Garante per la protezione dei dati personali (Italy) - 9920292

From GDPRhub
Garante per la protezione dei dati personali - 9920292
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.07.2023
Published: 07.08.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 9920292
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

Data collected for a risk assessment for vaccination against Monkeypox was considered a violation of the principles of lawfulness, fairness and transparency and of integrity and confidentiality (Article 5(1)(a), Article 5(1)(f) and Article 13 GDPR).

English Summary

Facts

A number of complaints were made to the Italian DPA by multiple data subjects against the Lazzaro Spallanzani National Institute for Infectious Diseases (hereinafter, the controller). The complaints were against the controller’s vaccination procedure for Monkeypox. The controller asked those interested in receiving vaccinations to fill out a questionnaire and send it to an internal email address. The data subjects were unable to book a vaccination appointment without filling the questionnaire.

The questionnaire asked questions such as:

  • "Do you fall under one of the following definitions: gay - transgender – bisexual l - man who has sex with men (MSM)"
  • "Have you had a recent history (last 3 months) with multiple sexual partners? "
  • "Have your sexual partner(s) participated in group sex events?"
  • " Have your sexual partner(s) had a recent sexually transmitted infection (syphilis, gonorrhoea, chlamydia) with at least one episode in the last year?"
  • "Do you or your sexual partner(s) have a habit of associating sexual acts with the use of chemical drugs (Chemsex)?"

This information falls under the category of special personal data under Article 9 GDPR as it relates to both health data, and data concerning a person’s sexual orientation/ sex life. Article 13 GDPR imposes a duty upon controllers to provide data subjects with information regarding the processing, such as the purposes for the processing, the legal basis for processing and the amount of time the data will be stored for, amongst others. The controller, during this process, did not provide data subjects with information regarding the processing.

In its investigation of the complaints, the Italian DPA requested further information from Italy’s Ministry of Health on what its official approach was to the provision of Monkeypox vaccinations. The Ministry submitted that there was no instruction from them to the regional health institutes that there should be prior identification of those to be vaccinated, vaccinations were to be on an entirely voluntary basis.

On 25 October 2022, in response to the complaints the Italian DPA requested further information from the controller, asking them to demonstrate compliance with the principles of lawfulness and fairness, data minimisation, transparency and integrity and confidentiality (Articles 5(1)(a), (c) and (f) GDPR).

The controller replied that in the beginning of the Monkeypox virus breakout, there were more requests than vaccines available. Consequently, they needed to collect data subjects’ information in order to prioritise applicants due to the limited availability at the time. The controller also submitted that reservation emails from this first phase of reservations were deleted and no database was created with the information collected.

The controller additionally submitted that following the initial emergency outbreak period, the following steps were taken to change their vaccination system:

  • They changed the internal email address used by data subjects to make vaccination requests.
  • It was no longer necessary for those making a vaccination reservation to fill in the questionnaire in order to be able to receive the vaccine.
  • Providing data subjects registering for the vaccine with the information necessitated by Article 13 GDPR.

Holding

The Italian DPA found a breach of Article 13 GDPR, Article 5(1)(a) GDPR and Article 5(1)(f) GDPR. This ruling was on the following bases:

Firstly, Article 13 GDPR when read in line with Article 5(1)(a) GDPR, requires that personal data must be processed in a lawful and transparent manner. Therefore, while the controller’s collection of data in order to prioritise vaccination applicants was not in itself unlawful, the lack of transparency surrounding the processing was unlawful. The controller did not provide data subjects with the relevant information as required by Article 13 GDPR regarding the processing. This failure to communicate was seen as a violation of the principle of transparency under Article 5(1)(a) and a breach of the duties outlined in Article 13. For the purposes of the GDPR, requesting sensitive date for the prioritisation of higher risk patients is not unlawful. However, this ought to have been communicated in the privacy policy.

Secondly, the Italian DPA additionally found that the means of processing were non-compliant with Article 5(1)(f) GDPR. Article 5(1)(f) GDPR asks that controllers ensure the “appropriate security” and “technical and organisational measures.” The DPA interpreted the controller’s data processing measures, through the use of a common internal email address during the initial outbreak period to have been insufficient to ensure appropriate levels of security.

The Italian DPA classified the violation as “minor” pursuant to Recital 148 GDPR and the WP 253 Guidelines, as the controller was updating its data processing system and proved cooperative during the complaints procedure. As a result, the DPA issued a warning to the controller under Article 58(2)(b) GDPR and Article 83(2) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.