Garante per la protezione dei dati personali (Italy) - 9778996
Garante per la protezione dei dati personali - 9778996 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1) GDPR; Article 6(1)(c) GDPR; Article 6(1)(e) GDPR; Article 6(2) GDPR; Article 6(3) GDPR; Article 17 GDPR; Art. 19 d.lgs. n. 33 del 14 marzo 2013; Art. 2-ter d.lgs. 30 giugno 2003, n. 196 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 28.04.2022 |
Published: | |
Fine: | 3000 EUR |
Parties: | an unnamed data subject; Comune di Monte Sant'Angelo |
National Case Number/Name: | 9778996 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Garante per la Protezione dei Dati Personali (in IT) |
Initial Contributor: | Carloc |
The Italian DPA fined a municipality €3,000 for publishing the name of an excluded candidate of a competition procedure on its website without a legal basis and for rejecting the candidate's request for erasure.
English Summary
Facts
The municipality of Monte Sant'Angelo is the controller. The data subject is an excluded candidate from a competition procedure.
The municipality published the results for a competition procedure on its website. The information included the names of the candidates who were excluded from the procedure. The web page was indexed on search engines.
An excluded candidate asked the municipality to remove their name from the website. The municipality rejected the request. It claimed that public disclosure of the information was mandatory under Italian law (legislative decree 33/2013[1]).
The candidate later submitted a complaint to the Italian DPA.
The controller removed the data subject's name from its website after receiving an information request from the DPA.
Holding
The DPA held that the controller violated Article 5(1)(a) (principle of lawfulness) and 6 (lawfulness of processing) GDPR by processing personal data without a legal basis. Specifically, the controller violated paragraphs (1)(c), (1)(e), (2), and (3) of Article 6.
The DPA noted that legislative decree 33/2013[1] (and Italian administrative law in general) only requires public administrations to publicly disclose the identity of the winners of competition procedures. The controller was under no legal obligation to disclose the name of the data subject, who was excluded from the procedure. The DPA pointed out that its own guidelines[2] and case law[3][4][5] endorse the same approach.
The DPA also held that the controller violated Article 2-ter(1)(3)[6] of the Italian Privacy Code. Article 2-ter provides rules for the processing of personal data by public administrations under paragraphs (1)(c) and (1)(e) of Article 6 GDPR. The violation of Article 2-ter of the Code is a direct consequence of the violation of Articles 5 and 6 GDPR.
Finally, the DPA held that the controller violated Article 17 GDPR by rejecting the data subject's request for erasure.
Comment
The DPA mentioned that the data was only erased 7 years after the initial disclosure. The DPA did not disclose the dates of the complaint and of the data subject's erasure request.
The Italian Privacy Code was amended in between the events and the DPA's decision. In accordance with the principles of Italian administrative law, the DPA referred to the version in force at the time of the violation (the 2018 version, modified by legislative decree 101/2018[7]). The Code was last amended in 2021 (d.l. 8 ottobre 2021, n. 139[8]) before the decision.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web n. 9778996]
Injunction order against the Municipality of Monte Sant'Angelo - April 28, 2022
Record of measures n. 151 of 28 April 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");
GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46/EC" (hereinafter the "Code");
GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");
Having seen the documentation in the deeds;
Given the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web n. 1098801;
Rapporteur the lawyer Guido Scorza;
WHEREAS
1. The complaint.
With a complaint of the XXth, the publication, on the institutional website of the municipality of Monte Sant'Angelo (hereinafter the "Municipality"), of the "rankings of those admitted subject to the pre-selection test and the list of those admitted and not admitted to the subsequent written test" of a selective procedure, in which the complainant had participated, which ended "in April XX with regular recruitment of suitable and winning candidates", whose preselective test was held in September XX, was complained of. These rankings were also indexed on search engines.
Following an application for the exercise of the rights by the complainant, with which the same requested the cancellation of personal data referred to him, the Municipality, with a note of the XXth, informed the interested party that "from survey of the ranking approved with managerial determination, the sensitive data" of the complainant is not highlighted, stating that the Municipality was in any case required to observe the terms of publication of the documents in accordance with the provisions of Legislative Decree no. 33 of 14 March 2013.
2. The preliminary activity.
With a note of the twentieth, the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged as a result of the investigation, notified the Municipality, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, par. 1, lett. a) and c), 6, paragraph 1, lett. c) and e), 2 and 3, lett. b) and art. 17 of the Regulations as well as art. 2-ter, paragraphs 1 and 3 of the Code (in the text prior to the changes made by Legislative Decree No.
139 of 8 October 2021, in force at the time of the facts subject of the complaint), inviting the aforementioned owner to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law no. 689 of November 24, 1981).
The Municipality sent its defense briefs, with note XX, representing that:
- "on XX [the final ranking was published] of the public selection tests [in question] making the personal data of the candidates completely anonymous, including name and surname, since it is a small municipality in which even the initials alone would have resulted insufficient to not allow the identification of the interested parties";
- "The Municipality of Monte Sant'Angelo is a medium-small and peripheral body [...] which has just over ten thousand inhabitants: the staffing staff is barely sufficient to carry out the various functions of competence and the internal organization keeps account of the limited financial and instrumental resources";
- "the publication [in question in the complaint] concerned personal data and not particular data: the violation entailed a minor damage, considering that the personal data are not of a particular nature and do not concern crimes or convictions";
