
Garante per la protezione dei dati personali (Italy) - 10102444

From GDPRhub
Garante per la protezione dei dati personali - 10102444
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(15) GDPR
Article 5(1)(c) GDPR
Article 5(1)(f) GDPR
Article 9 GDPR
Article 32 GDPR
Article 33 GDPR
Article 58(2) GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published: 12.12.2024
Fine: 5,000 EUR
Parties: n/a
National Case Number/Name: 10102444
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: ligialagev

The DPA fined a health authority €5,000 for unlawfully disclosing patients' health data to several companies and external parties after a doctor shared a list of patients to justify changes to his work schedule.

English Summary

Facts

The Health Authority of South Tyrol, the controller, notified the DPA of a data breach. The data breach happened after one of its doctors sent an email, containing personal data, to several companies and external parties.

The email, which was intended to clarify the doctor's working hours, included an attachment containing personal data of 13 patients (the data subjects) seen on a specific day. The disclosed information included the data subjects' names, dates of birth, residences, locations where services were provided, types of services received, payment status, exemption codes, tax ID numbers, and phone numbers.

Holding

First, the DPA found that the controller violated Articles 5(1)(c) and (f), 9, and 32 GDPR by processing health data without a proper legal basis and failing to ensure appropriate security of the processing.

Second, the DPA determined that while the doctor's goal of providing information about working hours was legitimate, it could have been achieved in compliance with the data minimization principle, as per Article 5(1)(c) GDPR, without transmitting patient documentation, including information about service types, locations, and exemption codes.

Third, the DPA found that the controller failed to implement appropriate technical and organizational measures as required by Article 32 GDPR. Specifically, the controller should have provided healthcare professionals with specific instructions on processing patient health data and emphasized the special protection required for such data.

Finally, the DPA held that the violation was aggravated by the fact that health data, as per Article 9(1) GDPR and Article 4(15) GDPR, was disclosed to multiple recipients without proper safeguards, even though some recipients were bound by professional secrecy.

