Garante per la protezione dei dati personali (Italy) - 9815665

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6 GDPR
Article 124 D. lgs. n. 267
Article 2-ter D.Lgs. n.196 "Code on the Protection of Personal Data"
Type: Investigation
Outcome: Violation Found
Started:
Decided: 15.09.2022
Published: 15.09.2022
Fine: 3,000 EUR
Parties: Municipality of Thiene
National Case Number/Name: 9815665
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: Vilma Margarit

The Italian DPA imposed a €3,000 fine on a municipality for publishing on a public notice board a matriculation number, which allowed for the identification of the data subject.

English Summary

Facts

The municipality (the controller) published on its online Public Notice Board, as well as in a press release, information about the data subject's dismissal from work. The publication contained a matriculation number, which made the data subject identifiable.

Subsequently, the data subject decided to file a complaint with the Italian DPA. The DPA initiated proceedings and requested more information from the controller.

The controller argued that the information had been put through pseudonymisation first and only employees knew how to decrypt it. Furthermore, the online Notice Board was not indexed in search engines. With regard to the press release, the controller argued that the text was anonymous and did not allow for the identification of the data subject.

Holding

Firstly, the Italian DPA held that the dissemination of personal data (such as publications on the Internet) by public entities is permitted, when provided for by law. Secondly, the matriculation number is considered an identification number, as it allows third parties to trace the identity of the data subject, and not authorised personnel only. Consequently, the DPA held that a matriculation number on online publications falls under the definition of "personal data" in Article 4(1) GDPR.

The DPA reminded the controller that, as defined in Recital 26 GDPR, pseudonymisation is a mere technical measure and still makes it possible to trace the identity of a data subject in an indirect way or through use of additional information. With regard to the press release, the DPA held that there was no derogation from the principles on the protection of personal data. The DPA also reiterated that the principles of lawfulness and data minimisation apply to publication on online public notice boards, as clarified in the "Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for the purposes of publicity and transparency on the web by public entities and other obligated entities".

The DPA found a violation of Article 2-ter of the Code on the Protection of Personal Data, as the provisions cited by the controller did not meet the requirement of a valid legal basis. Furthermore, the DPA found a breach of Articles 5(1)(a) and (c) and 6 GDPR because the online dissemination of the data subject's personal data lacked an appropriate legal basis. The DPA confirmed that the controller did not meet the requirement of lawful processing of personal data.

In conclusion, the DPA imposed a €3,000 fine on the controller for the violation of Articles 5(1)(a) and (c) and 6 GDPR.

Comment

The decision is, however, not new: in this case the Italian DPA has only reiterated the obligations of public authorities arising under Article 124 D. lgs. n. 267 "Publications of deliberations". Numerous decisions have been passed in this regard.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9815665]

Injunction order against the Municipality of Thiene - 15 September 2022

Record of measures
n. 299 of 15 September 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / CE, "General Data Protection Regulation" (hereinafter, "Regulation");

GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46 / EC" (hereinafter the "Code");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4 April 2019, published in the Official Gazette n. 106 of 8 May 2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

Having seen the documentation in the deeds;

Given the observations made by the secretary general pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n. 1098801;

Speaker Dr. Agostino Ghiglia;

WHEREAS

1. Introduction.

The Authority received a complaint complaining about the publication, in the online Praetorian Register of the Municipality of Thiene (hereinafter, the "Municipality"), of resolution no. 742 of October 16, 2019, concerning "employee matr. [...] - acknowledgment of termination of service for dismissal ", containing information on the dismissal of the complainant, identified with his / her registration number, following disciplinary proceedings, as well as a press release relating to the matter.

2. The preliminary activity.

With a note of the XX (prot. N. XX) the Municipality, in response to a request for information formulated by the Office, stated, in particular, that:

- "the purpose of the processing of personal data - put in place through the publication in the praetorian notice of the managerial provision which acknowledged the dismissal of the employee - is inherent in the ratio legis of art. 124 of the TUEL, that is in the legal knowledge for the generality of citizens ";

- "with reference to the methods of processing the data in question, [...], it should be noted that the owner makes use of persons authorized to process the data as defined by art. 29 GDPR, identified according to a functional principle: all employees for whom the processing itself is necessary for the performance of the tasks to which they are assigned within the organization of the entity are authorized for a specific treatment ";

- "although in the presence of a legal title that legitimizes - indeed makes it mandatory - the publication of the provision in the online register and the absence, within the provision, of particular categories of data, the entity has taken care to guarantee respect for the dignity [of the person concerned], providing for the pseudonymisation of the personal details [of the complainant], identifying [the same] by means of the serial number only and avoiding highlighting other elements that, even indirectly, could allow to trace [the same] ";

