Garante per la protezione dei dati personali (Italy) - 9983210

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 6 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started: 13.04.2023
Decided: 11.01.2024
Published: 14.02.2024
Fine: 8000 EUR
Parties: David S.r.l.
National Case Number/Name: 9983210
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: im

The Italian DPA imposed a fine of €8,000 on a private health facility for the unlawful processing of sensitive data on its Instagram account.

English Summary

Facts

A data subject who was filmed during an aesthetic medicine procedure in the Dvora Aesthetic Center, the controller, filed a complaint with the Italian DPA claiming an unlawful dissemination of his personal data on the Instagram account of the controller.

In response to the complaint, the controller presented evidence that the data subject had given tacit consent to the processing and publication of his data and images on social networks.

However, the data subject argued that he did not consent to the filming of a video in which his face would be recognizable together with his enlarged pores, which, he argued, relate to his health status.

Holding

Article 9(2)(a) GDPR provides that the processing of special categories of personal data, also called sensitive data, may take place only if the data subject has given explicit consent to the processing for one or more specified purposes. In this case, the data subject claimed that the filming of his enlarged pores during the aesthetic procedure was unlawful, since he had not given the explicit consent required under the above-mentioned Article.

Considering the findings, the Italian DPA clarified that the sensitive nature of a piece of information must also be assessed in relation to its context. Even though no explicit reference was made to a pathology possibly suffered by the data subject, the DPA considered the recording of the data subject's facial imperfections to be health data, because the controller itself described the procedure as a "non-surgical rhinoplasty", a procedure relating to a person's health status. For this reason, the so-called "tacit" consent of the data subject cannot be considered validly given: the exception to the prohibition on processing special categories of data relied upon here, Article 9(2)(a) GDPR, allows such processing only on the basis of the data subject's explicit consent. Therefore, even though the data subject was aware that the health service he was undergoing was being filmed, this does not amount to having obtained from the data subject informed, specific and explicit consent as to how the recorded data would be processed and, in the present case, even disseminated on a social channel.

Additionally, the controller provided information to the data subject that was inadequate and lacked the essential elements referred to in Article 13 GDPR.

For these reasons, the processing of personal data carried out by the controller was found to be in violation of Articles 5(1)(a), 6, 9, 12 and 13 GDPR.

The Italian DPA ordered the controller to bring processing operations into conformity with the provisions of GDPR and imposed a fine of €8,000 on the controller.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO: Newsletter of February 14, 2024



[doc. web no. 9983210]

Provision of 11 January 2024

Register of measures
n. 10 of 11 January 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia, member, and Councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing “Code regarding the protection of personal data” (hereinafter “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution of the Guarantor no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and on www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

SPEAKER Prof. Ginevra Cerrina Feroni;

PREMISE

1. The preliminary investigation activity.

In March 2023, this Authority received a complaint concerning the dissemination on the social media Instagram, in the public profile "DvoraAncona" of the company David S.r.l. (Dvora Aesthetic Center), of a video in which the complainant was filmed during an aesthetic medicine procedure (non-surgical rhinoplasty) carried out by Dr. Ancona, legal representative of David S.r.l., the company to which the Dvora Beauty Center belongs (hereinafter the “Company”).

According to the complainant, this dissemination occurred in the absence of a valid legal basis, as the information provided and the expression of consent signed by the interested party would not comply with the regulations on the protection of personal data.

In support of the complaint, the complainant produced the documentation relating to the aforementioned video, which was subsequently removed at the request of the complainant himself from the aforementioned social media.

In relation to the aforementioned complaint, the Office started a preliminary investigation and requested information from the Company (note dated 13 April 2023, protocol no. 61380), which, with note dated 12 May 2023, in response to the aforementioned request for information, represented, in particular, that:

“on the occasion of - and prior to the - treatments to which the (...) [complainant] was subjected by the exponent, the (...) [complainant] signed and issued a document with which he expressed his free and unconditional consent to the processing of his data”;

“the consent issued by the (…) [complainant] contained the express warning and clear provision that the data and images acquired during the treatments would also be used for publication on social networks for informative/scientific/advertising purposes, as per art. 1 of the aforementioned information signed by the interested party”;

the aforementioned consent "is therefore specific and authorizes the publication of data and images on social networks, as well as validly granted (also in written form)";

“as per the film [sent by registered mail and the documents of the proceedings acquired], during the filming, it was expressly represented [to the complainant] that, in accordance with the consent given, the treatment would be filmed live and sent in a so-called live story on Instagram, as can be seen from the fact that during the treatment two video recording lamps were installed and clearly visible, that the filming was carried out manually via mobile phones in front of witnesses and that the exponent openly and explicitly greeted the Instagram users connected live. The [complainant], perfectly aware of what was happening and of the processing that was being carried out at that moment on his personal data, expressed (tacit) consent, or in any case, objected to nothing”;

with his behavior, the interested party has at least induced the representative to believe that he had consented "to the particular type of processing of his personal data";

“the treatment to which the [complainant] was subjected was carried out in 2 sessions lasting a total of over half an hour each; the video recordings referred to in the published video [...], are limited in total to 34 seconds, that is to say, only the data that was adequate and which was really needed to achieve the declared purposes of the processing were processed (i.e. publication of an article (which in the language of social media is defined as "Post") on social networks, about the effects of the treatment) and limited to those strictly necessary";

during the filming "the subject was lying down with his beard and hair pulled back [...] and that a good part of the small visible portion of the face remained covered by the exponent's hands and equipment [...] it is therefore believed that the filming conditions are such as to guarantee the non-identifiable nature of the person involved";

“at the simple request of the interested party, the video was promptly removed from the [only] social network [Instagram, on which it had been published]. [...] the personal data were not disclosed through other methods" and the video "is not accessible in any way, not even following specific research";

“the only device on which the video was stored was that of the exponent, with which it was created (in addition to a backup copy, in the exclusive availability of the exponent)”;

this being said, given the valid consent freely expressed by the interested party and that "social networks constitute, to date, the first tool for disseminating information, including scientific information, this is so true that according to a report by the European Commission, the so-called Eurobarometer 2021, in European countries 29% of the population keeps informed about science and technology through new digital media including social networks. In this context, social media offer themselves to scientists and academics as a means to develop both their professional profile and their public communication activities, with the promise of amplifying the contents of their research and extending the pool of users involved in conversations about science and technology [...] it is believed that the representative believed in good faith to have received valid and express consent from the interested party to the processing of data and to their publication";

in order to take advantage of the findings expressed by the Authority, the Company also represented that it had undertaken a process of verifying the conformity of the processing carried out with the regulations on the protection of personal data by implementing specific actions; in particular it declared that it had:

• organized specific training courses attended by employees and collaborators involved in data processing and to have started a review process of all internal procedures, the completion of which will be brought forward compared to the date previously indicated at the end of the current year;

• appointed, starting from 1 May 2023, an "external DPO and subject matter expert";

• already before receiving the communication regarding the start of this procedure, modified the "documents with which consent to the processing of patient data is requested, adopting specific provisions on the use of health data for the purposes of presentations, publications or disclosures scientific, also on social media”;

• provided for the further verification by a "third-party specialized company, with respect to the editors of these new models [...] (second opinion) of the conformity of this documentation with the applicable regulations, also conforming to the indications that will be valid in the matter taking into account the 'adoption of the code of conduct for the use of data for educational purposes and scientific publications […]”;

• planned, with the help of the appointed DPO, the further "reworking of the forms to express informed consent and consent to data processing, with specific indications regarding the publication of photos and videos on social networks (with express indication of Instagram and others)";

• been evaluating the "adoption of specific verification and modification tools and/or which automatically make the subjects who undergo the processing non-identifiable (anonymisation/pseudonymisation) subject, in any case, to verification that all data have been provided by the interested parties the authorizations required by sector regulations".

In relation to what emerged from the documentation on file, the Office notified the aforementioned Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2 of the Regulation, inviting the aforementioned controller to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981) (note of 16 June 2023, protocol no. 94136).

In this act, the Office found that the Company had processed personal data in a manner that did not comply with the principles of "lawfulness, correctness and transparency", in violation of arts. 5, par. 1, letter a), 12 and 13 of the Regulation, and in the absence of a suitable legal basis, in violation of art. 2-septies, paragraph 8 of the Code and arts. 6 and 9 of the Regulation.

With a note dated 14 July 2023, the Company sent its defense briefs, not asking to be heard at a hearing.

In particular, the Company, in referring in full to what is contained in the written defense produced in response to the aforementioned request for information from the Office, represented that:

“what was operated on the appellant was a mere aesthetic application, in particular, the treatment of enlarged nose pores; it was therefore not clarified what information relating to the applicant's state of health would be disseminated. In other words, in the present proceeding the existence of a logical assumption is taken for granted which is, in fact, not at all obvious: i.e. that health data has been processed. However, it appears that this is not the case, given that the possible presence of dilated pores (the presence of which concerns 100% of the world population) in itself reveals nothing about the subject's health";

"the processing in question of the [complainant's] data took place on the basis of a written and express consent which the representative, entirely in good faith, considered perfectly valid, mentioning the said consent also the social networks and therefore the tool on which the footage was (for a very short time) published”;

"has taken good note of the observations of this excellent Authority, with which it is already complying" by producing specific documentation in this regard, including the statement of the elements referred to in the art. 83, par. 2 of the Regulation, acquired in the proceedings.

With specific reference to this last document, the Company represented that:

“The alleged violation involved a single person: the appellant; the representative, David S.r.l., acted believing he had written and verbal consent; the time in which the appellant is recognizable is limited from the second 0:24 to the second 0:25, his face was always covered by Dr. Ancona's hands in order to carry out the service; the time the video remained on social media was limited to 45 days with very few views; a few minutes passed from the request for cancellation by the appellant to the actual cancellation; the subject has not been tagged (reference of the image to his specific person and/or his social account)”;

“the representative, David S.r.l., acted in the full belief that the subject was aware of and consented to the resumption and dissemination of the treatment on Instagram. Both to the exponent and to the bystanders (1 medical assistant present there and 2 people who prepared the video) this seemed clear and indeed they believed, completely in good faith, that the subject was pleased with this";

“upon simple request and without raising any objections, even on the assumption of having acted correctly, the exponent immediately proceeded with the definitive deletion of the video from Instagram”;

“the representative had already provided specific training to his staff on the correct processing of personal data; furthermore, following the event the representative reformulated all the consent forms and provided new training to the staff";

“Full collaboration. In any case, there was no need, given that the video has been removed and is not available in any way”;

“processed data does not reveal any state of health. All that can be deduced is that the subject underwent an aesthetic treatment for the dilated pores of the nose";

“[…] it was a single violation; the cost of the intervention was 350.00 (three hundred and fifty) euros; David srl is a small aesthetic medicine company, despite this it is implementing quality certification systems, including correct data management”.

2. Outcome of the preliminary investigation.

Having taken note of what is represented by the Company in the documentation on file and in the defense briefs, it is noted that:

pursuant to the Regulation, "personal data" means "any information relating to an identified or identifiable natural person ("data subject")". Furthermore, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characteristic of his physical, physiological, genetic, mental, economic, cultural or social identity" (art. 4, no. 1 of the Regulation), and "health data" means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information relating to his or her state of health (art. 4, par. 1, no. 15, of the Regulation). Recital no. 35 of the Regulation then specifies that data relating to health "include information on the natural person collected during his registration for the purpose of receiving health care services";

pursuant to the Regulation, personal data must be "processed in a lawful, correct and transparent manner towards the interested party ("lawfulness, correctness and transparency")" and must be collected for specific, explicit and legitimate purposes, and subsequently processed in a manner that is not incompatible with these purposes ("purpose limitation principle") (art. 5, par. 1, letter a), and b) of the Regulation);

with specific reference to particular categories of data, including health data, art. 9 of the Regulation establishes a general prohibition on the processing of such data unless one of the specific exemptions referred to in paragraph 2 occurs;

in this regard, the Guarantor has repeatedly highlighted that with the full application of the Regulation, unlike in the past, the healthcare professional, subject to professional secrecy, no longer needs to request the patient's consent for the treatments necessary for the healthcare service requested by the interested party, regardless of whether he or she works as a freelancer (in a medical practice) or within a public or private healthcare facility (see provision "Clarifications on the application of the regulations for the processing of health-related data in the healthcare sector" of 7 March 2019, web doc. no. 9091942);

in cases where the processing is not strictly necessary for treatment purposes and the legal basis is the consent of the interested party, such consent must, taking into account the nature of such data, which is particularly sensitive in terms of fundamental rights and freedoms, be provided through a positive act with which the interested party expresses a free, specific, informed and unequivocal will relating to the processing of personal data concerning him. Given the nature of such data, this consent cannot be tacit, but must be explicit (art. 9, par. 2, letter a) of the Regulation and par. 4 of Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679, adopted by the European Data Protection Board on 4 May 2020);

it is also stated that the Regulation gives Member States the power to introduce further conditions, including limitations, with regard to the processing of genetic, biometric or health-related data (art. 9, par. 4 of the Regulation). The national legislator has implemented these provisions, as far as is relevant here, through art. 2-septies of the Code, which provides that information on the state of health cannot be disseminated (see also art. 166, paragraph 2, of the Code), can be communicated only to the interested party, and can be communicated to third parties only on the basis of a suitable legal basis or upon indication of the interested party himself following written authorization from the latter (art. 9 Regulation);

the Authority, since 2014, in compliance with art. 22, paragraph 8, of the Code in force at the time, has stated that "the publication of any information from which the state of illness or the existence of pathologies of the interested parties can be deduced, including any reference to conditions of invalidity, disability or physical and/or mental handicaps, [is not permitted]. For this purpose, starting from the drafting stage of the deeds and documents subject to publication, in compliance with the principle of adequate motivation, no "excessive", "irrelevant" or "non-essential" (and, even less so, "prohibited") data [must be included]. Otherwise, it is necessary, in any case, to provide for the relevant blackout" (see Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purposes of advertising and transparency on the web by public entities and other obliged bodies, part II, par. 1, dated 15.5.2014, web doc. no. 3488002);

the principles of transparency and correctness imply that the interested party is informed of the existence of the processing and its purposes, and that personal data are processed by providing the interested parties with the information referred to in art. 13 of the Regulation (recital no. 60 and art. 5, par. 1, letter a) of the Regulation). The information must be provided in a concise, transparent, intelligible and easily accessible form, with simple and clear language (recital 58 and art. 12 of the Regulation);

in case of collection of personal data from the interested party, the data controller must provide him, at the moment in which the personal data are obtained, with all the information indicated in art. 13 of the Regulation;

it is then stated that the regulations regarding the protection of personal data do not apply to anonymous data. In this regard, it is also worth specifying that "(...) information that does not refer to an identified or identifiable natural person or to personal data made sufficiently anonymous to prevent or no longer allow the identification of the interested party" is considered anonymous; this also applies to processing carried out for statistical or research purposes (see recital no. 26 of the Regulation). The risk of re-identification of the interested party must, however, be carefully assessed, taking into account "all the means, [...], which the data controller or a third party can reasonably use to identify the said natural person directly or indirectly. To ascertain the reasonable probability of using the means to identify the natural person, consideration should be given to all objective factors, including the costs and time required for identification, taking into account both the technologies available at the time of the processing, and technological developments" (see recital no. 26 of the Regulation and WP29 Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014). An anonymisation process cannot be effectively defined as such if it is not suitable for preventing anyone who uses such data, in combination with "reasonably available" means, from:

1. isolating a person in a group (singling out);

2. linking anonymised data to data relating to a person present in a distinct data set (linkability);

3. deducing new information relating to a person from anonymised data (inference);

with specific reference to the publication of clinical cases, the Code of medical ethics approved by the National Federation of Orders of Surgeons and Dentists in 2014 (as amended in 2016 and 2017) provides that "the doctor ensures the non-identifiable nature of the subjects involved in scientific publications or disclosures of data and clinical studies” (art. 11 - Confidentiality of personal data);

in this regard, the Code of Conduct for the use of health data for educational and scientific publication purposes approved with the Guarantor's provision no. 7 of 14 January 2021 (web doc. no. 9535354), expressly provides that in the event that it is not possible to proceed with the anonymization of the data, the data controller must acquire specific consent, after which the data must in any case be subjected to pseudonymisation.

From the documentation on file, it is noted that:

the Company, on the basis of the provisions mentioned above, in making a 34-second video in which the face of the appellant is recognizable during an aesthetic medicine procedure, aimed at removing physiological imperfections of the interested party, defined in the same video as a “non-surgical rhinoplasty”, processed data on the health of the interested party. In numerous provisions, the Guarantor has clarified that the "sensitive" nature (now "particular" pursuant to art. 9 of the Regulation) of information must also be assessed in relation to the reference context and, therefore, a piece of data can be considered relative to the state of health of the interested party even if no explicit reference is made to the pathology suffered, but only to information related to it (see ex multis: provision of 11 April 2019, web doc. no. 9113830; general provision of 9 November 2005, web doc. no. 1191411; provision dated 27 February 2002, web doc. 1063639; point 2, "Guidelines regarding the processing of personal data, also contained in administrative deeds and documents, carried out for the purposes of publicity and transparency on the web by public entities and other obliged bodies", web doc. no. 3134436);

the Company has disseminated information on the state of health of the complainant in a manner that does not comply with the regulations on the protection of personal data, which provide for an explicit prohibition (art. 2-septies of the Code), through the publication of a video on the social media Instagram, in the public profile “DvoraAncona”, in which he is portrayed during an aesthetic medicine procedure;

according to what has already been noted by the Authority in the aforementioned Code of Conduct, the aforementioned and asserted informative-scientific purposes pursued by the Company through the publication of the aforementioned video should have, if necessary, been pursued through the processing of anonymized data in light of the Opinion 05/2014 of WP29; if it was not possible to proceed with the anonymisation of the data (e.g. due to the peculiarities of the clinical case represented), specific and informed consent would have to be obtained from the interested party, after which the data would still have to be subjected to pseudonymisation;

in any case, the consent acquired from the complainant during the aesthetic medicine treatments which the interested party underwent cannot be considered valid, as it is not explicit, specific or informed regarding the purpose in question (see the aforementioned Code of Conduct for the use of health data for educational and scientific publication purposes). In fact, the information notice used by the controller, in the section entitled "Purpose of the processing", bears only a generic reference "to the publication of articles on social media and magazines", without specifying that data on the health of the interested party would be disclosed on the Company's public Instagram profile "DvoraAncona" without any pseudonymisation;

nor can it be considered - from the video acquired in the proceedings - that the complainant de facto consented to the processing of his data - including health data - for the creation of a film to be published on the aforementioned social profile of the Company. In fact, the so-called "tacit" consent of the interested party cannot be considered validly given, because the Regulation, in identifying the exceptions to the prohibition on the processing of particular categories of data, including health data, provides that they can be processed, among other things, on the basis of the explicit consent of the interested party (art. 9, par. 2, letter a)). Therefore, the fact that the health service the interested party was undergoing was recorded with the knowledge of the interested party does not equate to having acquired from the same an informed, specific and explicit consent regarding the ways in which the data captured in that recording would be processed and, in this case, even disseminated on a social channel;

the Company provided the complainant with an information notice that was not suitable and lacked the essential elements referred to in art. 13 of the Regulation:

Dr. Ancona, who is the legal representative of the company David S.r.l., being erroneously indicated as the data controller instead of the company itself (art. 13, par. 1, letter a) of the Regulation and Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, adopted on 7 July 2021, point 2.1.1);

the purposes of the processing being indicated in a contradictory way, as - at the outset - the interested parties are told that "all personal data and images collected during the interventions of the Dvora medical center will be used for the organization and management of events and conferences, for the advertising of medical instruments and for the publication of articles on social media and magazines" and - further on - that "all processing carried out by the Dvora medical center as controller is aimed solely at the correct carrying out of the activities necessary for the provision of aesthetic medicine treatments or other medical services requested by you";

as all the purposes of the processing are not indicated, in particular that which is the object of dispute and consists in the dissemination of the aforementioned video on the social media Instagram, which in any case is not permitted except within the limits highlighted above (art. 13, par. 1, letter c) of the Regulation);

as the different legal bases of the processing carried out are not indicated (art. 13, par. 1, letter c) of the Regulation);

the consent of the interested party being erroneously foreseen as the legal basis for the processing of data for treatment purposes, no longer provided for by the art. 9 par. 2 lett. h) of the Regulation;

as the right to withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given before the revocation is not indicated, for processing based on this condition of lawfulness (art. 13, par. 2, letter c) ) of the Regulation);

as all third parties who could receive them consistently with the purposes indicated (such as for example the owners of social media platforms) are not indicated among the recipients (art. 13, par. 1, letter e of the Regulation).

3. Conclusions.

In light of the above assessments, taking into account the statements made by the controller during the investigation, and considering that, unless the fact constitutes a more serious offence, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the performance of the tasks or exercise of the powers of the Guarantor"), the elements provided by the data controller in its defence briefs do not allow the findings notified by the Office in the notice initiating the proceeding to be overcome, since none of the cases provided for by art. 11 of Guarantor Regulation no. 1/2019 applies.

For these reasons, the processing of personal data carried out by the Company David S.r.l. is found to be unlawful, in the terms set out in the reasoning, in violation of articles 5, par. 1, letter a), 6, 9, 12 and 13 of the Regulation and art. 2-septies, paragraph 8, of the Code.

4. Corrective measures

Art. 58, par. 2, of the Regulation grants the Guarantor a series of corrective powers, of a prescriptive and sanctioning nature, to be exercised where unlawful processing of personal data is ascertained. Among these powers, art. 58, par. 2, letter d) of the Regulation provides for the power to "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period".

In light of the above assessments, it is deemed necessary to order the Company, pursuant to the aforementioned art. 58, par. 2, letter d) of the Regulation, to adopt the following corrective measures within ninety days of notification of this decision:

revise the document entitled "Information on the processing of personal data pursuant to art. 13 and 14 of EU Regulation 2016/679 for the processing of personal data dedicated to audio, video and photographic recordings":

1. eliminating the irrelevant reference to art. 14 of the Regulation, which applies only where the personal data have not been obtained from the interested party;

2. eliminating the reference to the contact details of the data processor and inserting those of the Data Protection Officer, whom the Company declared to have appointed starting from last May. This is because art. 13, par. 1, letter b) refers to the contact details of the Data Protection Officer, under art. 37 et seq. of the Regulation, a figure quite distinct from the data processor, governed by art. 28 of the Regulation (see also art. 4, point 8) of the Regulation);

3. clarifying in the section entitled "Purpose of processing" that the personal data disseminated will not be health data, taking into account the prohibition on dissemination of this type of data (art. 2-septies, paragraph 8, of the Code), and supplementing this section with an indication of the legal basis of the processing (art. 13, par. 1, letter c) of the Regulation);

4. amending the "obligatory consent" section, which is misleading and contradictory, given that on the one hand it states that "the provision of your data is optional, if not strictly related to the functioning of the activity or the proposed service" and on the other that "lack of consent will not allow the use of the images and/or audiovisual footage of the interested party for the purposes indicated above";

5. correcting the typo in the section "Communications to third parties and publication/dissemination of data", where it is written that: "Within the limits pertinent to the purposes of the processing indicated, personal data, images and audiovisual recordings may (will not) be subject to communication, publication and dissemination […]";

6. supplementing the "Rights of interested parties" section with the right of access to data and the right to withdraw consent, which the interested party may exercise at any time.

In this context, considering that the aforementioned video has been removed from the aforementioned Instagram profile, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5, par. 1, letter a), 6, 9, 12 and 13 of the Regulation and art. 2-septies, paragraph 8, of the Code, resulting from the conduct of the Company David S.r.l., is subject to the pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation and art. 166, paragraph 2, of the Code.

It is noted that the Guarantor, pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other corrective] measures referred to in this paragraph, depending on the circumstances of each individual case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the ancillary administrative sanction of its publication, in full or in extract, on the Guarantor's website pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of Guarantor Regulation no. 1/2019).

The amount of the pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, in light of the elements provided for in art. 83, par. 2, of the Regulation, in relation to which it is noted that:

the processing in question involved the dissemination, for 45 days, on the social network Instagram, of a 34-second video recording of the interested party's face during an aesthetic medicine procedure, information capable of revealing the state of health of a single interested party (art. 83, par. 2, letters a) and g), of the Regulation);

as regards the subjective element, no intentional conduct on the part of the data controller emerges, the violation having occurred in good faith (art. 83, par. 2, letter b) of the Regulation);

at the complainant's request, the data controller acted proactively to remedy the violation, having promptly removed the video from its Instagram profile (art. 83, par. 2, letter c) of the Regulation);

there are no previous relevant violations committed by the data controller, nor have measures pursuant to art. 58 of the Regulation previously been adopted against it (art. 83, par. 2, letter e) of the Regulation);

the Company cooperated fully with the Authority during the investigation and this proceeding, implementing a number of measures aimed at bringing the processing of personal data into compliance with the current regulatory framework on the protection of personal data, although the non-compliance profiles highlighted above (par. 4) persist. In particular, the Company:

organized specific training courses attended by the employees and collaborators involved in data processing and launched a review of all internal procedures, the completion of which will be brought forward, compared with the date previously indicated, to the end of the current year;

appointed, with effect from 1 May 2023, an "external DPO and subject matter expert";

already before receiving the communication regarding the start of the sanctioning procedure by the Office, amended the "documents with which consent to the processing of patient data is requested, adopting specific provisions on the use of health data for the purposes of presentations, publications or scientific disclosures, including on social media" (art. 83, par. 2, letter f) of the Regulation).

On the basis of the above elements, assessed as a whole, it is considered necessary to set the amount of the pecuniary sanction provided for by art. 83, par. 5, letters a) and b), of the Regulation at EUR 8,000 (eight thousand) for the violation of articles 5, par. 1, letter a), 6, 9, 12 and 13 of the Regulation and art. 2-septies, paragraph 8, of the Code, a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also considered that the ancillary sanction of publication of this decision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of Guarantor Regulation no. 1/2019, should be applied, also in consideration of the type of personal data subject to the unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Guarantor Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

IN VIEW OF THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Company David S.r.l., in violation of articles 5, par. 1, letter a), 6, 9, 12 and 13 of the Regulation and art. 2-septies, paragraph 8, of the Code, in the terms set out in the reasoning.

ENJOINS

pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, the company David S.r.l., with registered office in Milan, Via Paolo Lomazzo 19, tax code 06835980969, in the person of its legal representative pro tempore, to pay the sum of EUR 8,000 (eight thousand) as a pecuniary administrative sanction for the violations indicated in this decision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, may settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ORDERS

the aforementioned Company, should the dispute not be settled pursuant to art. 166, paragraph 8, of the Code, to pay the sum of EUR 8,000 (eight thousand) in the manner indicated in the annex, within 30 days of notification of this decision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of Law no. 689/1981;

pursuant to art. 58, par. 2, letter d), of the Regulation, to bring the processing into compliance with the provisions of the Regulation by adopting, within ninety days of notification of this decision, the corrective measure of revising the document entitled "Information on the processing of personal data pursuant to art. 13 and 14 of EU Regulation 2016/679 for the processing of personal data dedicated to audio, video and photographic recordings":

1. eliminating the irrelevant reference to art. 14 of the Regulation, which applies only where the personal data have not been obtained from the interested party;

2. eliminating the reference to the contact details of the data processor and inserting those of the Data Protection Officer, whom the Company declared to have appointed starting from last May. This is because art. 13, par. 1, letter b) refers to the contact details of the Data Protection Officer, under art. 37 et seq. of the Regulation, a figure quite distinct from the data processor, governed by art. 28 of the Regulation (see also art. 4, point 8) of the Regulation);

3. clarifying in the section entitled "Purpose of processing" that the personal data disseminated will not be health data, taking into account the prohibition on dissemination of this type of data (art. 2-septies, paragraph 8, of the Code), and supplementing this section with an indication of the legal basis of the processing (art. 13, par. 1, letter c) of the Regulation);

4. amending the "obligatory consent" section, which is misleading and contradictory, given that on the one hand it states that "the provision of your data is optional, if not strictly related to the functioning of the activity or the proposed service" and on the other that "lack of consent will not allow the use of the images and/or audiovisual footage of the interested party for the purposes indicated above";

5. correcting the typo in the section "Communications to third parties and publication/dissemination of data", where it is written that: "Within the limits pertinent to the purposes of the processing indicated, personal data, images and audiovisual recordings may (will not) be subject to communication, publication and dissemination […]";

6. supplementing the "Rights of interested parties" section with the right of access to data and the right to withdraw consent, which the interested party may exercise at any time.

Failure to comply with an order made pursuant to art. 58, par. 2, of the Regulation is punishable by the administrative sanction referred to in art. 83, par. 6, of the Regulation;

pursuant to art. 58, par. 1, letter a), of the Regulation and art. 157 of the Code, to report the initiatives undertaken to implement what is prescribed in the aforementioned par. 6 and to provide adequately documented feedback no later than 20 days from the expiry of the deadline indicated above. Failure to respond to a request made pursuant to art. 157 of the Code is punishable by an administrative sanction, pursuant to the combined provisions of art. 83, par. 5, of the Regulation and art. 166 of the Code.

ORDERS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this decision on the Guarantor's website and the annotation of this decision in the Authority's internal register, provided for by art. 57, par. 1, letter u), of the Regulation, of violations and measures adopted in accordance with art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, this decision may be challenged before the ordinary judicial authority, on pain of inadmissibility, within thirty days of its communication or within sixty days if the appellant resides abroad.

Rome, 11 January 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE GENERAL SECRETARY
Mattei

SEE ALSO: Newsletter of February 14, 2024



[doc. web no. 9983210]

Provision of 11 January 2024

Register of measures
n. 10 of 11 January 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia, member, and Councillor Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, containing the "Code regarding the protection of personal data" (hereinafter "Code");

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution of the Guarantor no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and at www.gpdp.it, web doc. no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

HAVING EXAMINED the documentation on file;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of Guarantor Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, at www.gpdp.it, web doc. no. 1098801;

RAPPORTEUR Prof. Ginevra Cerrina Feroni;

PREMISE

1. The preliminary investigation activity.

In March 2023, this Authority received a complaint concerning the dissemination, on the social network Instagram, in the public profile "DvoraAncona" of the company David S.r.l. (Dvora Aesthetic Center), of a video in which the complainant was filmed during an aesthetic medicine procedure (non-surgical rhinoplasty) carried out by Dr. Ancona, legal representative of the company David S.r.l., to which the Dvora Beauty Center belongs (hereinafter the "Company").

According to the complainant, this dissemination occurred in the absence of a valid legal basis, since the information notice provided and the consent form signed by the interested party did not comply with personal data protection rules.

In support of the complaint, the complainant produced the documentation relating to the aforementioned video, which was subsequently removed from the aforementioned social network at the complainant's own request.

In relation to the aforementioned complaint, the Office opened a preliminary investigation and requested information from the Company (note dated 13 April 2023, protocol no. 61380), which, with a note dated 12 May 2023, in response to the aforementioned request for information, stated, in particular, that:

"on the occasion of, and prior to, the treatments to which the (...) [complainant] was subjected by the exponent, the (...) [complainant] signed and issued a document with which he expressed his free and unconditional consent to the processing of his data";

"the consent issued by the (…) [complainant] contained the express warning and clear provision that the data and images acquired during the treatments would also be used for publication on social networks for informative/scientific/advertising purposes, as per art. 1 of the aforementioned information notice signed by the interested party";

the aforementioned consent "is therefore specific and authorizes the publication of data and images on social networks, and was validly granted (also in written form)";

"as per the footage [sent by registered mail and acquired in the proceedings], during the filming it was expressly represented [to the complainant] that, in accordance with the consent given, the treatment would be filmed live and broadcast as a so-called live story on Instagram, as can be seen from the fact that two video recording lamps were installed and clearly visible during the treatment, that the filming was carried out manually via mobile phones in front of witnesses and that the exponent openly and explicitly greeted the Instagram users connected live. The [complainant], perfectly aware of what was happening and of the processing being carried out at that moment on his personal data, expressed (tacit) consent or, in any case, raised no objection";

with his behaviour, the interested party at least induced the exponent to believe that he had consented "to the particular type of processing of his personal data";

"the treatment to which the [complainant] was subjected was carried out in 2 sessions lasting over half an hour each; the video recordings included in the published video [...] amount in total to only 34 seconds, that is to say, only data that were adequate and actually needed to achieve the declared purposes of the processing (i.e. the publication on social networks of an article, which in the language of social media is called a "post", about the effects of the treatment) were processed, and limited to what was strictly necessary";

during the filming "the subject was lying down with his beard and hair pulled back [...] and a good part of the small visible portion of the face remained covered by the exponent's hands and equipment [...]; it is therefore believed that the filming conditions were such as to guarantee that the person involved was not identifiable";

"at the simple request of the interested party, the video was promptly removed from the [only] social network [Instagram, on which it had been published]. [...] the personal data were not disclosed through other channels" and the video "is not accessible in any way, not even following a specific search";

"the only device on which the video was stored was that of the exponent, with which it was created (in addition to a backup copy, in the exclusive availability of the exponent)";

this being said, given the valid consent freely expressed by the interested party and given that "social networks constitute, to date, the primary tool for disseminating information, including scientific information, so much so that according to a report by the European Commission, the so-called Eurobarometer 2021, in European countries 29% of the population keeps informed about science and technology through new digital media including social networks. In this context, social media offer themselves to scientists and academics as a means of developing both their professional profile and their public communication activities, with the promise of amplifying the content of their research and extending the pool of users involved in conversations about science and technology [...] it is believed that the representative believed in good faith that it had received valid and express consent from the interested party to the processing of the data and to their publication";

in order to address the findings expressed by the Authority, the Company also stated that it had undertaken a process of verifying the compliance of the processing carried out with personal data protection rules by implementing specific actions; in particular, it declared that it had:

• organized specific training courses attended by the employees and collaborators involved in data processing and started a review of all internal procedures, the completion of which will be brought forward, compared with the date previously indicated, to the end of the current year;

• appointed, starting from 1 May 2023, an "external DPO and subject matter expert";

• already before receiving the communication regarding the start of this procedure, amended the "documents with which consent to the processing of patient data is requested, adopting specific provisions on the use of health data for the purposes of presentations, publications or scientific disclosures, including on social media";

• arranged for further verification by a "third-party specialized company, with respect to the drafters of these new templates [...] (second opinion), of the compliance of this documentation with the applicable rules, also conforming to the indications that will apply in this area taking into account the adoption of the code of conduct for the use of data for educational purposes and scientific publications […]";

• planned, with the help of the appointed DPO, a further "reworking of the forms for expressing informed consent and consent to data processing, with specific indications regarding the publication of photos and videos on social networks (with express mention of Instagram and others)";

• been evaluating the "adoption of specific verification and modification tools which automatically make the subjects undergoing the processing non-identifiable (anonymisation/pseudonymisation), subject in any case to verification that all the authorizations required by sector regulations have been provided by the interested parties".

In relation to what emerged from the documentation on file, the Office notified the aforementioned Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, inviting the aforementioned controller to submit defence briefs or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24/11/1981) (note of 16 June 2023, protocol no. 94136).

In that act, the Office found that the Company had processed personal data in a manner not compliant with the principles of "lawfulness, fairness and transparency", in violation of articles 5, par. 1, letter a), 12 and 13 of the Regulation, and in the absence of a suitable legal basis, in violation of art. 2-septies, paragraph 8, of the Code and articles 6 and 9 of the Regulation.

By note dated 14 July 2023, the Company submitted its defence briefs, without requesting to be heard.

In particular, the Company, referring in full to the content of the written defence produced in response to the aforementioned request for information from the Office, stated that:

"what was performed on the complainant was a mere aesthetic treatment, in particular the treatment of enlarged pores on the nose; it has therefore not been clarified what information relating to the complainant's state of health would have been disseminated. In other words, the present proceeding takes for granted a logical premise that is in fact not at all obvious: namely that health data were processed. However, this appears not to be the case, given that the possible presence of dilated pores (which affects 100% of the world population) in itself reveals nothing about the subject's health";

"the processing in question of the [complainant's] data took place on the basis of a written and express consent which the representative, entirely in good faith, considered perfectly valid, said consent also mentioning social networks and therefore the tool on which the footage was (for a very short time) published";

"has taken good note of the observations of this excellent Authority, with which it is already complying", producing specific documentation in this regard, including a statement on the elements referred to in art. 83, par. 2, of the Regulation, acquired in the proceedings.

With specific reference to this last document, the Company represented that:

"The alleged violation involved a single person: the complainant; the representative, David S.r.l., acted believing it had written and verbal consent; the time during which the complainant is recognizable is limited to seconds 0:24 to 0:25, his face being always covered by Dr. Ancona's hands in order to carry out the service; the time the video remained on social media was limited to 45 days, with very few views; only a few minutes passed between the complainant's request for deletion and the actual deletion; the subject was not tagged (no reference of the image to his specific person and/or his social account)";

"the representative, David S.r.l., acted in the full belief that the subject was aware of and consented to the filming and dissemination of the treatment on Instagram. Both to the exponent and to the bystanders (1 medical assistant present and 2 people who prepared the video) this seemed clear, and indeed they believed, entirely in good faith, that the subject was pleased about it";

"upon simple request and without raising any objection, even though it considered that it had acted correctly, the exponent immediately proceeded with the definitive deletion of the video from Instagram";

"the representative had already provided specific training to its staff on the correct processing of personal data; furthermore, following the event the representative reformulated all the consent forms and provided new training to the staff";

"Full collaboration. In any case, there was no need, given that the video has been removed and is not available in any way";

"the processed data do not reveal any state of health. All that can be deduced is that the subject underwent an aesthetic treatment for dilated pores on the nose";

"[…] it was a single violation; the cost of the procedure was EUR 350.00 (three hundred and fifty); David S.r.l. is a small aesthetic medicine company, which nonetheless is implementing quality certification systems, including for correct data management".

2. Outcome of the preliminary investigation.

Having taken note of what is represented by the Company in the documentation in the documents and in the defense briefs, it is noted that:

pursuant to the Regulation, "personal data" means "any information relating to an identified or identifiable natural person ("data subject")". Furthermore, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characteristic of his physical, physiological, genetic, mental, economic, cultural or social identity" (art. 4, no. 1 of the Regulation) and "health data" is considered to be personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information relating to your state of health (art. 4, par. 1, no. 15, of the Regulation). Recital no. 35 of the Regulation then specifies that data relating to health "include information on the natural person collected during his registration for the purpose of receiving health care services";

pursuant to the Regulation, personal data must be "processed in a lawful, correct and transparent manner towards the interested party ("lawfulness, correctness and transparency")" and must be collected for specific, explicit and legitimate purposes, and subsequently processed in a manner that is not incompatible with these purposes ("purpose limitation principle") (art. 5, par. 1, letter a), and b) of the Regulation);

with specific reference to particular categories of data, including health data, art. 9 of the Regulation establishes a general prohibition on the processing of such data unless one of the specific exemptions referred to in paragraph 2 occurs;

in this regard, the Guarantor has repeatedly highlighted that with the full application of the Regulation, unlike in the past, the healthcare professional, subject to professional secrecy, must no longer request the patient's consent for the treatments necessary for the healthcare service requested by the interested party, regardless of whether you work as a freelancer (in a medical practice) or within a public or private healthcare facility (see provision "Clarifications on the application of the regulations for the processing of health-related data in the healthcare sector" of 7 March 2019, web doc. no. 9091942);

in cases where the processing is not strictly necessary for treatment purposes and the legal basis is represented by the consent of the interested party, taking into account the nature of such data, which is particularly sensitive in terms of fundamental rights and freedoms, such consent must be provided through a positive act with which the interested party expresses a free, specific, informed and unequivocal will relating to the processing of personal data concerning him (art. 9, par. 2 letter a) of the Regulation and par. 4 of Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679, adopted by the European Data Protection Committee on 4 May 2020). This consent, taking into account the nature of such data, which is particularly sensitive in terms of fundamental rights and freedoms, cannot in fact be tacit, but must be explicit (art. 9, par. 2 letter a) of the Regulation and par . 4 of Guidelines 5/2020 on consent pursuant to Regulation (EU) 2016/679, adopted by the European Data Protection Committee on 4 May 2020);

it is also noted that the Regulation gives Member States the power to introduce further conditions, including limitations, with regard to the processing of genetic, biometric or health-related data (art. 9, par. 4 of the Regulation). The national legislator has implemented these provisions, as far as is relevant here, through art. 2-septies of the Code, which provides that information on the state of health cannot be disseminated (see also art. 166, paragraph 2, of the Code), can be communicated to the interested party and can be communicated to third parties only on the basis of a suitable legal basis or upon indication of the interested party following the latter's written authorisation (art. 9 of the Regulation);

the Authority, since 2014, in compliance with art. 22, paragraph 8, of the Code in force at the time, has represented that "the publication of any information from which the state of illness or the existence of pathologies of the interested parties can be deduced, including any reference to conditions of invalidity, disability or physical and/or mental handicap, is prohibited. For this purpose, starting from the drafting stage of the deeds and documents subject to publication, in compliance with the principle of adequate motivation, no "excessive", "irrelevant" or "non-essential" (and, even less so, "prohibited") data should be reported. Otherwise, it is necessary, in any case, to provide for the relevant redaction" (see Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purposes of publicity and transparency on the web by public entities and other obliged bodies, part II, par. 1, dated 15.5.2014, web doc. no. 3488002);

the principles of transparency and correctness imply that the interested party is informed of the existence of the processing and its purposes, and that personal data are processed after providing the interested parties with the information referred to in art. 13 of the Regulation (recital no. 60 and art. 5, par. 1, letter a) of the Regulation). The information must be provided in a concise, transparent, intelligible and easily accessible form, in simple and clear language (recital no. 58 and art. 12 of the Regulation);

where personal data are collected from the interested party, the data controller must provide him, at the moment in which the personal data are obtained, with all the information indicated in art. 13 of the Regulation;

it is then noted that the regulations on the protection of personal data do not apply to anonymous data. In this regard, it is worth specifying that "(...) information that does not refer to an identified or identifiable natural person or to personal data made sufficiently anonymous to prevent or no longer allow the identification of the interested party" is considered anonymous, and this also applies to processing carried out for statistical or research purposes (see recital no. 26 of the Regulation). The risk of re-identification of the interested party must, however, be carefully assessed taking into account "all the means, [...], which the data controller or a third party can reasonably use to identify the said natural person directly or indirectly. To ascertain the reasonable probability of using the means to identify the natural person, consideration should be given to all objective factors, including the costs and time required for identification, taking into account both the technologies available at the time of the processing and technological developments" (see recital no. 26 of the Regulation and WP29 Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014). An anonymisation process cannot properly be defined as such unless it prevents anyone who uses such data, in combination with "reasonably available" means, from:

1. isolate a person in a group (single-out);

2. link anonymized data to data relating to a person present in a distinct data set (linkability);

3. deduce new information relating to a person from anonymized data (inference);
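The three WP29 criteria just listed can be turned into concrete checks on a dataset before it is published. The following is an added example, not part of the Garante's decision and not code from any project: it runs a single-out, linkability and inference check over a constructed table of de-identified clinical cases and a constructed "public" table standing in for what a social-media post might reveal. The column names, the records, the auxiliary table and the k threshold are all assumptions made for illustration.

```python
"""Single-out / linkability / inference checks (WP29 Opinion 05/2014) over a
constructed, de-identified clinical-case table.

Added example; not part of the Garante decision and not code from any project.
All records, column names and thresholds are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample: a clinic's case table with names removed.
# Quasi-identifiers are columns an outsider could plausibly know about a
# person; 'finding' is the sensitive (health) attribute.
CASES: List[Record] = [
    {"id": "c1", "age_band": "30-39", "city": "Milan", "procedure": "non-surgical rhinoplasty", "finding": "enlarged pores"},
    {"id": "c2", "age_band": "30-39", "city": "Milan", "procedure": "non-surgical rhinoplasty", "finding": "enlarged pores"},
    {"id": "c3", "age_band": "40-49", "city": "Milan", "procedure": "filler", "finding": "acne scarring"},
    {"id": "c4", "age_band": "40-49", "city": "Milan", "procedure": "filler", "finding": "rosacea"},
    {"id": "c5", "age_band": "50-59", "city": "Rome", "procedure": "laser", "finding": "melasma"},
]

# Constructed auxiliary table: what a public post might already disclose
# (initials tagged in a video, the city, the treatment shown).
PUBLIC_POSTS: List[Record] = [
    {"name": "M.R.", "age_band": "50-59", "city": "Rome", "procedure": "laser"},
    {"name": "L.B.", "age_band": "30-39", "city": "Milan", "procedure": "non-surgical rhinoplasty"},
]

QUASI_IDS = ("age_band", "city", "procedure")
SENSITIVE = "finding"


def _key(rec: Record, cols: Sequence[str]) -> Tuple[str, ...]:
    return tuple(rec[c] for c in cols)


def group_by_quasi_ids(records: List[Record], cols: Sequence[str]):
    """Bucket records by their quasi-identifier combination."""
    groups = defaultdict(list)
    for r in records:
        groups[_key(r, cols)].append(r)
    return groups


def singled_out(records: List[Record], cols: Sequence[str], k: int = 2) -> List[str]:
    """Single-out risk: ids of records whose quasi-identifier combination is
    shared by fewer than k records (k-anonymity violated)."""
    groups = group_by_quasi_ids(records, cols)
    return sorted(r["id"] for g in groups.values() if len(g) < k for r in g)


def linkable(records: List[Record], aux: List[Record], cols: Sequence[str]) -> List[Tuple[str, str]]:
    """Linkability risk: an auxiliary row whose quasi-identifiers match exactly
    one record re-identifies it. Returns (auxiliary name, record id) pairs."""
    groups = group_by_quasi_ids(records, cols)
    links = []
    for a in aux:
        matched = groups.get(_key(a, cols), [])
        if len(matched) == 1:
            links.append((a["name"], matched[0]["id"]))
    return links


def inferable(records: List[Record], cols: Sequence[str], sensitive: str) -> Dict[Tuple[str, ...], str]:
    """Inference risk: a quasi-identifier group whose members all share one
    sensitive value reveals that value to anyone who can place a person in the
    group, even without singling the person out. Groups of one are already
    reported by singled_out() and are skipped here."""
    groups = group_by_quasi_ids(records, cols)
    leaks = {}
    for key, g in groups.items():
        values = {r[sensitive] for r in g}
        if len(g) > 1 and len(values) == 1:
            leaks[key] = values.pop()
    return leaks


def assess(records: List[Record], aux: List[Record], cols: Sequence[str], sensitive: str) -> Dict[str, object]:
    """Run all three checks; an empty result for each is the release condition."""
    return {
        "single_out": singled_out(records, cols),
        "linkability": linkable(records, aux, cols),
        "inference": inferable(records, cols, sensitive),
    }


if __name__ == "__main__":
    for name, result in assess(CASES, PUBLIC_POSTS, QUASI_IDS, SENSITIVE).items():
        print(name, result)
```

On the constructed data, record c5 is singled out (its combination is unique), the public post by "M.R." links to c5, and the two non-surgical rhinoplasty cases leak their finding by inference even though neither is individually identifiable. A release should only proceed when all three results are empty; otherwise the quasi-identifiers need coarser generalisation or the affected records need suppression.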

with specific reference to the publication of clinical cases, the Code of Medical Ethics approved by the National Federation of Orders of Surgeons and Dentists in 2014 (as amended in 2016 and 2017) provides that "the doctor ensures the non-identifiability of the subjects involved in scientific publications or disclosures of data and clinical studies" (art. 11 - Confidentiality of personal data);

in this regard, the Code of Conduct for the use of health data for educational and scientific publication purposes approved with the Guarantor's provision no. 7 of 14 January 2021 (web doc. no. 9535354), expressly provides that in the event that it is not possible to proceed with the anonymization of the data, the data controller must acquire specific consent, after which the data must in any case be subjected to pseudonymisation.

From the documentation produced in the documents, it is noted that:

the Company, in light of the provisions mentioned above, in making a 34-second video in which the face of the complainant is recognisable during an aesthetic medicine procedure aimed at removing physiological imperfections of the interested party, described in the video itself as a "non-surgical rhinoplasty", processed data on the health of the interested party. In numerous provisions, the Guarantor has clarified that the "sensitive" nature (now "particular" pursuant to art. 9 of the Regulation) of information must also be assessed in relation to the reference context and, therefore, a piece of data can be considered relative to the state of health of the interested party even if no explicit reference is made to the pathology suffered, but only to information related to it (see ex multis: provision of 11 April 2019, web doc. no. 9113830; general provision of 9 November 2005, web doc. no. 1191411; provision of 27 February 2002, web doc. no. 1063639; point 2, "Guidelines regarding the processing of personal data, also contained in administrative deeds and documents, carried out for the purposes of publicity and transparency on the web by public entities and other obliged bodies", web doc. no. 3134436);

has disseminated information on the state of health of the complainant in a manner that does not comply with the regulations on the protection of personal data, which provide for an explicit prohibition (art. 2-septies of the Code), through the publication of a video on the social media Instagram, in the public profile "DvoraAncona", in which he is portrayed during an aesthetic medicine procedure;

according to what has already been noted by the Authority in the aforementioned Code of Conduct, the aforementioned and asserted informative-scientific purposes pursued by the Company through the publication of the aforementioned video should have, if necessary, been pursued through the processing of anonymized data in light of the Opinion 05/2014 of WP29; if it was not possible to proceed with the anonymisation of the data (e.g. due to the peculiarities of the clinical case represented), specific and informed consent would have to be obtained from the interested party, after which the data would still have to be subjected to pseudonymisation;

in any case, the consent acquired from the complainant during the aesthetic medicine treatments he underwent cannot be considered valid, as it is not explicit, not specific and not informed regarding the purpose in question (see the aforementioned Code of Conduct for the use of health data for educational and scientific publication purposes). In fact, the information notice used by the controller, in the section entitled "Purpose of the processing", makes only a generic reference "to the publication of articles on social media and magazines", without specifying that data on the health of the interested party would be disclosed on the Company's public Instagram profile "DvoraAncona" without any pseudonymisation;

nor can it be considered, from the video acquired in the proceedings, that the complainant de facto consented to the processing of his data, including health data, for the creation of a film to be published on the aforementioned social profile of the Company. In fact, the so-called "tacit" consent of the interested party cannot be considered validly given, because the Regulation, in identifying the exceptions to the prohibition on the processing of particular categories of data, including health data, provides that they can be processed, among other things, on the basis of the explicit consent of the interested party (art. 9, par. 2, letter a)). Therefore, the fact that the health service the interested party was undergoing was recorded with his knowledge does not equate to having acquired from him an informed, specific and explicit consent regarding the ways in which the data captured in the same recording would be processed and, in this case, even disseminated on a social channel;

the Company provided the complainant with an information notice that was not suitable and lacked the essential elements referred to in art. 13 of the Regulation:

Dr. Ancona, rather than the company David S.r.l. of which Dr. Ancona is the legal representative, being erroneously indicated as the data controller (art. 13, par. 1, letter a) of the Regulation and Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, adopted on 7 July 2021, point 2.1.1);

the purposes of the processing being indicated in a contradictory way, as, at the outset, interested parties are told that "all personal data and images collected during the interventions of the Dvora medical center will be used for the organization and management of the events and of conferences for the advertising of medical instruments and for the publication of articles on social media, magazines" and, further on, that "all treatments carried out by the Dvora medical center as owner are aimed solely at the correct carrying out of the activities necessary for the provision of aesthetic medicine treatments or other medical services requested by you";

as not all the purposes of the processing are indicated, in particular the one in dispute, consisting in the dissemination of the aforementioned video on the social media Instagram, which in any case is not permitted except within the limits highlighted above (art. 13, par. 1, letter c) of the Regulation);

as the different legal bases of the processing carried out are not indicated (art. 13, par. 1, letter c) of the Regulation);

as the consent of the interested party is erroneously indicated as the legal basis for the processing of data for treatment purposes, which is no longer provided for by art. 9, par. 2, letter h) of the Regulation;

as, for processing based on consent, the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal, is not indicated (art. 13, par. 2, letter c) of the Regulation);

as the third parties who could receive the data consistently with the purposes indicated (such as, for example, the operators of social media platforms) are not indicated among the recipients (art. 13, par. 1, letter e) of the Regulation).

3. Conclusions.

In light of the assessments mentioned above, taking into account the declarations made by the controller during the investigation (and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), the elements provided by the data controller in the defence briefs do not allow the findings notified by the Office with the deed initiating the procedure to be overcome, since none of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 applies.

For these reasons, the unlawfulness of the processing of personal data carried out by the Company David S.r.l. is noted, in the terms set out in the motivation, in violation of articles 5, par. 1, letter a), 6, 9, 12 and 13 of the Regulation and 2-septies, paragraph 8, of the Code.

4. Corrective measures

Art. 58, par. 2, of the Regulation grants the Guarantor a series of corrective powers, of a prescriptive and sanctioning nature, to be exercised in the event that unlawful processing of personal data is ascertained. Among these powers, art. 58, par. 2, letter d) of the Regulation provides for the power to "order the data controller or data processor to conform the processing to the provisions of this regulation, if appropriate, in a specific manner and within a specific deadline".

In light of the assessments mentioned above, it is deemed necessary to order the Company, pursuant to the aforementioned art. 58, par. 2, letter d) of the Regulation, to adopt the following corrective measures within ninety days of notification of this provision:

revise the document called “Information on the processing of personal data pursuant to art. 13 and 14 of EU Regulation 2016/679 for the processing of personal data dedicated to audio, video and photographic recordings":

1. eliminating the irrelevant reference to the art. 14 of the Regulation, which applies only in the event that the personal data are not obtained from the interested party;

2. eliminating the reference to the contact details of the data processor and inserting those of the Data Protection Officer, whom the Company declared to have appointed starting from last May. This is because art. 13, par. 1, letter b) refers to the contact details of the Data Protection Officer, pursuant to art. 37 et seq. of the Regulation, a very different figure from the data processor governed by art. 28 of the Regulation (see also art. 4, point 8) of the Regulation);

3. clarifying in the section called "Purpose of processing" that the personal data being disseminated will not be health data, taking into account the prohibition on dissemination of this type of data (art. 2-septies, paragraph 8 of the Code) and integrating this section with the indication of the legal basis of the processing (art. 13, par. 1, letter c) of the Regulation);

4. modifying the "obligatory consent" section as it is misleading and contradictory considering that on the one hand it is indicated that "the provision of your data is optional, if not strictly related to the functioning of the activity or the proposed service" and on the other that “lack of consent will not allow the use of the images and/or audiovisual footage of the interested party for the purposes indicated above”;

5. correcting the typo in the section "Communications to third parties and publication/dissemination of data", where it is written that: "Within the limits pertinent to the purposes of the processing indicated, personal data, images and audiovisual recordings may (will not) be subject to communication, publication and dissemination [...]";

6. integrating the "Rights of interested parties" section with the right of access to data and the right to withdraw the consent given by the interested party, which can be exercised at any time.

In this context, considering that the aforementioned video has been removed from the aforementioned Instagram profile, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5, par. 1, letter a), 6, 9, 12 and 13 of the Regulation and 2-septies, paragraph 8, of the Code, caused by the conduct of the Company David S.r.l., is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation and art. 166, paragraph 2, of the Code.

It is noted that the Guarantor, pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The amount of the aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1 of the Regulation, in light of the elements provided for in art. 85, par. 2, of the Regulation, in relation to which it is noted that:

the processing carried out involved the dissemination for 45 days on the social network Instagram of a video recording lasting 34 seconds of the interested party's face during an aesthetic medicine procedure, information suitable for detecting the state of health of a single interested party (art. 83, par. 2, letters a) and g), of the Regulation);

from the point of view of the subjective element, an intentional attitude on the part of the data controller does not emerge as the violation occurred in good faith (art. 83, par. 2, letter b) of the Regulation);

at the request of the complainant, the data controller acted proactively to remedy the violation, having promptly removed the video from its Instagram profile (art. 83, par. 2, letter c) of the Regulation);

there are no previous relevant violations committed by the data controller, nor have measures pursuant to art. 58 of the Regulation been adopted against it (art. 83, par. 2, letter e) of the Regulation);

the Company collaborated fully with the Authority during the investigation and this proceeding by implementing some measures aimed at bringing the processing of personal data into compliance with the current regulatory framework on the protection of personal data, although the non-compliance profiles highlighted above (par. 4) persist. In particular, the Company:

organised specific training courses attended by employees and collaborators involved in data processing, and launched a review of all internal procedures, the completion of which will be brought forward from the previously indicated date at the end of the current year;

has appointed, with effect from 1 May 2023, an "external DPO and subject matter expert";

already before receiving the Office's communication regarding the start of the sanctioning procedure, modified the "documents with which consent to the processing of patient data is requested, adopting specific provisions on the use of health data for the purposes of presentations, publications or scientific disclosures, including on social media" (art. 83, par. 2, letter f) of the Regulation).

Based on the aforementioned elements, evaluated as a whole, it is considered necessary to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, letters a) and b), of the Regulation at 8,000 (eight thousand) euros for the violation of articles 5, par. 1, letter a), 6, 9, 12, 13 of the Regulation and 2-septies, paragraph 8, of the Code, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also considered that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should be applied, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THIS BEING CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Company David S.r.l. for the violation of articles 5, par. 1, letter a), 6, 9, 12, 13 of the Regulation and 2-septies, paragraph 8, of the Code, within the terms set out in the motivation;

ORDERS

pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, the company David S.r.l., with headquarters in Milan, Via Paolo Lomazzo 19, C.F. 06835980969, in the person of its legal representative pro tempore, to pay the sum of 8,000 (eight thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 8,000 (eight thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement acts in accordance with art. 27 of law no. 689/1981;

pursuant to art. 58, par. 2, letter d), of the Regulation, to conform the processing to the provisions of the Regulation, adopting within ninety days of notification of this provision the corrective measure of revising the document called "Information on the processing of personal data pursuant to art. 13 and 14 of EU Regulation 2016/679 for the processing of personal data dedicated to audio, video and photographic recordings":

1. eliminating the irrelevant reference to the art. 14 of the Regulation, which applies only in the event that the personal data are not obtained from the interested party;

2. eliminating the reference to the contact details of the data processor and inserting those of the Data Protection Officer, whom the Company declared to have appointed starting from last May. This is because art. 13, par. 1, letter b) refers to the contact details of the Data Protection Officer, pursuant to art. 37 et seq. of the Regulation, a very different figure from the data processor governed by art. 28 of the Regulation (see also art. 4, point 8) of the Regulation);

3. clarifying in the section called "Purpose of processing" that the personal data being disseminated will not be health data, taking into account the prohibition on dissemination of this type of data (art. 2-septies, paragraph 8 of the Code) and integrating this section with the indication of the legal basis of the processing (art. 13, par. 1, letter c) of the Regulation);

4. modifying the "obligatory consent" section as it is misleading and contradictory considering that on the one hand it is indicated that "the provision of your data is optional, if not strictly related to the functioning of the activity or the proposed service" and on the other that “lack of consent will not allow the use of the images and/or audiovisual footage of the interested party for the purposes indicated above”;

5. correcting the typo in the section "Communications to third parties and publication/dissemination of data", where it is written that: "Within the limits pertinent to the purposes of the processing indicated, personal data, images and audiovisual recordings may (will not) be subject to communication, publication and dissemination [...]";

6. integrating the "Rights of interested parties" section with the right of access to data and the right to withdraw the consent given by the interested party, which can be exercised at any time.

Failure to comply with an order formulated pursuant to art. 58, par. 2, of the Regulation is punished with the administrative sanction referred to in art. 83, par. 6, of the Regulation;

pursuant to art. 58, par. 1, letter a), of the Regulation and art. 157 of the Code, to communicate what initiatives have been undertaken in order to implement what is prescribed in the aforementioned par. 6, and to provide adequately documented feedback no later than 20 days from the expiry of the deadline indicated above. Failure to respond to a request made pursuant to art. 157 of the Code is punished with an administrative sanction, pursuant to the combined provisions of art. 83, par. 5 of the Regulation and art. 166 of the Code.

DIRECTS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website and the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, of violations and measures adopted in compliance with art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 11 January 2024

PRESIDENT
Stanzione

THE SPEAKER
Cerrina Feroni

THE GENERAL SECRETARY
Mattei