On these grounds, the DPA deemed it appropriate to fine the controller €5,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10102444]
Provision of 12 December 2024
Register of provisions
no. 770 of 12 December 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General;
HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);
HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code”, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “Code”);
HAVING SEEN Legislative Decree no. 101 of 10 August 2018, containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”;
HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Data Protection Authority, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Data Protection Authority Regulation no. 1/2019”);
HAVING SEEN the documentation in the files;
HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Data Protection Authority Regulation no. 1/2000 on the organization and functioning of the office of the Data Protection Authority, web doc. no. 1098801;
Rapporteur: Prof. Ginevra Cerrina Feroni;
WHEREAS
1. Violation of personal data
With note of XX, subsequently integrated with communication of XX, the Alto Adige Health Authority, hereinafter “Company” sent the Authority, pursuant to art. 33 of the Regulation, a notification of violation of personal data, in which it was declared that “a contracted doctor who works at the Health Authority’s clinics, in relation to the topic of “reduction of service hours”, wrote to various company and external subjects (info@ordinemedici.bz.it) attaching to his communication the list of patients visited on a given day. The communication was sent in clear text and contained the following data: name – surname – date of birth – residence of the patient as well as place of provision of the service, service provided, indication of paying patient, exempt (with indication of the exemption code), tax code and mobile number”.
In the same communication, it was highlighted that "the author of the violation sent the attachment with the violated data to 15 different corporate structures and subjects, including the provincial medical association, in a single email communication" and that, as technical and organizational measures adopted (or proposed to be adopted) to remedy the violation and reduce its negative effects on the interested parties and to prevent similar future violations, the following were indicated: "Involvement of the DPO; Request to all structures and subjects that received the attachment to proceed with its deletion; Initiation of disciplinary proceedings; Initiation of the procedure for reporting the incident to the medical association"; "the Company has been provided with instructions on the correct method of sending the so-called sensitive data - these instructions are available on the intranet page, privacy section of the Company itself". The same Company has sent in attachment the documentation containing the aforementioned email, from which it can be deduced that the transmission of the list of patients (13) was carried out in order to provide clarifications regarding the working hours carried out (“hereby to underline that the hours written in the resolution concerning the day of Tuesday at the Laives clinic are not the actual ones with respect to the list of patients set by the CUP. See attached example”).
2. Notification of violations and defensive briefs
With regard to the case described, the Office, on the basis of what was represented by the data controller in the notification of violation as well as subsequent assessments, notified the Company, with document no. XX of XX, pursuant to art. 166, paragraph 5, of the Code, of the initiation of a procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, inviting the aforementioned controller to produce written defenses or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981). In particular, the Authority considered that the sending, by the healthcare professional who worked at the Company, to several subjects, including the Medical Association, of an email containing attached health data of 13 patients, entailed, on the part of the Company, data processing in the absence of a suitable legal basis. Therefore, with the aforementioned act no. XX of XX, the Authority considered that the Company, in its capacity as controller of the personal data in question, had violated the principles set out in art. 5, paragraph 1, letters c) and f) and 9 of the Regulation and the obligations regarding the security of processing, set out in art. 32 of the same Regulation.
The Company has submitted its defense briefs, pursuant to art. 166, paragraph 6, of the Code. In particular, with note of XX, it has clarified what was expressed in the notification of violation, declaring, among other things, that:
- "the episode involved 13 interested parties";
- "the communication was sent specifically to the general medicine service, to the dental coordination/service, to the coordination of the reference district, to the Cup service, to the personnel office responsible for managing working hours, to the Health Services and Territorial Assistance Department as well as to the Bolzano Zonal Committee, all entities belonging to the Bolzano Health District, and finally to the medical association (general address of the association)";
- “the communication therefore reached both healthcare professionals and administrative staff of the Health Authority as well as external parties (health professionals and administrative staff), all of whom are required, depending on their professional role, to respect professional secrecy and/or official secrecy”;
- “the Privacy Control Room proceeded to request the initiation of disciplinary proceedings. The doctor sent a note to the relevant manager in which he highlighted the following: «At that moment, I repeat WRONGLY, I did not reflect on the fact that I should have deleted the names of the patients. For me, it was the transmission of the patient list that did not contain data relating to the state of health of all the subjects included in the email sent to me that I thought needed this information for a purely organizational issue of work activity. Since the telephone communication was not sufficient, and I was asked to better explain the change in hours, making a mistake, I attached an explanatory example that showed the actual hours that were then corrected. Regretting my “carelessness” that triggered this problem, I have already deleted the email as requested and I offer my most sincere apologies";