- "The [...] Municipality is currently evaluating the responsibilities of the secretary at the time in office both in relation to the incorrect response forwarded and repeated over time to the interested party, and to the lack of training on the processing of personal data of the same. This information was deleted in compliance with the data subject's cancellation rights [...]".
3. Outcome of the preliminary investigation.
3.1 The regulatory framework.
The personal data protection discipline provides that public subjects may process the personal data of the interested parties, even when they operate in the context of insolvency and personnel selection procedures, if the processing is necessary "to fulfill a legal obligation to which the data controller" or "for the execution of a task in the public interest or connected to the exercise of public authority vested in the data controller" (art. 6, par. 1, lett. c) and e) of Regulation).
The national legislation has also introduced more specific provisions to adapt the application of the rules of the Regulation, determining, with greater precision, specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing (Article 6, par. 2, of the Regulation) and, in this context, has provided that the processing operations, and among these the "dissemination" of personal data, are permitted only when provided for by a law or, in the cases provided for by law, by regulation (Article 2-ter, paragraphs 1 and 3, of the Code in the text prior to the changes made by Legislative Decree No. 139 of 8 October 2021, in force at the time of the facts which are the subject of the complaint).
The data controller is then, in any case, required to comply with the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "minimization", on the basis of which personal data must be "Processed in a lawful, correct and transparent manner towards the interested party" and must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter a) and c) of the Regulation).
3.2 The dissemination of personal data.
Preliminarily it is represented that "personal data" means "any information concerning an identified or identifiable natural person", having to consider "identifiable the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as the name [...]" (Art. 4, par. 1, no. 1).
Given the above, with regard to the publicity of the results of the competition tests, it is noted that the sector regulations establish, in general, the publicity of the final provisions of the selection procedures, providing that only the final rankings of the winners of the competition are published and not the list of those admitted and not admitted to the selection or intermediate tests (see Article 7, Presidential Decree 10 January 1957, no. 3; as well as Article 15, Presidential Decree 9 May 1994, no. 487, in particular, paragraphs 5, 6 and 6 bis and, more generally, on the advertising of the procedures for the recruitment of public administration personnel, Article 35, paragraph 3, of Legislative Decree no. 165 of March 30, 2001).
The administration must, in fact, comply with the applicable sector regulations that regulate the times and forms of advertising (e.g. posting at the headquarters of the public body, publication in the administration bulletin or, for local authorities, on the praetorian register) "Of the results of the competition tests and of the final rankings - as well as, in the cases (and with the modalities) provided for, of the results of intermediate tests - of public competitions and selections", for the sole purpose "of allowing interested parties to activate the forms of protection of one's rights and control of the legitimacy of insolvency or selective procedures" (on this point, see provision of 15 May 2014 n. 243 web doc. n.
3134436 "Guidelines on the processing of personal data, also contained in documents and administrative documents, carried out for the purposes of advertising and transparency on the web by public entities and other obliged entities").
In addition, Article 19 of Legislative Decree March 14, 2013, n. 33 provides that, for transparency purposes, "without prejudice to the other legal publicity obligations, the public administrations publish [...] the final rankings, updated with the possible scrolling of suitable non-winners".
In this context, as recently reiterated by the Guarantor (see provision of 25 November 2021 n. 407, web doc. 9732406 as well as provisions 29 April 2021, n. 170, web doc. 9681778; 25 March 2021, n. 106, web doc. n. 9584421 and 11 March 2021, n. 89, web doc. n. 9581028), legislative decree 14 March 2013, n. 33, also referred to by the Municipality in the note sent to the complainant, does not constitute an appropriate legal basis for the online dissemination of personal data contained in the lists of candidates admitted or not admitted to the selective tests.
It is also noted that, both with regard to the regulations applicable at the time the data were published and to the one currently in force, art. 23, paragraph 1, lett. c) of the legislative decree n. 33/2013 (moreover, repealed by art. 22, paragraph 1, letter a), n. 3), of d. lgs. 25 May 2016, n. 97 and relating to the publication of only summary elements of the final provisions and not of the rankings formed at the end of the procedure, nor of information concerning any intermediate tests), nor art. 19 of the aforementioned decree (in force from 1 January 2020 and which provides for the publication of the final rankings only, updated with the possible scrolling of suitable non-winners).
Therefore, since the publication is not due pursuant to Legislative Decree no.
33, the Municipality, given the lack of the legal prerequisite to disseminate such personal data, should not even have indexed the page of its website, which housed the list of candidates invited to the selective tests, on generalist search engines; in this regard, it should therefore be noted that art. 9 of the legislative decree 14 March 2013, n. 33, which prohibits public administrations from "arranging filters and other technical solutions to prevent web search engines from indexing and searching within the transparent administration section", does not apply.
3.3 Unsuitable response to the request for cancellation of personal data.
The data controller recipient of requests to exercise the rights referred to in articles 15-22 of the Regulation, must provide feedback to the interested parties within the terms and in the manner provided for by the Regulation.
Pursuant to art. 17 of the Regulation "the interested party has the right to obtain from the data controller the cancellation of personal data concerning him without undue delay and the data controller is obliged to cancel the personal data without undue delay, if [...] the personal data have been unlawfully processed" (see Article 17 paragraph 1, letter d) unless the processing is necessary "for the fulfillment of a legal obligation that requires processing provided for by Union or Member State law to which the data controller is subject or for the execution of a task carried out in the public interest or in the exercise of public authority vested in the data controller" (see Article 17 paragraph 3, letter b).