- “it was considered that the encryption system used meets the pseudonymisation requirements since the alphanumeric code used, even if not generated for this purpose, is in any case created randomly; the decryption algorithm is known exclusively - according to the functional principle of strict necessity - by the same employees of the personnel department who - each for the performance of their duties - have legitimately processed the employee's personal data ";

- "the Municipality has published the online register within the time limits provided for by the relevant legislation (Article 124 of Legislative Decree 18 August 2000, n. 267): precisely the deed was published from 17 October 2019 to 31 October 2019. No data contained in the deeds published on the online register of the municipality can be indexed, at any time, on the municipality's website through general search engines. Even more, the online register of the municipality of Thiene is not indexed in general search engines ”;

- in relation to the press release issued by the Municipality, “it is a completely anonymous press release. The purpose that was intended to be pursued, through this press release, was to prevent the dissemination of distorted and / or incomplete information, as it was learned that the XX would publish an article on the matter the next day. Consequently, in order not to create disturbance and disorientation in the users, the Administration considered it appropriate to clarify that the problem that arose was immediately resolved, first with the suspension, and subsequently with the dismissal [of the complainant], without any economic prejudice for the users of the service ".

With a note of the XX (prot. No. XX), the Office, on the basis of the elements acquired, the verifications carried out and the facts that emerged as a result of the investigation, notified the Owner, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, par. 1, lett. a) and c) and 6, of the Regulations as well as art. 2-ter of the Code (in the text prior to the changes made by Legislative Decree 8 October 2021, n.139), inviting the aforementioned holder to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as art.18, paragraph 1, of the l. 24 November 1981, n. 689).

With a note of the XX (prot.n.XX), the Municipality presented a defensive brief, declaring, in particular, that:

- "in the present case, the assumption of lawfulness of data processing is constituted by the following rules: art. 2 paragraph 1 of Law 241/1990; art. 124 of Legislative Decree 18 August 2000, n. 267 (TUEL); art. 59, paragraph 9, n. 2 of the CCNL Local Functions of 21.05.2018; articles 94 ss of the Internal Regulations for the organization of offices and services, adopted by the Entity by virtue of the regulatory autonomy recognized to the Municipality by Article 117 co. 6 of the Republican Constitution ";

- “in particular, pursuant to art. 2, paragraph 1, Law 241/90, the Public Administration is obliged to conclude the proceedings, initiated ex officio or at the request of a party, with an express provision, unless a formal, unchallenged administrative resolution has already been adopted and there have been no changes in the factual or legal situation, or the questions are manifestly absurd or totally unfounded or illegal ";

- “with reference instead to the alleged processing of personal data carried out through the publication of the provision - given however that the latter does not contain any personal data intelligible to anyone - the basis of lawfulness, pursuant to the aforementioned art. 124 TUEL, is not to be found in the object of the determination but in its provisional nature: each determination is published in the praetorian notice, regardless of the subject matter ";

- "the Municipality has published the online register within the time limits provided for by the relevant legislation (Article 124 of Legislative Decree 18 August 2000, n. 267): precisely the deed was published from 17 October 2019 to 31 October 2019. No data contained in the deeds published on the online register of the municipality can be indexed, at any time, on the municipality's website using general search engines ";

- “the Municipality, having ascertained the existence of the formal requirement pursuant to the aforementioned art. 124 TUEL, in consideration of the principles of necessity, proportionality and relevance, verified the absence of particular categories of data within the provision and proceeded from the design of the treatment, in compliance with the minimization principle pursuant to art. 5 of Regulation EU / 2016/679, to the pseudonymisation of the personal details [of the employee], immediately identifying [the complainant] by means of the registration number only and avoiding highlighting other elements that, not even indirectly, could allow to trace the person who has been subjected to disciplinary proceedings ";

- “it was considered that the encryption system used meets the pseudonymisation requirements since the alphanumeric code used, even if not generated for this purpose, is in any case created randomly; the decryption algorithm is known exclusively - according to the functional principle of strict necessity - by the personnel department entitled to process the personal data [of the employee] for the purpose of providing the remuneration. There is therefore no way to trace the data [of the same], nor for any other person, neither internal nor external to the Administration, to know the decryption algorithm. Therefore, there is no possibility through the matriculation code, to identify [the complainant], not even potentially by means of identification, correlation and deduction, with the exception of employees who were already aware, ratione officii, of the incident ";

- “finally, with reference to the press release, it is noted that its issue did not involve any processing of personal data as the text is completely anonymous. The purpose that was intended to be pursued, through this press release, was to prevent the dissemination of distorted and / or incomplete information, as it was learned that the XX would publish an article on the matter. Consequently, in order not to create disturbance and disorientation in users, the Administration considered it appropriate to clarify that the problem that arose was immediately resolved, first with the suspension, and subsequently with the dismissal, without any economic prejudice for the users of the service ".

