Garante per la protezione dei dati personali (Italy) - 9994597

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 13(1)(b) GDPR
Article 37(1)(a) GDPR
Article 37(7) GDPR
Article 58(2) GDPR
Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.02.2024
Published: 08.02.2024
Fine: 6,000 EUR
Parties: Territorial Agency of the Puglia Region for the waste management service (AGER)
National Case Number/Name: 9994597
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: Mgrd

The Garante fined an agency 6,000 EUR for failing to designate its DPO in a timely manner, to inform data subjects of the DPO's contact details and to communicate those details to the DPA, in violation of Article 13(1)(b) and Article 37(1)(a) GDPR.

English Summary

Facts

The Garante received a complaint from an employee of the Territorial Agency of the Puglia Region for Waste Management (AGER) alleging that her performance evaluation sheet for 2019 had mistakenly been recorded as a non-confidential document, making it accessible to individuals who were authorized to use the Agency's protocol system but were not directly involved in the matter.

The data subject also highlighted the lack of adequate information or consultation regarding data processing policies by the Agency's DPO.

The data controller acknowledged that the evaluation sheet was mistakenly filed as “ordinary” instead of “confidential.” However, it provided system logs showing that only individuals directly involved in the process accessed the document.

Holding

The Garante considered that the data controller's mistake in filing the document as "ordinary" instead of "confidential" amounted to a failure to implement sufficient organizational measures to prevent such risks, even though the system logs showed that only individuals directly involved in the process had accessed the document.

The agency appointed its DPO in 2020, significantly later than the May 25, 2018, deadline set by GDPR. This delay constituted a violation of Article 37 GDPR.

Also, Garante highlighted that the data controller failed to timely publish or communicate the DPO's contact details, violating Article 13 and Article 37 GDPR. The data controller cited organizational challenges and difficulties stemming from the COVID-19 pandemic as contributing factors.

For these reasons, the Garante fined the data controller 6,000 EUR for not having designated the DPO in a timely manner, nor informed the data subjects of the DPO's contact details, nor communicated those details to the DPA.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. n. 9994597]

Provision of 8 February 2024

Register of provisions
n. 61 of 8 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY'S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Deputy Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur: lawyer Guido Scorza;

WHEREAS

1. Introduction.

With a complaint submitted pursuant to art. 77 of the Regulation, Ms. XX, an employee of the Territorial Agency of the Puglia Region for the waste management service (AGER – hereinafter, the “Agency”), complained that “on […] XX [she was] notified by email from the sender protocollo@pec.ager.puglia.it […] on [her] [institutional] mailbox, the evaluation sheet for the year 2019” and that this outgoing note would have been acquired by the Agency’s protocol in a manner unsuitable to ensure the confidentiality of the personal data contained therein, since the same was “visible to all authorized users”.

The data subject also stated that she “had not [had] any indication and/or discussion [with the Data Protection Officer (DPO) designated by the Agency], in relation to the methods of data processing at least relating to her sphere of activity”, knowing only the details of the act by which the role was assigned to the DPO.

2. The investigative activity.

With note prot. no. XX of XX, reiterated with note prot. no. XX of XX, the Authority addressed a request for information to the Agency pursuant to art. 157 of the Code.

With note prot. no. XX of XX, the Agency responded to the aforementioned request, declaring, in particular, that:

“due to a mere material error, the evaluation form was not registered in a confidential manner, but was accessible to all persons authorised to access the protocol”;

“AGER is a newly established body, which took place with Regional Law no. 20 of 2016 with the appointment of a commissioner ad acta in office until September 2018. In the start-up phase of the body, […] the first employee personnel identified arrived in February 2019, through mobility and AGER faced the start of institutional activities with personnel on a parasubordinate contract or consultancy. To ensure the functioning of the structure, collaborators also accessed the protocol ([…] and the [complainant] herself), but there was no reason why other users should have accessed the file, and as can be verified from the system logs […] only the people involved in the procedure (the operator who sent it, and the [complainant] herself) accessed the file and therefore no one else became aware of the content of the protocol in question”;

“after the event, only four people […] from the protocol office were authorised to access the system. Starting in 2021, the units were reduced to three […]”;

“the system adopts high levels of security, as it is only accessible from a specific IP address, and any communication regarding personnel, by checking the “confidential” box, automatically becomes inaccessible if they do not have the password”;

“every time a confidential protocol is generated, in order to access it or send it, a unique password must be generated that is useful for opening only and exclusively the registered file […]”;

“[…] no protocol operator is able to acquire or generate [the] aforementioned password [, as it is necessary to make] a request to the IT office in support of the general management which, based on the request received via email from the protocol office, proceeds, following verification by the General Director, to generate the password for accessing the protocol to allow its possible sending”;

“[the] appointment of the [DPO was made with] DD. no. XX of XX [with] subject “XX […]” and [with] DD. no. XX of XX [renewing the assignment]”;

“the contact details [of the DPO] were published on XX, with the simultaneous publication of the new website”;

“due to a material error, the [DPO] was not communicated to the Guarantor and this was done on day XX with note prot. no. XX”.

With note of XX (prot. no. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the investigation, notified the Agency, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, for:

the failure to designate the DPO in the period between 25 May 2018, the date on which the Regulation became effective, and XX, the date on which the DPO was designated, in violation of art. 37, paragraph 1, letter a), of the Regulation;

the failure to provide information regarding the contact details of the DPO, in violation of art. 13, paragraph 1, letter b), and 37, paragraph 7, of the Regulation;

failure to communicate the contact details of the DPO to the Authority, in violation of art. 37, par. 7, of the Regulation.

With the same note, the aforementioned data controller was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law 24 November 1981, no. 689).

With note of XX (prot. no. XX), the Agency submitted a defensive brief, declaring, in particular, that:

“the body[,] started after the first phase of the commissionership in 2018[,] could not count on any employee staff, [as] the activities were conducted by leveraging professional relationships”;

“only from February 2019 were two positions filled with as many staff members from the voluntary mobility procedure”;

“[only in] October 2019 with subsequent Decrees 90/91/92/93/94/95 the Agency proceeded to announce public selection procedures based on qualifications and interviews for the coverage of 10 fixed-term positions”;

“the procedures started were then suspended due to the COVID-19 emergency. Only on XX were these procedures completed and allowed the institution to equip itself with its own staff (although largely on fixed-term contracts) in the total number of 6 units (including those acquired through the mobility procedure)”;

“therefore it should be emphasized that this period should be considered as a real start-up of the institution, in fact deprived for a long time of a stable and organic organizational structure, aggravated by all the critical issues that the concomitance of the health emergency entailed”;

“there was no unauthorized access to the personal data covered by this procedure […, as emerges from the] access “logs” produced in the documents”;

“[…] the employee concerned in no way pointed out the circumstance of the failure to affix the “confidential” protocol instead of the “ordinary” one, thus allowing colleagues to block access to the document”;

“[…] the failure to affix the “confidential” protocol instead of the “ordinary” one is attributable to a mere oversight by the protocol operator”.

During the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on XX (see minutes prot. no. XX of XX), the Agency stated, in particular, that:

“the Entity has experienced a very complex period in equipping itself with an internal organizational structure; given its establishment in 2018, the first two units with mobility procedures only arrived in 2019. Collaborators arrived in the same year and the first fixed-term contracts were signed only in 2020”;

“this internal organization process was further complicated by the SARS-CoV-2 pandemic”;

“the failure to designate the DPO and the late publication and communication of the contact details of the same did not depend on the will of the Agency, which, in the first period of its history, had to deal with an emergency situation and scarcity of resources”;

“until the XX, the Agency used the website of the Puglia Region, which did not allow for the insertion of timely information relating to the Agency; subsequently, once it became autonomous, the Agency was able to publish online all the information required by law”;

“the Agency published the contact details [of] the DPO on its institutional website and modified all its information on data processing, including those intended for workers, indicating the contact details of the DPO”;

“in any case, the employees had already been informed of the appointment of the DPO and of the contact details of the same”.

3. Outcome of the investigation.

3.1 Accessibility to personal data contained in an evaluation sheet.

The complainant complained that unauthorized persons had access to her evaluation sheet, relating to the year 2019.

In this regard, the Agency, also assuming responsibility pursuant to art. 168 of the Code, declared - also producing evidence extracted from its IT systems (log files) - that, although this evaluation sheet had been erroneously registered in an ordinary and non-confidential manner, no unauthorized person had accessed it or become aware of the complainant's personal data, and therefore no unlawful communication of personal data to third parties had taken place. However, this circumstance does not relieve the Agency of its responsibility to adopt, as data controller, the appropriate organizational and technical measures to prevent access by unauthorized persons to the data in question.
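The two controls at issue in this section, a "confidential" flag that a protocol operator can forget to tick and the access logs later used to show who actually opened the file, are modelled in the following Python example. It is added here for illustration and is not the Agency's software or part of the decision; the registry structure, the category list, the user names and the log lines are all constructed. It makes the same distinction the Guarantor draws above: a log audit can only prove after the fact that no unauthorized access occurred, whereas a fail-safe default (documents in personnel categories are registered as confidential regardless of what the operator ticked) is the organizational and technical measure that prevents it beforehand.

```python
"""Fail-safe classification and access-log audit for a document registry.

Added illustration, not the Agency's system and not part of the decision.
All categories, users, document ids and log lines are constructed.
"""
from dataclasses import dataclass, field

# Categories that must never be registered as "ordinary" (constructed list;
# a real registry would take this from its records-management plan).
CONFIDENTIAL_CATEGORIES = {"personnel_evaluation", "disciplinary", "medical"}


def classify(category: str, requested: str) -> str:
    """Fail-safe default: the operator's choice can only tighten, never loosen.

    A document in a confidential category is confidential even when the
    operator left the box unticked, which is the oversight at issue.
    """
    if requested not in ("ordinary", "confidential"):
        raise ValueError(f"unknown classification {requested!r}")
    if category in CONFIDENTIAL_CATEGORIES:
        return "confidential"
    return requested


@dataclass
class Document:
    doc_id: str
    category: str
    involved: frozenset            # users legitimately involved in the procedure
    requested_class: str = "ordinary"   # what the operator ticked (may be wrong)
    classification: str = field(init=False)

    def __post_init__(self):
        self.classification = classify(self.category, self.requested_class)


def can_access(doc: Document, user: str, protocol_users: set, has_file_password: bool) -> bool:
    """Ordinary documents: any protocol user.  Confidential documents: only
    users involved in the procedure, and only with the per-file password."""
    if user not in protocol_users:
        return False
    if doc.classification == "ordinary":
        return True
    return user in doc.involved and has_file_password


def parse_log_line(line: str) -> tuple:
    """'2020-03-02T10:15:00 user=rossi action=open doc=PROT-0419' -> (user, action, doc)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["user"], fields["action"], fields["doc"]


def audit_access(doc: Document, log_lines: list) -> list:
    """Return users who opened `doc` but were not involved in the procedure.

    This is the after-the-fact check the Agency made from its system logs;
    an empty result shows no unauthorized disclosure happened, not that
    the registration itself was correct.
    """
    return sorted({u for u, action, d in map(parse_log_line, log_lines)
                   if d == doc.doc_id and action == "open" and u not in doc.involved})


# Constructed sample: an evaluation sheet the operator registered as "ordinary".
SAMPLE_DOC = Document("PROT-0419", "personnel_evaluation",
                      involved=frozenset({"operator1", "employee1"}),
                      requested_class="ordinary")

# Constructed log lines: only the sender and the employee opened the file.
SAMPLE_LOG = [
    "2020-03-02T10:15:00 user=operator1 action=open doc=PROT-0419",
    "2020-03-02T10:16:10 user=operator1 action=send doc=PROT-0419",
    "2020-03-02T11:02:33 user=employee1 action=open doc=PROT-0419",
    "2020-03-02T11:40:05 user=collab7 action=open doc=PROT-0500",
]

if __name__ == "__main__":
    print(SAMPLE_DOC.classification)             # confidential, despite the operator's choice
    print(audit_access(SAMPLE_DOC, SAMPLE_LOG))  # []
```

Run as a script it prints the classification the fail-safe rule produced and an empty list of unauthorized readers. The design choice worth noting is that `classify` is applied at registration time inside `Document`, so the registry never holds a personnel document in the "ordinary" state, whereas `audit_access` only reports what the logs show and cannot repair a misclassification.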

3.2 The delay in designating the DPO.

Pursuant to art. 37, par. 1, letter a), of the Regulation, “the controller […] shall systematically designate […] a data protection officer whenever […] processing is carried out by a public authority or body […]”.

Following the investigation, it emerged that the Agency had designated its own DPO with decision no. XX of XX, acquired in the files.

It is therefore established that in the period between 25 May 2018, the date on which the Regulation became effective, and XX, the date of adoption of said decision, the Agency did not designate a DPO, in violation of art. 37, par. 1, letter a), of the Regulation.

3.3 Failure to provide information regarding the contact details of the DPO.

Pursuant to art. 37, par. 7, of the Regulation, “the controller or the processor publishes the contact details of the data protection officer […]”.

During the investigation, the Agency stated that “the contact details [of the DPO] were published on XX, with the simultaneous publication of the new website”.

It is therefore established that in the period between XX, the date on which the DPO was designated, and XX, the Agency failed to publish the contact details of the DPO.

In this regard, it is also noted that the Agency has not demonstrated that it has made the contact details of the DPO available, in other ways, for example in the context of the information on the processing of personal data pursuant to art. 13, par. 1, letter b), of the Regulation (on this point, see the “Guidelines on data protection officers”, in the version adopted by the European Data Protection Board on 5 April 2017, par. 2.6).

Only following the hearing of XX, in response to an express reservation formulated at that time, the Agency, with note prot. no. XX of XX, filed in the documents the text of a notice, with which employees would have been informed of the contact details of the DPO, as well as copies of two information notices on the processing of personal data, reporting, among other things, the email address at which it is possible to contact the DPO. However, these are mere text documents, with no verifiable date, which cannot be considered sufficient to prove the fulfillment of the obligations provided for by the Regulation. Moreover, in filing such documents, the Agency did not clarify when and how they would have been brought to the attention of the data subjects.

The Agency therefore acted in violation of Articles 13, paragraph 1, letter b), and 37, paragraph 7, of the Regulation.

3.4 Failure to communicate the contact details of the DPO to the Authority.

The Agency stated that “due to a material error, the communication of the [DPO] was not made to the Guarantor and this was done on day XX with note prot. no. XX”.

Also in this regard, it should be noted first of all that, again pursuant to art. 37, par. 7, of the Regulation, “the data controller or the data processor […] communicates [the contact details of the DPO] to the supervisory authority”.

It is therefore also established that in the period between XX, the date on which the DPO was designated, and XX, the Agency failed to communicate the contact details of the DPO to the Authority.

Failure to communicate the same to the Authority, in the periods indicated above, constitutes a violation of art. 37, par. 7, of the Regulation.

4. Conclusions.

In light of the above assessments, it is noted that the statements made by the data controller during the investigation (for the truthfulness of which it may be held accountable pursuant to art. 168 of the Code), although worthy of consideration, do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome and are insufficient to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Agency is noted, for not having promptly designated the DPO, informed the data subjects of the contact details of the same and communicated the same data to the supervisory authority, in violation of art. 13, par. 1, letter b), and 37, parr. 1, letter a), and 7 of the Regulation.

Considering that the violation of the aforementioned provisions occurred as a result of a single conduct, Article 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violation is subject to the administrative sanction provided for by Article 83, paragraph 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to EUR 20,000,000.

In this context, considering, in any case, that the conduct has exhausted its effects, given that the Agency has declared that it has fulfilled the relevant obligations relating to the figure of the DPO, the conditions for the adoption of further corrective measures pursuant to Article 58, paragraph 2, of the Regulation do not exist.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letters i and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to arts. 58, par. 2, letters i) and 83 of the Regulation as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.

With specific regard to the nature and severity of the violation (art. 83, par. 2, letter a), of the Regulation), it must be considered that the untimely designation of the DPO and the failure to inform - both the data subjects and the Authority - regarding the contact details of the same may significantly prejudice the correct fulfillment by the data controller of the obligations deriving from the data protection legislation, as well as the possibility for the data subjects to assert their rights with the data controller and for the Authority to interface effectively with the same.

In light of these circumstances, it is considered that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

That said, it is considered that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into account:

following the initiation of the investigation by the Authority, the Agency took steps to remedy the contested violations (Article 83, paragraph 2, letter f), of the Regulation);

there are no previous relevant violations committed by the Agency (Article 83, paragraph 2, letter i), of the Regulation);

the violations also depended on the peculiar organizational and management situation in which the Agency found itself since its establishment in 2018 (appointment of a commissioner ad acta until September 2018; assignment of dependent staff only starting from February 2019, first with two units and then with six units on a permanent basis between 2020 and 2021), further complicated during the Sars-CoV-2 pandemic emergency (art. 83, par. 2, letter k), of the Regulation);

until XX, the information relating to the Agency was published on the institutional website of the Puglia Region, as the Agency did not have its own website (art. 83, par. 2, letter k), of the Regulation).

In light of the aforementioned elements, assessed as a whole, it is believed that the amount of the pecuniary sanction should be determined in the amount of 6,000 (six thousand) euros for the violation of arts. 13, par. 1, letter b), and 37, par. 1, letter a), and 7 of the Regulation, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account that the designation of the DPO was carried out with considerable delay, i.e. approximately three years after the effective date of the Regulation, it is also believed that the accessory sanction of publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should be applied.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, paragraph 1, letter f), of the Regulation, declares the conduct held by the Agency, described in the terms set out in the reasons, to be unlawful, consisting in the violation of art. 13, paragraph 1, letter b), and 37, paragraphs 1, letter a), and 7 of the Regulation;

ORDERS

to the Territorial Agency of the Puglia Region for the waste management service (AGER), with registered office in Via delle Magnolie 6/8 - 70026 Modugno (BA), C.F. 93473040728, to pay the sum of Euro 6,000 (six thousand) as an administrative fine for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Agency, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 6,000 (six thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the website of the Guarantor, considering that the conditions set out in art. 17 of the Guarantor Regulation no. 1/2019 exist.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 8 February 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE DEPUTY SECRETARY GENERAL
Filippi

[web doc. no. 9994597]

Provision of 8 February 2024

Register of provisions
no. 61 of 8 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY'S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members and Dr. Claudio Filippi, Deputy Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD to Legislative Decree no. 196 of 30 June 2003, “Code on the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, “Code”);

HAVING REGARD to Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Deputy Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur: lawyer Guido Scorza;

WHEREAS

1. Introduction.

With a complaint submitted pursuant to art. 77 of the Regulation, Ms. XX, an employee of the Territorial Agency of the Puglia Region for the waste management service (AGER – hereinafter, the “Agency”), complained that “on […] XX [she was] notified by email from the sender protocollo@pec.ager.puglia.it [....] on [her] [institutional] mailbox, the evaluation sheet for the year 2019” and that this outgoing note would have been acquired by the Agency’s protocol in a manner unsuitable to ensure the confidentiality of the personal data contained therein, since the same was “visible to all authorized users”.

The interested party also stated that she “had not [had] any indication and/or discussion [with the Data Protection Officer (DPO) designated by the Agency], in relation to the methods of data processing at least relating to her sphere of activity”, knowing only the details of the act of assignment of the task to the same.

2. The investigative activity.

With note prot. no. XX of XX, reiterated with note prot. no. XX of XX, the Authority addressed a request for information to the Agency pursuant to art. 157 of the Code.
With note prot. no. XX of XX, the Agency responded to the aforementioned request, declaring, in particular, that:

“due to a mere material error, the evaluation form was not registered in a confidential manner, but was accessible to all persons authorised to access the protocol”;

“AGER is a newly established body, which took place with Regional Law no. 20 of 2016 with the appointment of a commissioner ad acta in office until September 2018. In the start-up phase of the body, […] the first employee personnel identified arrived in February 2019, through mobility and AGER faced the start of institutional activities with personnel on a parasubordinate contract or consultancy. To ensure the functioning of the structure, collaborators also accessed the protocol ([…] and the [complainant] herself), but there was no reason why other users should have accessed the file, and as can be verified from the system logs […] only the people involved in the procedure (the operator who sent it, and the [complainant] herself) accessed the file and therefore no one else became aware of the content of the protocol in question”;

“after the event, only four people […] from the protocol office were authorised to access the system. Starting in 2021, the units were reduced to three […]”;

“the system adopts high levels of security, as it is only accessible from a specific IP address, and any communication regarding personnel, by checking the “confidential” box, automatically becomes inaccessible if they do not have the password”;

“every time a confidential protocol is generated, in order to access it or send it, a unique password must be generated that is useful for opening only and exclusively the registered file […]”;

“[…] no protocol operator is able to acquire or generate [the] aforementioned password [, as it is necessary to make] a request to the IT office in support of the general management which, based on the request received via email from the protocol office, proceeds, following verification by the General Director, to generate the password for accessing the protocol to allow its possible sending”;

“[the] appointment of the [RPD was made with] DD. no. XX of XX [with] subject “XX […]” and [with] DD. no. XX of XX [renewing the assignment]”;

“the contact details [of the RPD] were published on XX, with the simultaneous publication of the new website”;

“due to a material error, the [RPD] was not communicated to the Guarantor and this was done on day XX with note prot. no. XX”.
With note of XX (prot. no. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the investigation, notified the Agency, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, for:

the failure to designate the DPO in the period between 25 May 2018, the date on which the Regulation became effective, and XX, the date on which the DPO was designated, in violation of art. 37, paragraph 1, letter a), of the Regulation;

the failure to provide information regarding the contact details of the DPO, in violation of art. 13, paragraph 1, letter b), and 37, paragraph 7, of the Regulation;

failure to communicate the contact details of the DPO to the Authority, in violation of art. 37, par. 7, of the Regulation.
With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law 24 November 1981, no. 689).

With note of XX (prot. no. XX), the Agency submitted a defensive brief, declaring, in particular, that:

“the body[,] started after the first phase of the commissionership in 2018[,] could not count on any employee staff, [as] the activities were conducted by leveraging professional relationships”;

“only from February 2019 were two positions filled with as many staff members from the voluntary mobility procedure”;

“[only in] October 2019 with subsequent Decrees 90/91/92/93/94/95 the Agency proceeded to announce public selection procedures based on qualifications and interviews for the coverage of 10 fixed-term positions”;

“the procedures started were then suspended due to the COVID-19 emergency. Only on XX were these procedures completed, allowing the institution to equip itself with its own staff (although largely on fixed-term contracts) in the total number of 6 units (including those acquired through the mobility procedure)”;

“therefore it should be emphasized that this period should be considered as a real start-up of the institution, in fact deprived for a long time of a stable and organic organizational structure, aggravated by all the critical issues that the concomitance of the health emergency entailed”;

“there was no unauthorized access to the personal data covered by this procedure […, as emerges from the] access “logs” produced in the documents”;

“[…] the employee concerned in no way pointed out the circumstance of the failure to affix the “confidential” protocol instead of the “ordinary” one, thus allowing colleagues to block access to the document”;

“[…] the failure to affix the “confidential” protocol instead of the “ordinary” one can be attributed to a mere oversight by the protocol operator”.
During the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on XX (see minutes prot. no. XX of XX), the Agency stated, in particular, that:

“the Entity has experienced a very complex period in equipping itself with an internal organizational structure; given its establishment in 2018, the first two units with mobility procedures arrived only in 2019. Collaborators arrived in the same year and the first fixed-term contracts were signed only in 2020”;

“this internal organization process was further complicated by the SARS-CoV-2 pandemic”;

“the failure to designate the DPO and the late publication and communication of the contact details of the same did not depend on the will of the Entity, which, in the first period of its history, had to face an emergency situation and scarcity of resources”;

“until XX, the Agency used the website of the Puglia Region, which did not allow for the insertion of specific information relating to the Entity; subsequently, once it became autonomous, the Agency was able to publish online all the information required by law”;

“the Agency published the contact details [of] the DPO on its institutional website and modified all its information on data processing, including those intended for workers, indicating the contact details of the DPO”;

“in any case, employees had already been informed of the appointment of the DPO and of his contact details”.

3. Outcome of the investigation.

3.1 Accessibility to personal data contained in an evaluation sheet.

The complainant alleged that unauthorized persons had access to her evaluation sheet relating to the year 2019.

In this regard, the Agency, with the assumption of liability also pursuant to art. 168 of the Code, declared - also producing evidence extracted from its IT systems (log files) - that, although this evaluation form had been erroneously registered in ordinary and non-confidential mode, no unauthorized person had access to it and became aware of the complainant's personal data, therefore no illicit communication of personal data to third parties had taken place. However, this circumstance does not relieve the Agency from its responsibility to adopt, as data controller, appropriate organizational and technical measures to prevent unauthorized persons from accessing the data in question.

3.2 The delay in designating the DPO.

Pursuant to art. 37, par. 1, letter a), of the Regulation, "the controller […] shall systematically designate […] a data protection officer whenever […] processing is carried out by a public authority or body […]".

Following the investigation, it emerged that the Agency had designated its own DPO with decision no. XX of XX, acquired in the files.

It is therefore established that in the period between 25 May 2018, the date on which the Regulation became effective, and XX, the date of adoption of said decision, the Agency did not designate a DPO, in violation of art. 37, paragraph 1, letter a), of the Regulation.

3.3 Failure to provide information regarding the contact details of the DPO.

Pursuant to art. 37, paragraph 7, of the Regulation, “the controller or processor shall publish the contact details of the data protection officer […]”.

During the investigation, the Agency declared that “the contact details [of the DPO] were published on XX, with the simultaneous publication of the new website”.

It is therefore established that in the period between XX, the date on which the DPO was designated, and XX, the Agency failed to publish the contact details of the DPO.

In this regard, it is also noted that the Agency has not demonstrated that it made the contact details of the DPO available in other ways, for example in the information on the processing of personal data pursuant to art. 13, paragraph 1, letter b), of the Regulation (on this point, see the “Guidelines on data protection officers”, in the version adopted by the European Data Protection Board on 5 April 2017, paragraph 2.6).

Only following the hearing on XX, in response to an express reservation formulated at that time, the Agency, with note prot. no. XX of XX, placed on file the text of a notice with which the employees would have been informed of the contact details of the DPO, as well as copies of two information notices on the processing of personal data reporting, among other things, the email address at which it is possible to contact the DPO. However, these are mere text documents, bearing no certain date, which cannot be considered sufficient to prove the fulfillment of the obligations provided for by the Regulation. Moreover, in filing such documents, the Agency did not clarify when and how they would have been brought to the attention of the data subjects.

The Agency therefore acted in violation of Articles 13, paragraph 1, letter b), and 37, paragraph 7, of the Regulation.

3.4 Failure to communicate the contact details of the DPO to the Authority.

The Agency stated that “due to a material error, the communication of the [RPD] to the Guarantor was not made and this was done on day XX with note prot. no. XX”.

Also in this regard, it should be noted first of all that, again pursuant to art. 37, par. 7, of the Regulation, “the data controller or the data processor […] communicates [the contact details of the RPD] to the supervisory authority”.

It is therefore also established that in the period between XX, the date on which the RPD was designated, and XX, the Agency failed to communicate the contact details of the RPD to the Authority.

Failure to communicate the same to the Authority, in the periods indicated above, constitutes a violation of art. 37, par. 7, of the Regulation.

4. Conclusions.

In light of the above assessments, it is noted that the statements made by the data controller during the investigation (for the veracity of which it may be held liable pursuant to art. 168 of the Code), although worthy of consideration, do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome and are insufficient to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Agency is noted, for not having promptly designated the DPO, informed the data subjects of the contact details of the same and communicated the same data to the supervisory authority, in violation of art. 13, par. 1, letter b), and 37, paragraphs 1, letter a), and 7 of the Regulation.

Considering that the violation of the aforementioned provisions occurred as a result of a single conduct, Article 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violation is subject to the administrative sanction provided for by Article 83, paragraph 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to EUR 20,000,000.

In this context, considering, in any case, that the conduct has exhausted its effects, given that the Agency has declared that it has fulfilled the relevant obligations relating to the figure of the DPO, the conditions for the adoption of further corrective measures pursuant to Article 58, paragraph 2, of the Regulation do not exist.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to arts. 58, par. 2, letters i) and 83 of the Regulation as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation.

The aforementioned administrative fine, imposed depending on the circumstances of each individual case, must be determined in amount taking due account of the elements provided for by art. 83, par. 2, of the Regulation.

With specific regard to the nature and severity of the violation (art. 83, par. 2, letter a), of the Regulation), it must be considered that the untimely designation of the DPO and the failure to inform - both the data subjects and the Authority - regarding the contact details of the same may significantly prejudice the correct fulfillment by the data controller of the obligations arising from the data protection legislation, as well as the possibility for the data subjects to assert their rights with the data controller and for the Authority to interface effectively with the same.

In light of these circumstances, it is considered that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

That said, it is considered that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into account:

following the initiation of the investigation by the Authority, the Agency took steps to remedy the contested violations (Article 83, paragraph 2, letter f), of the Regulation);

there are no previous relevant violations committed by the Agency (Article 83, paragraph 2, letter i), of the Regulation);

the violations also depended on the peculiar organizational and management situation in which the Agency found itself since its establishment in 2018 (appointment of a commissioner ad acta until September 2018; assignment of dependent staff only starting from February 2019, first with two units and then with six units on a permanent basis between 2020 and 2021), further complicated during the SARS-CoV-2 pandemic emergency (art. 83, par. 2, letter k), of the Regulation);

until XX, the information relating to the Agency was published on the institutional website of the Puglia Region, as the Agency did not have its own website (art. 83, par. 2, letter k), of the Regulation).

In light of the aforementioned elements, assessed as a whole, it is believed that the amount of the pecuniary sanction should be determined in the amount of 6,000 (six thousand) euros for the violation of Articles 13, par. 1, letter b), and 37, par. 1, letter a), and 7 of the Regulation, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, to be effective, proportionate and dissuasive.

Taking into account that the designation of the DPO was carried out with considerable delay, i.e. approximately three years after the effective date of the Regulation, it is also believed that the accessory sanction of publication of this provision on the website of the Guarantor should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter f), of the Regulation, declares the conduct of the Agency, described in the terms of the reasons, to be unlawful, consisting in the violation of Articles 13, paragraph 1, letter b), and 37, paragraphs 1, letter a), and 7 of the Regulation;

ORDERS

the Territorial Agency of the Puglia Region for the waste management service (AGER), with registered office in Via delle Magnolie 6/8 - 70026 Modugno (BA), C.F. 93473040728, to pay the sum of Euro 6,000 (six thousand) as an administrative pecuniary sanction for the violations indicated in the reasons. It is noted that the offender, pursuant to Article 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;

ORDERS

that the aforementioned Agency, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, pay the sum of Euro 6,000 (six thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the website of the Guarantor, considering that the conditions set out in art. 17 of the Guarantor Regulation no. 1/2019 exist.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 8 February 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE DEPUTY SECRETARY GENERAL
Filippi