With regard to the exercise of the right to the cancellation of personal data by the complainant, the Municipality - albeit on the erroneous assumption that an obligation of publicity and transparency existed in this case in relation to the aforementioned lists - did not allow the interested party to satisfy their right, in violation of art. 17 of the Regulation.
4. Conclusions.
In light of the aforementioned assessments, taking into account the statements made by the data controller during the investigation - the truthfulness of which one may be called to answer pursuant to art. 168 of the Code - it is noted that the elements provided by the data controller in the defense briefs do not allow to overcome the findings notified by the Office with the act of initiation of the procedure and are insufficient to allow the filing of this procedure, not resorting to moreover, some of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019.
As a preliminary point, it is noted that, even if the conduct began before the date of full application of the Regulation, in order to determine the applicable rule in terms of time, the principle of legality referred to in art. 1, paragraph 2, of law no. 689 of 11/24/1981 which establishes as "Laws that provide for administrative sanctions are applied only in the cases and times considered in them" (principle of the tempus regit actum). This determines the obligation to take into consideration the provisions in force at the time of the committed violation. Therefore, in the present case, considering the permanent nature of the conduct in question, the applicable discipline appears to be that of the Regulation and the Code, following the amendments made by Legislative Decree no. 101 of 10 August 2018.
The processing of the data of the interested parties, which occurred in violation of the regulations on the processing of personal data, began, in fact, with the online publication of the list of those admitted and not admitted to the preselection test in September XX for which the data breach personal data, which led to the online dissemination of the same, lasted until the twentieth, date on which the owner declared that he had removed the aforementioned list from the site.
Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality is noted for having disseminated, keeping online the list of those admitted and not admitted to the public selection in question, causing undue disclosure of personal data, in violation of articles 5, 6 and 17 of the Regulation and art. 2-ter of the Code in the text prior to the changes made by Legislative Decree 8 October 2021, n. 139, in force at the time of the facts which are the subject of the complaint.
The violation of the aforementioned provisions makes the administrative sanction provided for by art. 83, par. 5, of the Regulation, pursuant to art. 58, par. 2, lett. i), and 83, par. 3, of the same Regulation and art. 166, paragraph 2, of the Code.
In this context, considering, in any case, that the conduct has exhausted its effects, given that the Municipality has declared that it has removed the aforementioned list (see note of XX), the conditions for the adoption of corrective measures, pursuant to art. 58, par. 2, of the Regulation.
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. I and 83 of the Regulation; art. 166, paragraph 7, of the Code).
The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations as well as art.
166 of the Code, has the power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case" and, in this context, "the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).
In this regard, in the present case - also considering the reference contained in art. 166, paragraph 2, of the Code - the violation of the aforementioned provisions is subject to the application of the same administrative fine provided for by art. 83, par. 5, of the Regulation. The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the elements provided for by art. 83, par. 2, of the Regulation.
In relation to the aforementioned elements, it was considered that the dissemination of personal data, in the absence of a legal basis, lasted for a considerable period of time (about 7 years) and that the data controller operated in the mistaken belief that he could prosecute, in this way, purposes of transparency of the administrative action, without taking into account the current regulatory framework and the indications provided over time by the Guarantor to all public subjects on the subject (both with the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purposes of advertising and transparency on the web by public entities and other obliged entities" mentioned above, both with numerous decisions on individual cases).
On the other hand, the nature of the personal data disclosed, which does not include particular categories of data, was considered and that the Municipality, a small entity with limited resources, collaborated with the Authority during the investigation by removing the personal data of the interested. It was also favorably taken into account that there are no previous relevant violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation.
Based on the aforementioned elements, assessed as a whole, it is believed to determine the amount of the pecuniary sanction, in the amount of three thousand euros (3,000) for the violation of Articles 5, § 1, lett. a), 6, § 1, lett. e) and 17 of the Regulations and art. 2-ter of the Code (in the text prior to the changes made by Legislative Decree 8 October 2021, no. 139), as an administrative pecuniary sanction, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.
Taking into account the time frame during which the aforementioned data were made available on the network, it is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.
Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
WHEREAS, THE GUARANTOR
pursuant to art. 57, par. 1, lett. f), of the Regulations, declares unlawful the conduct of the Municipality of Monte Sant’Angelo described in the terms set out in the motivation, consisting in the violation of Articles 5, § 1, lett. a), 6, § 1, lett. e) and 17 of the Regulations and art.
2-ter of the Code (in the text prior to the changes made by Legislative Decree 8 October 2021, n. 139), in the terms set out in the motivation;
ORDER
pursuant to art. 58, par. 2, lett. i), and 83, par. 5, of the Regulation and 166, paragraph 2, of the Code to the Municipality of Monte Sant'Angelo, in the person of the pro-tempore legal representative, with registered office in Piazza Municipio, 2 - 71037 Monte Sant'Angelo (FG), Tax Code: 83000870713, to pay the sum of three thousand (3,000) euros as a pecuniary administrative sanction for the violations indicated in the motivation;