3. Outcome of the preliminary investigation.

3.1 The regulatory framework.

The personal data protection discipline provides that public subjects, in the context of the work context, may process the personal data of the interested parties, also relating to particular categories, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks provided for by the law or the law of the Union or of the Member States (art. 6, par. 1, lett. c), 9, par. 2, lett. b) and 4 and 88 of the Regulation). The processing is also lawful when it is "necessary for the performance of a task of public interest or connected to the exercise of public authority vested in the data controller" (Article 6, paragraph 1, letter e), 2 and 3, and art. 9, par. 2, lett. g), of the Regulations; art. 2-ter of the Code, in the text prior to the changes made by Legislative Decree 8 October 2021, n. 139).

European legislation provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of the [...] Regulation with regard to processing, in accordance with paragraph 1, letters c) and e), determining more precisely specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing […] ”(Article 6, par. 2, of the Regulation). In this regard, it should be noted that the dissemination of personal data (such as publication on the Internet) by public entities is permitted only when provided for by a law or, in the cases provided for by law, by regulation (cf. art. 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the changes made by the legislative decree 8 October 2021, n. 139).
The data controller is required, in any case, to comply with the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "data minimization", on the basis of which personal data must be "processed in a lawful, correct and transparent manner towards the data subject" and must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter a) and c), of the Regulation).

3.2 The dissemination of personal data.

As is clear from the deeds and declarations made by the data controller, as well as from the assessment made on the basis of the elements acquired as a result of the investigation and subsequent assessments of this Department, the Municipality has published, on the institutional website, section Albo Pretorio, the determination n. 742 of October 16, 2019, containing the information of the dismissal of the complainant, identified with his / her registration number.

Although, as claimed by the Municipality, the determination in question did not expressly mention the name and surname of the complainant, the latter was in any case identifiable through his / her registration number, therefore having to consider the information contained in the determination, relating to the complainant, as "personal data" pursuant to art. 4, par. 1, no. 1, of the Regulation.

In fact, "personal data" means "any information concerning an identified or identifiable natural person", having to consider "identifiable the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as [...] a number of identification […] ”(art. 4, par. 1, n. 1) of the Regulations) as the registration number which, in the case of determination no. 742 of 16 October 2019, is uniquely associated with the interested party. The serial number is, therefore, to be considered an identification number certainly suitable to allow the identity of the interested party to be traced, not only by the authorized personnel of the Municipality, but also by any third parties, with whom the interested party has been able, over time, to share this number (think, for example, of colleagues and family members). Moreover, the pseudonymisation carried out by the Municipality through the insertion of the registration number, constitutes a mere technical measure that allows, in any case, to trace the identity of the interested party, albeit indirectly and / or through the use of additional information (see Article 4, paragraph 1, No. 5 of the Regulation and in this regard, also see Recital No. 26 of the Regulation on the basis of which personal data subjected to pseudonymisation must be considered information on an identifiable natural person).

As specified by the Municipality itself, this identification number was not generated exclusively to indicate the complainant in correlation with the determination to be published, but constituted an identification associated with the interested party in the context of the employment relationship, also "for the purpose of disbursement of the economic treatment "(see note of the Municipality of the 20th cited above).

In any case, the Municipality has not proven the existence of a specific law that obliges the body to publish the determination of acknowledgment of the disciplinary dismissal of an employee, recalling in the defensive writings the national regulations relating to publications on the Praetorian Register of Local Authorities (Article 124, paragraph 1, of Legislative Decree No. 267 of August 18, 2000). In this regard, it should be noted that this Authority, on several occasions, has clarified that even the presence of a specific advertising regime cannot entail any automatism with respect to the online dissemination of personal data and information, nor an exception to the principles regarding the protection of personal data (see provision of February 25, 2021, n.68, web doc 9567429). This is also confirmed by the personal data protection system contained in the Regulation, in light of which it is envisaged that the data controller must "put in place adequate technical and organizational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing "and must be" able to demonstrate "- in light of the principle of" accountability "- to have done so (articles 5, par. 2; 24 and 25, par. 2, Regulation). In numerous decisions regarding the obligations deriving from art. 124 of Legislative Decree 267/2000, invoked by the Municipality, in fact, the Guarantor reiterated that all the limits set by the principles of data protection with regard to the lawfulness and minimization of data apply to publications in the online praetorian register. (see part II, par. 3.a. of the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities" ).

