Garante per la protezione dei dati personali (Italy) - 9283014

From GDPRhub
- 9283014
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(2) GDPR
Article 6(3) GDPR
Article 2-ter (1)(3) of the Italian Privacy Code
Article 2-septies of the Italian Privacy Code
Type: Complaint
Outcome: Upheld
Started:
Decided: 31. 01. 2020
Published: n/a
Fine: 4 000 EUR
Parties: High school in Torre del Greco
National Case Number/Name: 9283014
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: n/a

The Italian Data Protection Authority (Garante) imposed a fine of EUR 4,000 on a high school for having published full lists of teachers on its official website. The data controller disseminated personal data of teachers, as well as data related to their health status, without appropriate legal grounds, as required by art. 6 GDPR and art 2-ter and 2-septies of the Italian Privacy Code, and going against the principles of fairness and minimisation set forth by art. 5 GDPR.

English Summary

Facts

The Garante examined a complaint submitted by a citizen against a high school based in municipality of Torre del Greco. The school disseminated a disproportionate amount of teachers' personal data, including email address, fiscal code and information related to health status, contained in some lists of teachers published in the official website. Indeed, the school inserted a specific sign next to the name of the teachers who are civilian disabled and invalids. However, then the school had already deleted the document when the Garante opened the proceeding.

Dispute

Based on the complaint, the Garante examined whether the dissemination of teachers' personal data was unlawful.

Holding

The Garante declared that the school, while having the right to publish the lists of teachers for transparency purposes, was required not to carry out disproportionate processing of personal data, in breach of art. 5(1) (a)(c) GDPR. Moreover, the dissemination of unnecessary information such as email address, fiscal code and health status is not in line with the guidelines issued by the DPA on the online processing of data carried out by public bodies for transparency purposes (see https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3134436 - ITA language). It also found that the data controller did not rely on appropriate legal grounds while processing teachers' personal data, as it was not based on the cases set forth by art. 6(1) (c)(e) GDPR. Furthermore, given that the school was not complying with a legal obligation, nor performing a task carried out in the public interest, the dissemination of personal data, included information related to health status, was unlawful according to art. 2-ter and 2-septies of the Italian Privacy Code. Eventually, the Garante imposed a fine of EUR 4.000, considering the amount and sensitiveness of disseminated data, and, on the other hand, the small budget of the school and the deletion of the document before the proceeding started.

Comment

Feel free to add your comment here

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the ***Italian*** original. Please refer to the ***Italian*** original for more details.

to be completed