INJUNCES
to the aforementioned Municipality to pay the sum of three thousand euros (3,000) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the l. n. 689/1981. In this regard, it is recalled that the offender has the right to settle the dispute by paying - again according to the methods indicated in the annex - of an amount equal to half of the sanction imposed, within 30 days from the date of notification of this provision, pursuant to art. 166, paragraph 8, of the Code (see also Article 10, paragraph 3, of Legislative Decree no. 150 of 1/9/2011);
HAS
- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see Article 16 of the Guarantor Regulation No. 1/2019);
- the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lett. u), of the Regulations, violations and measures adopted in compliance with art. 58, par. 2, of the Regulation (see article 17 of Regulation no. 1/2019).
Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no.
150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad. Rome, April 28, 2022 THE VICE-PRESIDENT Cerrina Feroni THE RAPPORTEUR Peel THE SECRETARY GENERAL Mattei [doc. web n. 9778996] Injunction order against the Municipality of Monte Sant’Angelo - April 28, 2022 Record of measures n. 151 of 28 April 2022 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary; GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / CE, "General Data Protection Regulation" (hereinafter, "Regulation"); GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46 / EC (hereinafter the "Code"); GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor n. 
1/2019"); Having seen the documentation in the deeds; Given the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n.1098801; Rapporteur the lawyer Guido Scorza; WHEREAS 1. The complaint. With a complaint of the XXth, the publication, on the institutional website of the municipality of Monte Sant'Angelo (hereinafter the "Municipality"), of the "rankings of those admitted subject to the pre-selection test and the list of those admitted and not admitted to the subsequent test was complained of written "of a selective procedure, in which the complainant had participated, which ended" in April XX with the regular recruitment of suitable and winning candidates ", the preselective test of which took place in September XX. These rankings were also indexed on search engines. Following an application for the exercise of the rights by the complainant, with which the same requested the cancellation of personal data referred to him, the Municipality, with a note of the XXth, informed the interested party that "from survey of the ranking approved with managerial determination , the sensitive data "of the complainant is not highlighted, stating that the Municipality was in any case required to observe the terms of publication of the documents in accordance with the provisions of Legislative Decree no. 33 of 14 March 2013. 2. The preliminary activity. With a note of the twentieth, the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged as a result of the investigation, notified the Municipality, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, par. 1, lett. a) and c), 6, paragraph 1, lett. c) and e), 2 and 3, lett. 
b) and art. 17 of the Regulations as well as art. 2-ter, paragraphs 1 and 3 of the Code (in the text prior to the changes made by Legislative Decree No. 139 of 8 October 2021, in force at the time of the facts subject of the complaint), inviting the aforementioned owner to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law no. 689 of November 24, 1981). The Municipality sent its defense briefs, with note XX, representing that: - "on XX [the final ranking was published] of the public selection tests [in question] making the personal data of the candidates completely anonymous, including name and surname, since it is a small municipality in which even the initials alone would have resulted insufficient to not allow the identification of the interested parties "; - "The Municipality of Monte Sant'Angelo is a medium-small and peripheral body [...] which has just over ten thousand inhabitants: the staffing staff is barely sufficient to carry out the various functions of competence and the internal organization keeps account of the limited financial and instrumental resources "; - "the publication [in question in the complaint] concerned personal data and not particular data: the violation entailed a minor damage, considering that the personal data are not of a particular nature and do not concern crimes or convictions"; - "The [...] Municipality is currently evaluating the responsibilities of the secretary at the time in office both in relation to the incorrect response forwarded and repeated over time to the interested party, and to the lack of training on the processing of personal data of the same. This information has been deleted in compliance with the data subject's cancellation rights [...] ". 3. Outcome of the preliminary investigation. 3.1 The regulatory framework. 
The personal data protection discipline provides that public subjects may process the personal data of the interested parties, even when they operate in the context of insolvency and personnel selection procedures, if the processing is necessary "to fulfill a legal obligation to which the data controller "or" for the performance of a task in the public interest or connected to the exercise of public authority vested in the data controller "(art. 6, par. 1, lett. c) and e) of Regulation). The national legislation has also introduced more specific provisions to adapt the application of the rules of the Regulation, determining, with greater precision, specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing (Article 6, par. 2, of the Regulation) and, in this context, has provided that the processing operations, and among these the "dissemination" of personal data, are allowed only when provided for by a law or, in the cases provided for by law, by regulation (Article 2-ter, paragraphs 1 and 3, of the Code in the text prior to the changes made by Legislative Decree No. 139 of 8 October 2021, in force at the time of the facts which are the subject of the complaint). The data controller is then, in any case, required to comply with the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "minimization", on the basis of which personal data must be "Processed in a lawful, correct and transparent manner towards the interested party" and must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter a) and c ) of the Regulation). 3.2 The dissemination of personal data. 
As a preliminary point, it is noted that "personal data" means "any information concerning an identified or identifiable natural person", and that "the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as the name [...]" is to be considered identifiable (Art. 4, par. 1, no. 1).