In the resolution to be published, therefore, no personal data of the complainant should have been reported (in this case the registration number), which in any case could have allowed the identification of the same, resorting, if necessary, to the technique of " omissis "or other data anonymization measures (see, on this point, provisions of 27 January 2021, no. 34, web doc. 9549165, 2 July 2020, no. 118, web doc. 9440025 and 2 July 2020, n. 119, web doc. 9440042).

The publication of the determination in question, with this expedient, would not, however, compromise the principle of conclusion of the procedure referred to in art. 2 of the l. 241/1990, since the full version of the same would have remained, in any case, in the records of the Municipality and would have been accessible, by qualified persons, in the ways and within the limits established by law.

Nor can the provisions of the CCNL Local Functions of 21.05.2018 (and other internal provisions relating to the organization of municipal offices), reported in the defensive writings of the Municipality, be considered relevant, also with regard to the quality and content of the source. These provisions, which in any case do not meet the requirements of an appropriate legal basis pursuant to art. 2-ter, paragraphs 1 and 3 of the Code in the text prior to the changes made by Legislative Decree 8 October 2021, n. 139, are limited, in fact, to indicate the cases and methods of the disciplinary procedure, but do not envisage, nor could they justify, the online dissemination of the resolution acknowledging the disciplinary dismissal of an employee.

The disclosure of the complainant's personal data, contained in determination no. 742 of 16 October 2019, therefore occurred in a manner that did not comply with the principles of data protection and in the absence of an appropriate legal basis, in violation of Articles 5, par. 1, lett. a) and c), and 6 of the Regulations, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021).

4. Conclusions.

In light of the aforementioned assessments, it is noted that the statements made by the data controller during the investigation ˗ the truthfulness of which one may be called to respond pursuant to art. 168 of the Code ˗ although worthy of consideration, they do not allow to overcome the findings notified by the Office with the act of initiation of the procedure and are insufficient to allow the filing of this procedure, however, none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality is noted, for having disseminated, through online publication, the determination n.742 of October 16, 2019, containing personal data relating to the dismissal of the complainant for disciplinary reasons, in the absence of a legal basis, in violation of Articles 5, par. 1, lett. a) and c), 6 of the Regulations as well as Article 2-ter of the Code (in the text prior to the changes made by Legislative Decree 8 October 2021, no. 139). On the other hand, given the absence of personal data in the press release, it is considered to archive the profile concerning the publication of the same.

The violation of the aforementioned provisions makes the administrative sanction provided for by art. 83, par. 5, of the Regulation, pursuant to art. 58, par. 2, lett. i), and 83, par. 3, of the same Regulation, as also referred to by art. 166, paragraph 2, of the Code.

In this context, considering, in any case, that the conduct has exhausted its effects - given that the dissemination of the data ceased on October 31, 2019 - the conditions for the adoption of further corrective measures pursuant to art . 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. I and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations as well as art. 166 of the Code, has the power to "inflict an administrative pecuniary sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case "and, in this context," the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, taking into account art. 83, par. 3, of the Regulations, in this case the violation of the aforementioned provisions is subject to the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the elements provided for by art. 83, par. 2, of the Regulation.

In relation to the aforementioned elements, it was considered that the detected conduct had as its object the dissemination of personal data relating to events related to the employment relationship referring to a disciplinary procedure against an employee, despite the numerous indications given by the Guarantor to all public entities since 2014 with the aforementioned guidelines (see also "Guidelines on the processing of personal data of workers for the purpose of managing the employment relationship in the public sphere" of June 14, 2007, web doc. no. 1417809 ).

On the other hand, it was favorably taken into consideration that the violation did not concern particular categories of personal data and that it involved only one interested party. Furthermore, the publication in the Praetorian Register of the determination in question took place for a short period of time and without any indexing on generalist sites. Furthermore, there are no previous relevant violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation.

The Municipality of Thiene falls within the demographic dimension of just over 23,000 inhabitants.