- "the Company does not see the professional's actions as malicious behavior";
- the measures adopted to mitigate the effects of the violation for the interested parties were: "request to all the structures and subjects that received the attachment to proceed with its cancellation";
- "the Company had already sent its employees a specific note on the correct management of emails and attachments on XX, in this regard with a further communication on XX the Company has made available to its employees specific operational instructions on how to password protect attachments. These provisions were then made available on the company intranet page";
- "on XX the Company forwarded a note to all employees on the correct identification of the interested parties (users, patients of the Health Company). The purpose of the note is to remind all collaborators that, regardless of their professional role, it is everyone's responsibility to ensure that each communication sent on paper or electronically is done after correct identification of the recipient";
- "the Health Authority has always promptly responded to the various requests of the Guarantor Authority in the proceedings involving it before the Authority".
On XX, the hearing requested by the party was held, during which the party specified that:
- "despite the instructions provided to operators regarding compliance with the regulations on the protection of personal data, a doctor of the Company sent a communication to multiple recipients containing the list of patients he would have visited";
- "disciplinary proceedings were started immediately after the event against the Sumaist doctor, with subsequent communication to the relevant professional association and the Company took the opportunity to reiterate the instructions already provided in the past";
- “none of the interested parties have formally filed a complaint or grievance against the Company, which became aware of the event following a report by employees of the Company itself”;
- “the Company has asked the recipients of the email to delete the data improperly received”;
- “in April, the Company activated mass training for all employees through FAD methods; to date, 4,026 employees have registered, of whom 2,426 have already taken the course; it is intended to activate a further edition of the same course in the next 2 months which will involve another 5,000 employees, with the aim, in any case, of training all employees, including future ones, who carry out their professional activity at the Company”;
- “the controller is planning more specific training involving only healthcare professionals, also targeting non-employee workers, such as the doctor involved in the data breach”;
- “the Company has issued several circulars regarding the protection of personal data addressed to employees and published on the Company’s intranet”.
3. The outcome of the investigation
Having taken note of what was represented by the Company during the proceedings, it is noted that:
“personal data” means “any information relating to an identified or identifiable natural person (“data subject”)” and “health data” means “data relating to the state of health of the data subject that reveal information connected to the past, present or future state of physical or mental health of the same. These include information on the natural person collected during his/her registration for the purpose of receiving health care services or the related provision referred to in Directive 2011/24/EU of the European Parliament and of the Council; a number, symbol or specific element attributed to a natural person to uniquely identify him/her for health purposes” (Article 4, paragraph 1, nos. 1 and 15 of the Regulation; Recital 35);
the Court of Cassation held that “the very fact of communicating the need for health treatment and, therefore, the existence of a “disease” in a broad sense – understood therefore as a situation that makes health treatment necessary – relates to health data: that is, for this purpose, it is not necessary to specify which treatment or which disease it is” (Sent. n. 28417/2023; see also, press release of the Court of Justice of the European Union n. 159/24, in relation to the judgment of 4 October 2024, in case C-21/23);
“communication” means “giving knowledge of personal data to one or more specific subjects other than the data subject, the representative of the controller in the territory of the European Union, the processor or his representative in the territory of the European Union, the persons authorised, pursuant to art. 2-quaterdecies, to the processing of personal data under the direct authority of the controller or the processor, in any form, including by making them available, consulting them or by interconnecting them” (art. 2-ter, paragraph 4, letter a) of the Code);
information on the state of health can be communicated only to the data subject and can be communicated to third parties only on the basis of an appropriate legal basis (art. 9 of the Regulation);
the data controller is required to comply with the principles of data protection, including those of “minimization” and “integrity and confidentiality”, according to which personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” and “processed in a manner that ensures appropriate security (…), including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures” (art. 5, paragraph 1, letter c) and f) of the Regulation).
The adequacy of such measures must be assessed by the data controller with respect to the nature of the data, the object, the purposes of the processing and the risk for the fundamental rights and freedoms of the data subjects, taking into account the risks arising from the destruction, loss, modification, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed (Article 32, paragraphs 1 and 2 of the Regulation).
4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to Article 58, paragraph 2, of the Regulation
In light of the above, it emerges that the doctor's conduct was aimed, as stated by him, at providing clarifications regarding his working hours. This purpose could have been achieved, in compliance with the aforementioned principle of minimization, without transmitting the documentation relating to the patients, including information on the type and location of the service and on the exemption code.