Given the above, with regard to the publicity of the results of the competition tests, it is noted that the sector regulations establish, in general, the publicity of the final provisions of the selection procedures, providing that only the final rankings of the winners of the competition are published and not the list of those admitted and not admitted to the selection or intermediate tests (see Article 7, Presidential Decree 10 January 1957, no. 3; as well as Article 15, Presidential Decree 9 May 1994, no. 487, in particular, paragraphs 5, 6 and 6 bis and, more generally, on the publicity of the procedures for the recruitment of public administration personnel, Article 35, paragraph 3, of Legislative Decree no. 165 of March 30, 2001).

The administration must, in fact, comply with the applicable sector regulations that govern the times and forms of publicity (e.g. posting at the headquarters of the public body, publication in the administration bulletin or, for local authorities, on the praetorian register) "of the results of the competition tests and of the final rankings - as well as, in the cases (and with the modalities) provided for, of the results of intermediate tests - of public competitions and selections", for the sole purpose "of allowing interested parties to activate the forms of protection of one's rights and control of the legitimacy of competition or selection procedures" (on this point, see provision of 15 May 2014, no. 243, web doc. no. 3134436, "Guidelines on the processing of personal data, also contained in documents and administrative documents, carried out for the purposes of publicity and transparency on the web by public entities and other obliged entities").

