Garante per la protezione dei dati personali (Italy) - 9917900

From GDPRhub
Garante per la protezione dei dati personali - 9917900
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(d) GDPR
Article 9 GDPR
Article 83 GDPR
Article 85 GDPR
Section 10 of the Deontological Rules - Official Gazette of 4 January 2019, No. 3
Section 137(1) of the Legislative Decree No. 196 of 30 June 2003
Section 137(3) of the Legislative Decree No. 196 of 30 June 2003
Section 7 of the Codes of Conduct accompanying the Legislative Decree No. 196 of 30 June 2003, Governing the Processing of Personal Data in the Exercise of Journalistic Activities
Type: Complaint
Outcome: Upheld
Started: 29.12.2021
Decided: 08.06.2023
Published: 18.07.2023
Fine: 30,000 EUR
Parties: n/a
National Case Number/Name: 9917900
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA issued a fine of €30,000 to a local newspaper for publishing a minor’s data.

English Summary

Facts

On 29 December 2021 and 28 Jan 2022, two complaints were filed by two data subjects against a newspaper company (the controller), for having published the news of their child’s death and images of his funeral without their consent. In addition to publishing the news of their child’s death, the newspaper also published the alleged illness that the child had been suffering from, his age and date of birth, as well as the name and surname of his one-year old sibling. To add to this, the newspaper also published the data subjects’ names, place of residence and occupation. This information had been published on the newspaper’s front page, their promotional posters and on their online website.

In response to the data subject’s complaints, the controller made submissions arguing that the “veil of confidentiality” had been lifted, as the news of the child’s death was well-known in the local community. They argued that the death had been disseminated to the community by the local parish priest at a church service, and thus, given that the information was in the public domain, they were not in violation of the GDPR. Article 85 GDPR governs the reconciliation of journalistic freedom with data protection. However, the GDPR leaves this task to the legislatures of each Member State, consequently the laws governing this area are domestic laws.

The applicable Italian domestic laws referenced by the DPA in this case are as follows:

  • Section 137(3) of the Legislative Decree No. 196 of 30 June 2003, and Sections 5 and 6 of the Deontological Rules (Official Gazette of 4 January 2019, No. 3). These provisions restrict the dissemination of personal data by the press, by establishing a test which asks that the information published must be of “an essential nature (…) to the public interest.”
  • Section 7 of the Codes of Conduct accompanying the Legislative Decree No. 196 of 30 June 2003, which govern the processing of personal data in the exercise of journalistic activities. Section 7 provides that in order to protect a minor’s personality, journalists shall not publish the names of minors involved in news events, nor shall they provide details capable of leading to their identification. Section 7 is supplemented by the Treviso Charter.
  • Section 8 of the Charter of Treviso states that “(…) in the case of minors (…) who have died due to illness, their memory must be protected by avoiding the diffusion of their personal details, images and any other identifying elements unless the persons entitled to them give their consent.”
  • Section 10 of the Deontological Rules (Official Gazette of 4 January 2019, No. 3), which provides that in relation to “serious or terminal illness referable to an identified or identifiable person, a journalist must respect the dignity, confidentiality and personal decency of that person and to refrain from publishing analytical data of strictly clinical interest.”

Holding

The Italian DPA held that the controller’s processing was unlawful for the purposes of Articles 5(1)(a), 5(1)(c), 5(1)(d) GDPR, Article 9 GDPR, and Article 85 GDPR when read in line with domestic legislation. This was decided on the following grounds:

Firstly, the nature of the controller’s processing violated Article 5(1)(a), 5(1)(c) and 5(1)(d) GDPR. The publication of the late child’s personal details, as well as the name and age of the younger sibling and the data subjects’ personal information was in breach of the principle of data minimisation. The Italian DPA found that the publication of this information was not essential to the public interest, and in actuality was excessive and irrelevant.

Secondly, the publication of the deceased minor’s health data was a violation of Article 9 GDPR. To clarify, the scope of the GDPR extends only to living natural persons (Article 2 GDPR). However, the data subjects in this case were the parents of the deceased minor, who made a claim in their own right as parents exercising parental authority over the minor and his data. Consequently, the DPA accepted the data subjects’ submission that the publication of the health data was in breach of Article 9 GDPR.

Thirdly, the controller’s processing was in violation of Article 85 GDPR and the aforementioned domestic laws governing journalistic freedom in the context of data protection. The Italian DPA concluded that the disclosure of a minor’s details did not fall within the scope of the test of essentiality. Noting that “the protection of the dignity of sick and deceased persons is to be considered further strengthened in the case of a minor, in this case, a five-year old child, also, in order to protect his family unit and his memory and that, therefore, the public interest parameter of the alleged illness from which he was suffering cannot be considered essential.”

Consequently, the Italian DPA made an order under Article 58(2)(f) GDPR, prohibiting further processing. In addition, the DPA issued a fine of €30,000. The maximum applicable fine in this case was €20 million on the basis of the controller’s annual turnover. However, given that the controller had not previously committed any similar infringements, the Italian DPA decided to fine them 0.15% of the maximum fineable amount, at €30,000.

Comment

http://www.privacy.it/archivio/privacycode-en.html#annexa1

http://www.privacy.it/archivio/privacycode-en.html#sect137

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.