Due to the aforementioned elements, assessed as a whole, it is believed to determine the amount of the pecuniary sanction in the amount of € 3,000 (three thousand) for the violation of Articles 5, par. 1, lett. a) and c), 6, as well as 2-ter of the Code (in the text prior to the changes made by Legislative Decree 8 October 2021, no. 139), as a pecuniary administrative sanction, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account that the deed to be disseminated online contained references to a delicate personal story of the interested party, regarding dismissal for disciplinary reasons, it is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by the 'art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019.

WHEREAS, THE GUARANTOR

declares, pursuant to art. 57, par. 1, lett. f), of the Regulations, the unlawfulness of the processing carried out by the Data Controller for violation of Articles 5, par. 1, lett. a) and c), 6 of the Regulations, as well as 2-ter of the Code (in the text prior to the changes made by Legislative Decree No. 139 of 8 October 2021), within the terms set out in the motivation;

ORDERS

pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations, as well as art. 166 of the Code, to the Municipality of Thiene, in the person of the pro-tempore legal representative, with registered office in Piazza Ferrarin 1 - 36016 Thiene (VI), C.F. 00170360242, to pay the sum of € 3,000 (three thousand) as a pecuniary administrative sanction for the violations indicated in the motivation. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;

ENJOINS

to the aforementioned Municipality, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 3,000 (three thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the l. n. 689/1981;

ORDERS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see Article 16 of the Guarantor Regulation No. 1/2019);

the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lett. u), of the Regulations, violations and measures adopted in compliance with art. 58, par. 2, of the Regulation (see art.17 of the Guarantor Regulation no. 1/2019).

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, September 15, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei

[doc. web n. 9815665]

Injunction order against the Municipality of Thiene - 15 September 2022

Record of measures
n. 299 of 15 September 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");

GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46/EC" (hereinafter the "Code");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4 April 2019, published in the Official Gazette n. 106 of 8 May 2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

Having seen the documentation in the deeds;

Given the observations made by the secretary general pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n. 1098801;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. Introduction.

The Authority received a complaint concerning the publication, in the online Praetorian Register of the Municipality of Thiene (hereinafter, the "Municipality"), of resolution no. 742 of October 16, 2019, concerning "employee matr. [...] - acknowledgment of termination of service for dismissal", containing information on the dismissal of the complainant, identified with his/her registration number, following disciplinary proceedings, as well as of a press release relating to the matter.

2. The preliminary activity.

With a note of the XX (prot. N. XX) the Municipality, in response to a request for information formulated by the Office, stated, in particular, that:

- "the purpose of the processing of personal data - put in place through the publication in the praetorian notice of the managerial provision which acknowledged the dismissal of the employee - is inherent in the ratio legis of art. 124 of the TUEL, that is in the legal knowledge for the generality of citizens ";

- "with reference to the methods of processing the data in question, [...], it should be noted that the owner makes use of persons authorized to process the data as defined by art. 29 GDPR, identified according to a functional principle: all employees for whom the processing itself is necessary for the performance of the tasks to which they are assigned within the organization of the entity are authorized for a specific treatment ";

- "although in the presence of a legal title that legitimizes - indeed makes it mandatory - the publication of the provision in the online register and the absence, within the provision, of particular categories of data, the entity has taken care to guarantee respect for the dignity [of the person concerned], providing for the pseudonymisation of the personal details [of the complainant], identifying [the same] by means of the serial number only and avoiding highlighting other elements that, even indirectly, could allow to trace [the same] ";

- “it was considered that the encryption system used meets the pseudonymisation requirements since the alphanumeric code used, even if not generated for this purpose, is in any case created randomly; the decryption algorithm is known exclusively - according to the functional principle of strict necessity - by the same employees of the personnel department who - each for the performance of their duties - have legitimately processed the employee's personal data ";

- "the Municipality has provided for the publication in the online register within the time limits provided for by the relevant legislation (art. 124 of the d. lgs. 18 August 2000, n. 267): precisely the deed was published from 17 October 2019 to 31 October 2019. No data contained in the deeds published in the online register of the municipality can be indexed, at any time, on the municipality's website through general search engines. Even more, the online register of the municipality of Thiene is not indexed in general search engines ”;

- in relation to the press release issued by the Municipality, "it is a completely anonymous press release. The purpose that was intended to be pursued, through this press release, was to prevent the dissemination of distorted and/or incomplete information, as it was learned that the XX would publish an article on the matter the next day. Consequently, in order not to create disturbance and disorientation in the users, the Administration considered it appropriate to clarify that the problem that arose was immediately resolved, first with the suspension, and subsequently with the dismissal [of the complainant], without any economic prejudice for the users of the service".