Furthermore, in compliance with the principle of integrity and confidentiality of data and the obligation to adopt adequate technical and organizational measures to guarantee a level of security appropriate to the risk, in consideration of the particular category of data processed, the Company should have provided specific instructions to healthcare professionals who process health data of patients of the Company and draw attention to the regulations on the protection of personal data and the greater protection that health data deserve, which, by their nature, are particularly sensitive in terms of fundamental rights and freedoms, considering that the context of their processing could create significant risks for fundamental rights and freedoms.
In light of the above assessments, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false documents or deeds is liable pursuant to art. 168 of the Code (“False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor”), the elements provided by the data controller in the defense statement referred to above and during the hearing do not allow the findings notified by the Office with the aforementioned act of initiation of the proceeding to be overcome, since none of the cases provided for by art. 11 of the Guarantor regulation no. 1/2019 apply. In light of the above, it is noted that the described conduct of the healthcare professional (sending to several subjects, including the Medical Association, an email containing attached health data of 13 patients of the Company) resulted in the same Company communicating health data in the absence of a suitable legal basis; this, in violation of the principles set out in art. 5, par. 1, letter c) and f) and 9 of the Regulation and the obligations regarding the security of processing, set out in art. 32 of the same Regulation.
Finally, it is believed that the conditions set out in art. 17 of the Regulation of the Guarantor no. 1/2019 are met.
5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code)
The violation of arts. 5, par. 1, letter c), f), 9 and 32 of the Regulation, caused by the conduct carried out by the Company, is subject to the application of the administrative pecuniary sanction pursuant to art. 83, par. 4 and 5 of the Regulation.
The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18, law 24 November 1981 n. 689), in relation to the processing of personal data carried out by the Company, which has been ascertained to be unlawful, in the terms set out above.
Considering it necessary to apply par. 3 of art. 83 of the Regulation where it provides that "if, in relation to the same processing or connected processing, a data controller [...] violates, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5.
In light of the above and, in particular, of the category of personal data affected by the violation which, by their nature, are particularly sensitive in terms of fundamental rights and freedoms, it is believed that the level of severity of the violation committed by the Company is high (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60), despite the non-intentional nature of the violation.
Having said this, having assessed certain elements as a whole and, in particular, that:
- the Guarantor has become aware of the event following the notification of violation made by the Company, pursuant to art. 33 of the Regulation and no complaints or reports have been received in relation to the violation which is the subject of this provision (art. 83, par. 2, letters h) and k) of the Regulation);
- the controller, in order to avoid a repetition of the event that occurred, has activated an intense training activity for the staff, planning a more specific one for healthcare professionals only, and has cooperated with the Authority in every phase of the investigation, in order to remedy the violation and mitigate its possible negative effects, also asking the recipients of the email to delete the data improperly received (art. 83, par. 2, letters c) and f) of the Regulation);
- the controller has already been the recipient of a sanctioning provision from the Guarantor for previous relevant violations (provision of 22 February 2024, no. 97, web doc. no. 10001279);
it is believed that the amount of the pecuniary sanction provided for by art. 83, par. 5 of the Regulation should be determined in the amount of €5,000.00 (five thousand) for the violation of arts. 5, 9 and 32 of the same Regulation, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.
In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor n. 1/2019, it is necessary to proceed with the publication of this section of the decision containing the injunction order on the website of the Guarantor. This is in consideration of the type of personal data subject to unlawful processing and the processing operation carried out on them.
GIVEN ALL THE ABOVE, THE GUARANTOR
pursuant to arts.57, par. 1, letter f) and 83, of the Regulation, finds the unlawfulness of the processing carried out by the Azienda Sanitaria dell'Alto Adige, with registered office in Bolzano, via Thomas Alva Edison, 10 D, 39100, C.F. – P.I. n. 00773750211, for the violation of the basic principles of processing pursuant to art. 5, par. 1, letter c), f), 9 of the Regulation and the obligations pursuant to art. 32 of the same Regulation, within the terms set out in the reasons;
ORDERS
pursuant to art. 58, par. 2, letter i) of the Regulation, to the Azienda Sanitaria dell'Alto Adige, to pay the sum of Euro 5,000.00 (five thousand/00) as an administrative pecuniary sanction, for the violation indicated in this provision;
ORDERS
the aforementioned Company to pay the sum of Euro 5,000.00 (five thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is noted that, pursuant to art. 166, paragraph 8, of the Code, the offender has the right to settle the dispute by paying, always according to the methods indicated in the attachment, an amount equal to half of the fine imposed within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below;
ORDERS
a) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;
b) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the Authority's website;
c) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.
Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.
Rome, 12 December 2024
THE PRESIDENT
Stanzione
THE REPORTER
Cerrina Feroni
THE VICE SECRETARY GENERAL
Filippi