recital 148 of the Regulation).
In particular, given that:
- the Municipality is a small entity (approximately 7,000 inhabitants);
- the violation, although negatively impacting the possibility for the Authority to contact the DPO easily and directly, emerged following investigations ordered by the Authority ex officio and no complaints or reports have been received relating to the failure to communicate the DPO's contact details to the interested parties;
the circumstances of the specific case lead to qualifying the same as a “minor violation”, pursuant to recital 148, art. 83, paragraph 2, of the Regulation and the “Guidelines on the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) no. 2016/679”, adopted by the Art. 29 Working Party on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with “Endorsement 1/2018” of 25 May 2018.
In light of all of the above and the overall terms of the matter under examination, it is therefore considered sufficient to warn the Municipality for the violation of art. 37, par. 7, of the Regulation.
In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation do not exist.
Finally, it is noted that the conditions set out in Article 17 of Regulation No. 1/2019 are met.
6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; Article 166, paragraph 7, of the Code).
The Guarantor, pursuant to Articles 58, paragraph 2, letter i), and 83 of the Regulation as well as Article 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the [Guarantor] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).
In this case, the Municipality has implemented a distinct sanctionable conduct, in addition to the conduct referred to in the previous paragraph 5, which must be considered separately for the purposes of quantifying the administrative sanction to be applied as illustrated below.
In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the administrative pecuniary sanction provided for by art. 83, par. 5, of the Regulation.
The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.
Taking into account that:
- the dissemination of personal data concerns only one interested party, even though the resolution remained published for an extremely long period of time and was viewable through common search engines (see art. 83, par. 2, letter a), of the Regulation);
- the conduct of the Municipality is negligent in nature given that the Municipality declared that the contested resolution was published “according to an incorrect procedure of the Transparent Administration” (see art. 83, par. 2, letter b), of the Regulation);
- the publication did not concern personal data belonging to the special categories referred to in art. 9 of the Regulation or data relating to criminal convictions or offences (see art. 83, par. 2, letter g), of the Regulation),
it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).
That said, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into account:
- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the facts of the complaint, or previous measures referred to in art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation);
- the Municipality offered good cooperation with the Authority during the investigation (see art. 83, par. 2, letter f), of the Regulation).
In light of the above elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of Euro 6,000 (six thousand) for the violation of articles 5 and 6 of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.
In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor. This is in consideration of the specific circumstance that resolution no. XX of XX, although referring to a single interested party, was published online for a considerable period of time (about 10 years).
In this context, considering, in any case, that the conduct has exhausted its effects, given that the Municipality, as soon as it became aware of it following the notification of the violation by the Guarantor (note of XX), proceeded to remove resolution no. XX of XX from its institutional website, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation do not exist.
Finally, it is noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 exist.
GIVEN ALL THE ABOVE, THE GUARANTOR
pursuant to art. 57, par. 1, letter f) and 83, of the Regulation, notes the unlawfulness of the processing carried out by the Municipality of Corte Franca due to violation of arts. 5 and 6 of the Regulation, as well as 2-ter of the Code, in the terms set out in the reasons;
pursuant to art. 58, par. 2, letter b) of the Regulation, warns the Municipality for having violated art. 37, par. 7, of the Regulation, as described above
ORDERS
the Municipality of Corte Franca, in the person of its legal representative pro-tempore, with registered office in Piazza Di Franciacorta 1 - 25040 Corte Franca (BS) - C.F. 00789430170, to pay the sum of Euro 6,000 (six thousand) as an administrative pecuniary sanction for the violations indicated in the reasons;
ORDERS
the aforementioned Municipality, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 6,000 (six thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981.
It is noted that, pursuant to art. 166, paragraph 8, of the Code, the offender has the right to settle the dispute by paying, always according to the methods indicated in the attachment, an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below;
ORDERS
a) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;
b) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the Authority's website;
c) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.
Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.
Rome, 12 December 2024
THE PRESIDENT
Stanzione
THE REPORTER
Scorza
THE VICE SECRETARY GENERAL
Filippi