With a note of the XX (prot. No. XX), the Office, on the basis of the elements acquired, the verifications carried out and the facts that emerged as a result of the investigation, notified the Owner, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, par. 1, lett. a) and c) and 6, of the Regulations as well as art. 2-ter of the Code (in the text prior to the changes made by Legislative Decree 8 October 2021, n.139), inviting the aforementioned holder to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as art.18, paragraph 1, of the l. 24 November 1981, n. 689).

With a note of the XX (prot.n.XX), the Municipality presented a defensive brief, declaring, in particular, that:

- "in the present case, the assumption of lawfulness of data processing is constituted by the following rules: art. 2 paragraph 1 of Law 241/1990; art. 124 of Legislative Decree 18 August 2000, n. 267 (TUEL); art. 59, paragraph 9, n. 2 of the CCNL Local Functions of 21.05.2018; articles 94 ss of the Internal Regulations for the organization of offices and services, adopted by the Entity by virtue of the regulatory autonomy recognized to the Municipality by Article 117 co. 6 of the Republican Constitution ";

- "in particular, pursuant to art. 2, paragraph 1, Law 241/90, the Public Administration is obliged to conclude the proceedings, initiated ex officio or at the request of a party, with an express provision, unless a formal, unchallenged administrative resolution has already been adopted and there have been no changes in the factual or legal situation, or the questions are manifestly absurd or totally unfounded or illegal";

- “with reference instead to the alleged processing of personal data carried out through the publication of the provision - given however that the latter does not contain any personal data intelligible to anyone - the basis of lawfulness, pursuant to the aforementioned art. 124 TUEL, is not to be found in the object of the determination but in its provisional nature: each determination is published in the praetorian notice, regardless of the subject matter ";

- "the Municipality has published the online register within the time limits provided for by the relevant legislation (Article 124 of Legislative Decree 18 August 2000, n. 267): precisely the deed was published from 17 October 2019 to 31 October 2019. No data contained in the deeds published on the online register of the municipality can be indexed, at any time, on the municipality's website using general search engines ";

- “the Municipality, having ascertained the existence of the formal requirement pursuant to the aforementioned art. 124 TUEL, in consideration of the principles of necessity, proportionality and relevance, verified the absence of particular categories of data within the provision and proceeded from the design of the treatment, in compliance with the minimization principle pursuant to art. 5 of Regulation EU / 2016/679, to the pseudonymisation of the personal details [of the employee], immediately identifying [the complainant] by means of the registration number only and avoiding highlighting other elements that, not even indirectly, could allow to trace the person who has been subjected to disciplinary proceedings ";

- “it was considered that the encryption system used meets the pseudonymisation requirements since the alphanumeric code used, even if not generated for this purpose, is in any case created randomly; the decryption algorithm is known exclusively - according to the functional principle of strict necessity - by the personnel department entitled to process the personal data [of the employee] for the purpose of providing the remuneration. There is therefore no way to trace the data [of the same], nor for any other person, neither internal nor external to the Administration, to know the decryption algorithm. Therefore, there is no possibility through the matriculation code, to identify [the complainant], not even potentially by means of identification, correlation and deduction, with the exception of employees who were already aware, ratione officii, of the incident ";

- “finally, with reference to the press release, it is noted that its issue did not involve any processing of personal data as the text is completely anonymous. The purpose that was intended to be pursued, through this press release, was to prevent the dissemination of distorted and / or incomplete information, as it was learned that the XX would publish an article on the matter. Consequently, in order not to create disturbance and disorientation in users, the Administration considered it appropriate to clarify that the problem that arose was immediately resolved, first with the suspension, and subsequently with the dismissal, without any economic prejudice for the users of the service ".

3. Outcome of the preliminary investigation.

3.1 The regulatory framework.

The personal data protection discipline provides that public subjects, in the employment context, may process the personal data of the interested parties, also relating to particular categories, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks provided for by law or by the law of the Union or of the Member States (art. 6, par. 1, lett. c), 9, par. 2, lett. b) and 4 and 88 of the Regulation). The processing is also lawful when it is "necessary for the performance of a task of public interest or connected to the exercise of public authority vested in the data controller" (Article 6, paragraph 1, letter e), 2 and 3, and art. 9, par. 2, lett. g), of the Regulation; art. 2-ter of the Code, in the text prior to the changes made by Legislative Decree 8 October 2021, n. 139).