In addition, Article 19 of Legislative Decree no. 33 of 14 March 2013 provides that, for transparency purposes, "without prejudice to the other legal publicity obligations, the public administrations publish [...] the final rankings, updated with the possible scrolling of suitable non-winners".

In this context, as recently reiterated by the Guarantor (see provision of 25 November 2021, no. 407, web doc. no. 9732406, as well as provisions of 29 April 2021, no. 170, web doc. no. 9681778; 25 March 2021, no. 106, web doc. no. 9584421; and 11 March 2021, no. 89, web doc. no. 9581028), Legislative Decree no. 33 of 14 March 2013, also referred to by the Municipality in the note sent to the complainant, does not constitute an appropriate legal basis for the online dissemination of personal data contained in the lists of candidates admitted or not admitted to the selective tests.

It is also noted that, both with regard to the regulations applicable at the time the data were published and to the one currently in force, art. 23, paragraph 1, lett. c) of Legislative Decree no. 33/2013 (moreover, repealed by art. 22, paragraph 1, letter a), no. 3), of Legislative Decree no. 97 of 25 May 2016, and relating to the publication of only summary elements of the final provisions and not of the rankings formed at the end of the procedure, nor of information concerning any intermediate tests), nor art. 19 of the aforementioned decree (in force from 1 January 2020 and which provides for the publication of the final rankings only, updated with the possible scrolling of suitable non-winners).

