Garante per la protezione dei dati personali (Italy) - 9920292
Authority: Garante per la protezione dei dati personali (Italy)
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(f) GDPR; Article 13 GDPR
National Case Number/Name: 9920292
European Case Law Identifier: n/a
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Data collected for a risk assessment for vaccination against Monkeypox was considered a violation of the principles of lawfulness, fairness and transparency and of integrity and confidentiality (Article 5(1)(a), Article 5(1)(f) and Article 13 GDPR).
English Summary
Facts
A number of complaints were made to the Italian DPA by multiple data subjects against the Lazzaro Spallanzani National Institute for Infectious Diseases (hereinafter, the controller). The complaints concerned the controller’s vaccination procedure for Monkeypox. The controller asked those interested in receiving a vaccination to fill out a questionnaire and send it to an internal email address. The data subjects were unable to book a vaccination appointment without filling out the questionnaire.
The questionnaire asked questions such as:
- "Do you fall under one of the following definitions: gay - transgender - bisexual - man who has sex with men (MSM)"
- "Have you had a recent history (last 3 months) with multiple sexual partners?"
- "Have your sexual partner(s) participated in group sex events?"
- "Have your sexual partner(s) had a recent sexually transmitted infection (syphilis, gonorrhoea, chlamydia) with at least one episode in the last year?"
- "Do you or your sexual partner(s) have a habit of associating sexual acts with the use of chemical drugs (Chemsex)?"
This information falls under the category of special categories of personal data under Article 9 GDPR, as it relates both to health data and to data concerning a person’s sexual orientation and sex life. Article 13 GDPR imposes a duty on controllers to provide data subjects with information regarding the processing, including, amongst other things, the purposes of the processing, its legal basis and the period for which the data will be stored. During this process, the controller did not provide data subjects with any such information.
In its investigation of the complaints, the Italian DPA requested further information from Italy’s Ministry of Health on its official approach to the provision of Monkeypox vaccinations. The Ministry submitted that it had given no instruction to the regional health institutes that those to be vaccinated should be identified in advance; vaccinations were to be on an entirely voluntary basis.
On 25 October 2022, in response to the complaints, the Italian DPA requested further information from the controller, asking it to demonstrate compliance with the principles of lawfulness and fairness, data minimisation, transparency, and integrity and confidentiality (Articles 5(1)(a), (c) and (f) GDPR).
The controller replied that at the beginning of the Monkeypox outbreak there were more requests than vaccines available. Consequently, it needed to collect data subjects’ information in order to prioritise applicants given the limited availability at the time. The controller also submitted that the reservation emails from this first phase had been deleted and that no database had been created with the information collected.
The controller additionally submitted that, following the initial emergency outbreak period, it took the following steps to change its vaccination system:
- It changed the internal email address used by data subjects to make vaccination requests.
- It was no longer necessary for those making a vaccination reservation to fill in the questionnaire in order to receive the vaccine.
- It provided data subjects registering for the vaccine with the information required by Article 13 GDPR.
Holding
Secondly, the Italian DPA found that the means of processing were non-compliant with Article 5(1)(f) GDPR. Article 5(1)(f) GDPR requires controllers to ensure “appropriate security” of personal data through “appropriate technical or organisational measures.” The DPA considered that the controller’s processing measures, namely the use of a shared internal email address during the initial outbreak period, were insufficient to ensure an appropriate level of security.
The Italian DPA classified the violation as “minor” pursuant to Recital 148 GDPR and the WP 253 Guidelines, as the controller was updating its data processing system and proved cooperative during the complaints procedure. As a result, the DPA issued a warning to the controller under Article 58(2)(b) GDPR and Article 83(2) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.