European legislation provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of the [...] Regulation with regard to processing, in accordance with paragraph 1, letters c) and e), determining more precisely specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing [...]" (Article 6, par. 2, of the Regulation). In this regard, it should be noted that the dissemination of personal data (such as publication on the Internet) by public entities is permitted only when provided for by a law or, in the cases provided for by law, by regulation (cf. art. 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the changes made by the legislative decree 8 October 2021, n. 139).
The data controller is required, in any case, to comply with the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "data minimization", on the basis of which personal data must be "processed in a lawful, correct and transparent manner towards the data subject" and must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter a) and c), of the Regulation).

3.2 The dissemination of personal data.

As is clear from the deeds and declarations made by the data controller, as well as from the assessment made on the basis of the elements acquired as a result of the investigation and subsequent assessments of this Department, the Municipality has published, on the institutional website, section Albo Pretorio, the determination n. 742 of October 16, 2019, containing the information of the dismissal of the complainant, identified with his/her registration number.

Although, as claimed by the Municipality, the determination in question did not expressly mention the name and surname of the complainant, the latter was in any case identifiable through his/her registration number; the information contained in the determination, relating to the complainant, must therefore be considered "personal data" pursuant to art. 4, par. 1, no. 1, of the Regulation.

In fact, "personal data" means "any information concerning an identified or identifiable natural person", and "the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as [...] an identification number [...]" is to be considered identifiable (art. 4, par. 1, n. 1) of the Regulation), as is the case for the registration number which, in the case of determination no. 742 of 16 October 2019, is uniquely associated with the interested party. The serial number is, therefore, to be considered an identification number certainly suitable to allow the identity of the interested party to be traced, not only by the authorized personnel of the Municipality, but also by any third parties with whom the interested party has been able, over time, to share this number (think, for example, of colleagues and family members). Moreover, the pseudonymisation carried out by the Municipality through the insertion of the registration number constitutes a mere technical measure that allows, in any case, the identity of the interested party to be traced, albeit indirectly and/or through the use of additional information (see Article 4, paragraph 1, No. 5 of the Regulation and, in this regard, also see Recital No. 26 of the Regulation, on the basis of which personal data subjected to pseudonymisation must be considered information on an identifiable natural person).

As specified by the Municipality itself, this identification number was not generated exclusively to indicate the complainant in correlation with the determination subject to publication, but constituted an identification associated with the interested party in the context of the employment relationship, also "for the purpose of disbursement of the economic treatment "(see note of the Municipality of the 20th cited above).

In any case, the Municipality has not proven the existence of a specific law that obliges the body to publish the determination of acknowledgment of the disciplinary dismissal of an employee, recalling in the defensive writings the national regulations relating to publications on the Praetorian Register of Local Authorities (Article 124, paragraph 1, of Legislative Decree No. 267 of August 18, 2000). In this regard, it should be noted that this Authority, on several occasions, has clarified that even the presence of a specific publicity regime cannot entail any automatism with respect to the online dissemination of personal data and information, nor an exception to the principles regarding the protection of personal data (see provision of February 25, 2021, n. 68, web doc. 9567429). This is also confirmed by the personal data protection system contained in the Regulation, in light of which it is envisaged that the data controller must "put in place adequate technical and organizational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed" and must be "able to demonstrate" - in light of the principle of "accountability" - that it has done so (articles 5, par. 2; 24 and 25, par. 2, Regulation). In numerous decisions regarding the obligations deriving from art. 124 of Legislative Decree 267/2000, invoked by the Municipality, in fact, the Guarantor reiterated that all the limits set by the principles of data protection with regard to the lawfulness and minimization of data apply to publications in the online praetorian register (see part II, par. 3.a. of the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities").

In the resolution to be published, therefore, no personal data of the complainant should have been reported (in this case the registration number) that could in any case have allowed the identification of the same, resorting, if necessary, to the technique of "omissis" or other data anonymization measures (see, on this point, provisions of 27 January 2021, no. 34, web doc. 9549165, 2 July 2020, no. 118, web doc. 9440025 and 2 July 2020, n. 119, web doc. 9440042).

The publication of the determination in question, with this expedient, would not, however, compromise the principle of conclusion of the procedure referred to in art. 2 of the l. 241/1990, since the full version of the same would have remained, in any case, in the records of the Municipality and would have been accessible, by qualified persons, in the ways and within the limits established by law.