Therefore, since the publication is not due pursuant to Legislative Decree no. 33, the Municipality, lacking the legal prerequisite to disseminate such personal data, should not even have had the page of its website which housed the list of candidates invited to the selective tests indexed on general search engines; in this regard, it should therefore be noted that art. 9 of Legislative Decree no. 33 of 14 March 2013, which prohibits public administrations from "arranging filters and other technical solutions to prevent web search engines from indexing and searching within the transparent administration section", does not apply.

3.3 Unsuitable response to the request for cancellation of personal data.

A data controller that receives requests to exercise the rights referred to in articles 15-22 of the Regulation must respond to the interested parties within the terms and in the manner provided for by the Regulation.

Pursuant to art. 17 of the Regulation, "the interested party has the right to obtain from the data controller the cancellation of personal data concerning him without undue delay and the data controller is obliged to cancel the personal data without undue delay, if [...] the personal data have been unlawfully processed" (see Article 17, paragraph 1, letter d)), unless the processing is necessary "for the fulfillment of a legal obligation that requires processing provided for by Union or Member State law to which the data controller is subject or for the execution of a task carried out in the public interest or in the exercise of public authority vested in the data controller" (see Article 17, paragraph 3, letter b)).

With regard to the exercise of the right to the cancellation of personal data by the complainant, the Municipality - albeit on the erroneous assumption that an obligation of publicity and transparency existed in this case in relation to the aforementioned lists - did not allow the interested party to satisfy their right, in violation of art. 17 of the Regulation.

4. Conclusions.
In light of the aforementioned assessments, taking into account the statements made by the data controller during the investigation - the truthfulness of which one may be called to answer for pursuant to art. 168 of the Code - it is noted that the elements provided by the data controller in the defense briefs do not overcome the findings notified by the Office with the act of initiation of the procedure and are insufficient to allow the filing of this procedure; nor, moreover, do any of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 apply.

As a preliminary point, it is noted that, even if the conduct began before the date of full application of the Regulation, in order to determine the applicable rule in terms of time, regard must be had to the principle of legality referred to in art. 1, paragraph 2, of law no. 689 of 11/24/1981, which establishes that "Laws that provide for administrative sanctions are applied only in the cases and times considered in them" (principle of tempus regit actum). This entails the obligation to take into consideration the provisions in force at the time the violation was committed. Therefore, in the present case, considering the permanent nature of the conduct in question, the applicable discipline appears to be that of the Regulation and the Code, following the amendments made by Legislative Decree no. 101 of 10 August 2018.

The processing of the data of the interested parties, which occurred in violation of the regulations on the processing of personal data, began, in fact, with the online publication of the list of those admitted and not admitted to the preselection test in September XX, so that the personal data breach, which led to the online dissemination of the same, lasted until the 20th, the date on which the data controller declared that it had removed the aforementioned list from the site.
Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality is noted, for having disseminated, by keeping online, the list of those admitted and not admitted to the public selection in question, causing undue disclosure of personal data, in violation of articles 5, 6 and 17 of the Regulation and art. 2-ter of the Code in the text prior to the changes made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts which are the subject of the complaint.

The violation of the aforementioned provisions makes the administrative sanction provided for by art. 83, par. 5, of the Regulation, pursuant to art. 58, par. 2, lett. i), and 83, par. 3, of the same Regulation and art. 166, paragraph 2, of the Code.

In this context, considering, in any case, that the conduct has exhausted its effects, given that the Municipality has declared that it has removed the aforementioned list (see note of XX), the conditions for the adoption of corrective measures, pursuant to art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulation as well as art. 166 of the Code, has the power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case" and, in this context, "the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, in the present case - also considering the reference contained in art. 166, paragraph 2, of the Code - the violation of the aforementioned provisions is subject to the application of the same administrative fine provided for by art. 83, par. 5, of the Regulation.

The amount of the aforementioned administrative pecuniary sanction, imposed depending on the circumstances of each individual case, must be determined taking into account the elements provided for by art. 83, par. 2, of the Regulation.

In relation to the aforementioned elements, it was considered that the dissemination of personal data, in the absence of a legal basis, lasted for a considerable period of time (about 7 years) and that the data controller operated in the mistaken belief that it could pursue, in this way, purposes of transparency of the administrative action, without taking into account the current regulatory framework and the indications provided over time by the Guarantor to all public bodies on the subject (both with the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purposes of publicity and transparency on the web by public entities and other obliged entities" mentioned above, and with numerous decisions on individual cases).
On the other hand, it was considered that the personal data disclosed do not include particular categories of data, and that the Municipality, a small entity with limited resources, collaborated with the Authority during the investigation by removing the personal data of the data subject. It was also favorably taken into account that there are no previous relevant violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation.

Based on the aforementioned elements, assessed as a whole, it is considered appropriate to determine the amount of the pecuniary sanction at three thousand euros (3,000) for the violation of Articles 5, § 1, lett. a), 6, § 1, lett. e) and 17 of the Regulation and art. 2-ter of the Code (in the text prior to the changes made by Legislative Decree no. 139 of 8 October 2021), as an administrative fine considered, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account the time frame during which the aforementioned data were made available on the network, it is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

HAVING REGARD TO ALL OF THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, lett. f) of the Regulation, declares unlawful the conduct of the Municipality of Monte Sant'Angelo described in the terms set out in the motivation, consisting in the violation of Articles 5, § 1, lett. a), 6, § 1, lett. e) and 17 of the Regulation and art. 2-ter of the Code (in the text prior to the changes made by Legislative Decree no. 139 of 8 October 2021), in the terms set out in the motivation;

ORDERS

pursuant to art. 58, par. 2, lett. i), and 83, par. 5, of the Regulation and 166, paragraph 2, of the Code, the Municipality of Monte Sant'Angelo, in the person of the pro-tempore legal representative, with registered office in Piazza Municipio, 2 - 71037 Monte Sant'Angelo (FG), Tax Code: 83000870713, to pay the sum of three thousand (3,000) euros as a pecuniary administrative sanction for the violations indicated in the motivation;

ENJOINS

the aforementioned Municipality to pay the sum of three thousand euros (3,000) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981. In this regard, it is recalled that the offender has the right to settle the dispute by paying - again according to the methods indicated in the annex - an amount equal to half of the sanction imposed, within 30 days from the date of notification of this provision, pursuant to art. 166, paragraph 8, of the Code (see also Article 10, paragraph 3, of Legislative Decree no. 150 of 1/9/2011);

PROVIDES FOR

- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see Article 16 of the Guarantor Regulation no. 1/2019);
- the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lett. u), of the Regulation, of violations and measures adopted in compliance with art. 58, par. 2, of the Regulation (see article 17 of Regulation no. 1/2019).

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, April 28, 2022

THE VICE-PRESIDENT
Cerrina Feroni

THE RAPPORTEUR
Peel

THE SECRETARY GENERAL
Mattei
- [1] https://www.gazzettaufficiale.it/eli/id/2013/04/05/13G00076/sg
- [2] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3134436
- [3] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9581028
- [4] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9681778
- [5] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9732406
- [6] https://www.gazzettaufficiale.it/dettaglio/codici/datiPersonali/1_0_1
- [7] https://www.gazzettaufficiale.it/eli/id/2018/09/04/18G00129/sg
- [8] https://www.gazzettaufficiale.it/eli/id/2021/10/08/21G00153/sg