Nor can the provisions of the CCNL Local Functions of 21.05.2018 (and other internal provisions relating to the organization of municipal offices), reported in the defensive writings of the Municipality, be considered relevant, also with regard to the quality and content of the source. These provisions, which in any case do not meet the requirements of an appropriate legal basis pursuant to art. 2-ter, paragraphs 1 and 3 of the Code in the text prior to the changes made by Legislative Decree 8 October 2021, n. 139, are limited, in fact, to indicate the cases and methods of the disciplinary procedure, but do not envisage, nor could they justify, the online dissemination of the resolution acknowledging the disciplinary dismissal of an employee.

The disclosure of the complainant's personal data, contained in determination no. 742 of 16 October 2019, therefore occurred in a manner that did not comply with the principles of data protection and in the absence of an appropriate legal basis, in violation of Articles 5, par. 1, lett. a) and c), and 6 of the Regulations, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021).

4. Conclusions.

In light of the aforementioned assessments, it is noted that the statements made by the data controller during the investigation - for the truthfulness of which one may be called to answer pursuant to art. 168 of the Code - although worthy of consideration, do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome and are insufficient to allow the filing of this procedure, since, moreover, none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality is noted, for having disseminated, through online publication, the determination n.742 of October 16, 2019, containing personal data relating to the dismissal of the complainant for disciplinary reasons, in the absence of a legal basis, in violation of Articles 5, par. 1, lett. a) and c), 6 of the Regulations as well as Article 2-ter of the Code (in the text prior to the changes made by Legislative Decree 8 October 2021, no. 139). On the other hand, given the absence of personal data in the press release, it is considered to archive the profile concerning the publication of the same.

The violation of the aforementioned provisions makes applicable the administrative sanction provided for by art. 83, par. 5, of the Regulation, pursuant to art. 58, par. 2, lett. i), and 83, par. 3, of the same Regulation, as also referred to by art. 166, paragraph 2, of the Code.

In this context, considering, in any case, that the conduct has exhausted its effects - given that the dissemination of the data ceased on October 31, 2019 - the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations as well as art. 166 of the Code, has the power to "inflict an administrative pecuniary sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case "and, in this context," the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, taking into account art. 83, par. 3, of the Regulations, in this case the violation of the aforementioned provisions is subject to the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the elements provided for by art. 83, par. 2, of the Regulation.

In relation to the aforementioned elements, it was considered that the detected conduct had as its object the dissemination of personal data relating to events related to the employment relationship referring to a disciplinary procedure against an employee, despite the numerous indications given by the Guarantor to all public entities since 2014 with the aforementioned guidelines (see also "Guidelines on the processing of personal data of workers for the purpose of managing the employment relationship in the public sphere" of June 14, 2007, web doc. no. 1417809 ).

On the other hand, it was favorably taken into consideration that the violation did not concern particular categories of personal data and that it involved only one interested party. Furthermore, the publication in the Praetorian Register of the determination in question took place for a short period of time and without any indexing on generalist sites. Furthermore, there are no previous relevant violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation.

The Municipality of Thiene falls within the demographic dimension of just over 23,000 inhabitants.

Due to the aforementioned elements, assessed as a whole, it is considered appropriate to set the amount of the pecuniary sanction at € 3,000 (three thousand) for the violation of Articles 5, par. 1, lett. a) and c), 6, as well as 2-ter of the Code (in the text prior to the changes made by Legislative Decree 8 October 2021, no. 139), as a pecuniary administrative sanction that is, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account that the deed disseminated online contained references to a delicate personal story of the interested party, regarding dismissal for disciplinary reasons, it is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should be applied.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

IN VIEW OF THE FOREGOING, THE GUARANTOR

declares, pursuant to art. 57, par. 1, lett. f), of the Regulations, the unlawfulness of the processing carried out by the Data Controller for violation of Articles 5, par. 1, lett. a) and c), 6 of the Regulations, as well as 2-ter of the Code (in the text prior to the changes made by Legislative Decree No. 139 of 8 October 2021), within the terms set out in the motivation;

ORDERS

pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations, as well as art. 166 of the Code, the Municipality of Thiene, in the person of the pro-tempore legal representative, with registered office in Piazza Ferrarin 1 - 36016 Thiene (VI), C.F. 00170360242, to pay the sum of € 3,000 (three thousand) as a pecuniary administrative sanction for the violations indicated in the motivation. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;

ENJOINS

the aforementioned Municipality, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 3,000 (three thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the l. n. 689/1981;

PROVIDES FOR

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see Article 16 of the Guarantor Regulation No. 1/2019);

the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lett. u), of the Regulation, of the violations and of the measures adopted in compliance with art. 58, par. 2, of the Regulation (see art. 17 of the Guarantor's Regulation no. 1/2019).

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, September 15, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei