Garante per la protezione dei dati personali (Italy) - 10084453

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
art. 2-ter d. lgs. 196/2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 13.11.2024
Published:
Fine: 5,000 EUR
Parties: n/a
National Case Number/Name: 10084453
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: carloc

The DPA fined a Health Agency €8,000 for unlawfully publishing the names of candidates who were rejected during a public job selection procedure.

English Summary

Facts

The Health Agency of Enna, the controller, held a public selection procedure for external lawyers. The applicants, the data subject among them, consented to the processing of their personal data for the purposes of the selection procedure. The results of the selection were published online on a non-indexed web page. The page listed the names of 20 lawyers whose applications were rejected, together with the reason for each rejection.

The data subject contacted the data controller and claimed that his personal data were published without a legal basis. In this context, he also requested the erasure of the data. The controller did not respond to the request.

The data subject later filed a complaint with the DPA. The controller erased the data after the data subject filed said complaint.

Holding

First, the DPA held that the controller violated Article 5 GDPR, Article 6 GDPR, and Article 2-ter of the Italian Privacy Code (Codice in materia di protezione dei dati personali) by publishing the names of the rejected lawyers without a legal basis. In this regard, the DPA observed that the data subject’s consent was not freely given and that the publication of the data was not provided for by the law.

Second, the DPA held that the data controller violated Article 17 GDPR by failing to respond to the data subject’s erasure request.

The DPA fined the data controller €8,000.

The DPA noted that public entities should not process personal data on the legal basis of consent due to the power imbalance with the data subjects. Public entities should rely on Article 6(1)(e) GDPR instead (task in the public interest or exercise of official authority).

Comment

Article 2-ter of the Italian Privacy Code (Codice in materia di protezione dei dati personali) is a specification of Articles 6(1)(c) and (e) GDPR (respectively: the legal bases of legal obligation, and public interest or official authority vested in the controller).


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10084453]

Provision of 13 November 2024

Register of provisions
no. 666 of 13 November 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

SEEN the documentation in the files;

SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

REPORTER the lawyer Guido Scorza;

WHEREAS

1. Introduction.

With a complaint submitted pursuant to art. 77 of the Regulation, Mr. XX represented that, following participation in a procedure for registration in the list of external lawyers at the Provincial Health Authority of Enna (hereinafter “Health Authority”), the Health Authority communicated to the interested party that, with Resolution of the General Director no. XX of XX approving the company register of external lawyers, he had been excluded from the procedure "because he had been registered in the Register of Lawyers for less than three years". The complainant also stated that "through the consultation of the electronic public notice board of the Company, [...] he noted that [this resolution] published online contained in attachment, in addition to the list of professionals included in the register [...], also that of the excluded professionals, with the indication next to each name of the reasons for the exclusion".

Subsequently, the interested party sent the Health Authority a request for the cancellation of his personal data pursuant to art. 17, par. 1, of Regulation 2016/679/EU, "alleging the unlawfulness of the processing carried out by the Company through the publication of the names of the lawyers excluded from the procedure".

2. The investigative activity.

In response to a request for information from the Authority (note prot. no. XX of XX), with note of XX, prot. no. XX, the Health Authority declared, in particular, that:

- “with Resolution no. XX of XX, the Company Register of External Lawyers for the assignment of legal assignments was approved. Integral and substantial parts of this resolution were: - Annex A, i.e. the list of professionals included in the Register of External Lawyers; - Annex B, i.e. the list of professionals excluded from the register”;

- “this act was declared immediately enforceable in order to allow the assignment of legal assignments in compliance with the directives issued by the Health Department and also with what is established by Guidelines no. 12 “Assignment of legal services” approved by the Council of the National Anti-Corruption Authority, with resolution no. XX. These Guidelines, […] expressly provide that [in accordance with the principle of transparency, it must be guaranteed] in favor of each potential bidder, an adequate level of knowledge of the selection procedures, including the reasons underlying the choices made by the administration, also in order to allow control over the impartiality of the selection” and with regard to “publicity” it is stated that […] the principle of publicity in question also requires the publication of the notice on the results of the selection”;

- “in resolution no. XX, considered in all its integral and substantial parts, sensitive data does not appear […]. The data in question which is the subject of the publication contested by Attorney XX, namely the express reason for the exclusion from the procedure (“Registration in the register less than three years old”) is not properly characterized as “sensitive data” as described in point 1 of art. 4 of European Regulation 679/16. Furthermore, the data relating to the year of registration of the lawyers in the Bar Association to which they belong are published and freely accessible by anyone on the websites of the Bar Associations throughout Italy as well as on the Single List of Lawyers published on the website of the National Bar Council”;

- “it should also be noted that Avv. XX, by submitting the request for registration in the list of Lawyers using the form provided, first declared that he had proven professional experience lasting no less than 3 (three) years […] and in the part of the final certification […] declared “to have fully read the notice relating to the selection in question and the Regulation in force and to fully accept the conditions set out therein” (...); pursuant to and for the purposes of Legislative Decree no. 196/2003 and EU Regulation no. 679/2016 as well as Legislative Decree no. 101/2018 and subsequent amendments, he has “consented to the processing of the above data by the Administration for internal use and in any case for the purposes referred to in this application”.

With note of XX, the Authority, on the basis of the elements acquired, the checks carried out and the facts that emerged following the investigative activity, notified the Health Authority pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, for having carried out a dissemination, on its institutional website of information relating to the complainant, in violation of arts. 5, 6 of the Regulation, as well as art. 2-ter Code (in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts subject to the complaint) and denying the right to erasure of the data exercised by the interested party, in violation of art. 17 of the Regulation.

With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of law 24 November 1981, no. 689).

With note of XX, the Health Authority, which did not request to be heard, presented a defensive brief, declaring, in particular, that:

- the complainant "in his capacity as a candidate, by signing the specific request for registration in the list of Lawyers and using the form provided, declared "to have fully read the notice relating to the selection in question and the Regulation in force and to fully accept the conditions reported therein";

- "resolution no. XX of XX was published in copy on the computerized notice board of the Provincial Health Authority of Enna, pursuant to and for the purposes of art. 53, paragraph 2, of Regional Law no. 30/93, as amended and of art. 32 of Law no. 69 of 18/06/2009, from XX to XX and was available on the company website, in the Personnel Competitions section until the date of XX, when the attachment containing the list of excluded subjects was removed, given what was transmitted on XX by this esteemed Authority, in order to demonstrate full cooperation”.

3. Outcome of the investigation activity. The applicable legislation.

The personal data protection regulation provides that public bodies, in the employment context, can process the personal data of the interested parties, even relating to particular categories, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks provided for by the law or by the law of the Union or of the Member States (articles 6, paragraph 1, letter c), 9, paragraph 2, letters b) and 4, and 88 of the Regulation). Furthermore, processing is lawful when it is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (art. 6, paragraphs 1, letter e), 2 and 3, and art. 9, paragraph 2, letter g), of the Regulation; art. 2-ter of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021).

European legislation provides that “Member States may maintain or introduce more specific provisions to adapt the application of the rules of […] Regulation with regard to processing, in accordance with paragraph 1, letters c) and e), by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing […]” (art. 6, paragraph 2, of the Regulation). In this regard, it is highlighted that the “dissemination” of personal data by public entities is permitted only when provided for by a law or, in the cases provided for by law, by regulation (see art. 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021).

Pursuant to art. 17 of the Regulation, “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if […] d) the personal data have been unlawfully processed, unless the processing is necessary […] b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

3.1. Failure to respond to the request to exercise the right under Article 17 of the Regulation.

From the elements acquired during the investigation, it is established that the Health Authority did not respond to the request to exercise the right formulated by the complainant, proceeding to remove the aforementioned list from its institutional website only on XX, i.e. following the request for information sent by this Authority on XX.

In this regard, it is generally stated that the data controller is required to facilitate the exercise of the rights by the interested party and, in any case, to provide explicit feedback to the request formulated by the interested party, regardless of whether or not the request is well-founded, without unjustified delay and, in any case, no later than one month after its receipt, in the context of a direct relationship between the interested party and the data controller.

The aforementioned deadline may be extended by the controller by two months, if necessary, taking into account the complexity and number of requests, without prejudice to the right of the data subject to be informed of such extension and of the reasons for the delay within one month of receiving the request (Article 12, paragraphs 2 and 3 of the Regulation).

Furthermore, if the controller does not comply with the request of the data subject, he/she shall inform him/her without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy (Article 12, paragraph 4 of the Regulation).

In light of the above, it must be concluded that the Health Authority has not responded to the request formulated by the data subject, resulting in the violation of Article 17 of the Regulation.

3.2. Dissemination of personal data.

As shown by the documents and declarations made by the data controller during the investigation, as well as by the investigation carried out on the basis of the elements acquired, following the investigation and subsequent assessments of this Department, the Health Authority has published on its institutional website, from XX to XX, Resolution no. XX of XX approving the Company Register of External Lawyers including Annexes A and B containing respectively the list of professionals included in the Register of External Lawyers and the list of twenty professionals excluded from the Register, including the name of the complainant and the reason for their exclusion (e.g. not being registered in the Register of Lawyers, not having submitted the curriculum vitae, not having submitted the application within the deadline).

With regard to the legal basis that would have justified the dissemination of the complainant's personal data, the Health Authority has not demonstrated the existence of a specific law that requires the publication of the list of professionals excluded from the register and the related reasons for exclusion.

In this regard, it should be remembered that the Guarantor, also with regard to the dissemination of common data, has clarified on several occasions that even the presence of a specific advertising regime (a circumstance that does not occur in this case), cannot lead to any automaticity with respect to the online dissemination of personal data and information, nor a derogation from the principles regarding the protection of personal data (see numerous provisions including provision of 4 July 2024, no. 404, web doc. 10050145 and provisions referred to therein). This is also confirmed by the personal data protection system contained in the Regulation, in light of which it is provided that the data controller must implement "appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed" and must be "able to demonstrate" - in light of the principle of "accountability" - that it has done so (Articles 5, paragraph 2; 24 and 25, paragraph 2, Regulation).

For these reasons, the arguments reported in the defense documents of the Health Authority cannot be accepted, which would derive the legitimacy of the publication of the aforementioned data from Article 53, paragraph 2, of Regional Law No. 30 of 3 November 1993 which regulates the management and publicity of documents in the health sector, nor from Article 32 of Law No. 69 of 18 June 2009 which concerns the "elimination of waste related to the maintenance of documents in paper form", this is because none of the provisions referred to contain a specific obligation to publish the lists of professionals to whom the administration deems not to assign an assignment.

Similarly, it is not possible to invoke, as a suitable prerequisite for disseminating the list of excluded persons, the circumstance that the complainant, "by submitting the request for registration in the list of Lawyers using the form provided" has "consented to the processing of the above data by the Administration for internal use and in any case for the purposes of this application for selection", as reported in the defense documents of the Health Authority, since the processing of data by a public body finds its legal basis in the specific sector discipline and not in the consent of the interested parties, due to the imbalance in the relationship between the owner and the interested party (recital no. 43 and art. 88 of the Regulation).

Furthermore, the circumstance that "the data relating to the year of registration of lawyers in the Bar Association to which they belong are published and freely accessible by anyone on the websites of the Bar Associations throughout Italy as well as on the Single List of Lawyers published on the website of the National Bar Council" does not allow, in any case, to consider the processing carried out by the Health Authority as lawful, given that the knowledge and publicity of personal data must respond to the principle of "purpose limitation", according to which personal data must be "collected for specific, explicit and legitimate purposes, and subsequently processed in a way that is not incompatible with those purposes" (art. 5, par. 1, letter b) of the Regulation).

In other words, the simple fact that personal information is made publicly available online does not mean that it can be freely reused by anyone and for any purpose, having to evaluate from time to time "whether, for what purposes and according to what limits and conditions any further uses of the personal data made public can be considered lawful in light of the "principle of purpose" and other European principles on the protection of personal data" (see provisions of 24 November 2022, web doc 9839018, of 25 March 2021 no. 106, web doc. no. 9584421 and of 12 March 2020, web doc. no. 9429218).

In light of the above considerations, this behavior has led to the dissemination of personal data of the complainant and nineteen other interested parties, in the absence of an appropriate legal basis, in violation of Articles 5, 6 of the Regulation and of Article 2-ter of the Code and without providing feedback to the request for deletion of the interested party's data, in violation of art. 17 of the Regulation.

4. Conclusions.

In light of the assessments referred to above, it is noted that the declarations made by the data controller during the investigation (the veracity of which may be held accountable pursuant to art. 168 of the Code), although worthy of consideration, do not allow the findings notified by the Office with the act initiating the procedure to be overcome and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 applies.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Health Authority is noted for having the aforementioned Entity disseminated online the personal data of the complainant by publishing on its institutional website the list of professionals excluded from the register and the reason for their exclusion, in the absence of a suitable regulatory basis, in violation of Articles 5 and 6 of the Regulation and 2-ter of the Code and in violation of Article 17 of the Regulation.

Considering that the violation of the aforementioned provisions occurred as a result of a single conduct, Article 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the violations are all subject to the sanction provided for by Article 83, paragraph 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to €20,000,000.

In this context, considering, in any case, that the conduct has exhausted its effects, given that the Health Authority has removed the aforementioned list from its institutional website on XX, the conditions for the adoption of further corrective measures pursuant to art. 58, paragraph 2, of the Regulation do not exist.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and the accessory sanctions (art. 58, paragraph 2, letter i) and art. 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, paragraph 2, letters i) and 83 of the Regulation as well as art. 166 of the Code, has the power to “impose an administrative pecuniary sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the [Guarantor] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction to be published, in full or in extract, on the Guarantor's website pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the administrative pecuniary sanction provided for by Article 83, paragraph 5, of the Regulation.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by Article 83, paragraph 2, of the Regulation.

Considering that:

with specific regard to the nature, seriousness and duration of the violation, it must be considered that the dissemination of data concerned, in addition to the complainant, nineteen other interested parties with express indication of the reasons for exclusion (e.g. not being registered in the Register of Lawyers, not having submitted the Curriculum Vitae, not having submitted the application within the deadlines) even if such publication occurred on the institutional website of the Health Authority without indexing on search engines (see art. 83, par. 2, letter a), of the Regulation);

with specific regard to the subjective profile of the violation, the Health Authority acted in the mistaken belief that it was fulfilling a legal obligation despite the numerous indications provided by the Guarantor to all public entities since 2014 with the guidelines referred to above (see also "Guidelines on the processing of personal data of workers for purposes of managing the employment relationship in the public sector" of 14 June 2007, web doc. no. 1417809). (Article 83, paragraph 2, letter b), of the Regulation);

With regard to the categories of personal data disclosed, special categories of data are not included (Article 83, paragraph 2, letter g) of the Regulation);

In light of this specific circumstance, it is believed that, in this case, the level of severity of this violation committed by the data controller is medium (see European Data Protection Board, "Guidelines 4/2022 on the calculation of administrative pecuniary sanctions pursuant to the GDPR" of 24 May 2023, point 60).

That said, the following aggravating and mitigating circumstances must also be considered:

- there have been previous violations of the same provisions of the Regulation and the Code, albeit in different contexts (see art. 83, par. 2, letter e), of the Regulation);

- the Health Authority has offered good cooperation with the Authority by declaring that it has removed the list containing the participants excluded from the procedure, albeit following the request for information from the Guarantor (art. 83, par. 2, letter f), of the Regulation);

- the violation occurred in a period characterized, with particular reference to the Health Authorities, by numerous organizational difficulties, connected to the problems of the emergency period characterized by the spread of the SARS-CoV-2 virus (art. 83, par. 2, letter k), of the Regulation).

In light of the above elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of €8,000 (eight thousand) for the violation of Articles 5, 6 of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to Article 83, paragraph 1, of the Regulation, to be effective, proportionate and dissuasive.

In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the Guarantor's website.

This is in consideration of the extended period of time during which the aforementioned information was published on the website of the Health Authority also following the failure to respond to the complainant's request for the cancellation of his personal data.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter f) and 83, of the Regulation, the unlawfulness of the processing carried out by the Provincial Health Authority of Enna in the terms set out in the reasons is noted, due to the violation of art. 5, 6 and 17 of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text);

ORDER

b) pursuant to art. 58, par. 2, letter f) i) of the Regulation to the Provincial Health Authority of Enna, in the person of its legal representative pro-tempore, with registered office in Viale Armando Diaz, 7 - 94100 Enna (EN), C.F. 01151150867, to pay the sum of Euro 8,000 (eight thousand) as an administrative pecuniary sanction for the violations indicated in this provision;

ORDERS

c) therefore to the Provincial Health Authority of Enna to pay the aforementioned sum of Euro 8,000 (eight thousand) according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, the right of the offender to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below;

ORDERS

d) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

e) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Authority;

f) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, par. 2 of the Regulation, in the internal register of the Authority provided for by art. 57, par. 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 13 November 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei

[web doc. no. 10084453]

Provision of 13 November 2024

Register of provisions
n. 666 of 13 November 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

REPORTER the lawyer Guido Scorza;

WHEREAS

1. Introduction.

With a complaint submitted pursuant to art. 77 of the Regulation, Mr. XX represented that, following his participation in a procedure for registration in the list of external lawyers of the Provincial Health Authority of Enna (hereinafter “Health Authority”), the Health Authority communicated to him that, with Resolution of the General Director no. XX of XX approving the company register of external lawyers, he had been excluded from the procedure "because he had been registered in the Register of Lawyers for less than three years". The complainant also stated that "through the consultation of the electronic public notice board of the Company, [...] he noted that [this resolution] published online contained in attachment, in addition to the list of professionals included in the register [...], also that of the excluded professionals, with the indication next to each name of the reasons for the exclusion".

Subsequently, the interested party sent the Health Authority a request for the cancellation of his personal data pursuant to art. 17, par. 1, of Regulation 2016/679/EU, "alleging the unlawfulness of the processing carried out by the Company through the publication of the names of the lawyers excluded from the procedure".

2. The investigative activity.

In response to a request for information from the Authority (note prot. no. XX of XX, with note of XX, prot. no. XX), the Health Authority declared, in particular, that:

- “with Resolution no. XX of XX the Corporate Register of External Lawyers for the assignment of legal assignments was approved. Integral and substantial parts of this resolution were: - Annex A, i.e. the list of professionals included in the Register of External Lawyers; - Annex B, i.e. the list of professionals excluded from the register”;

- “this act was declared immediately enforceable in order to allow the assignment of legal assignments in compliance with the directives issued by the Department of Health and also with what is established by Guidelines no. 12 “Assignment of legal services” approved by the Council of the National Anti-Corruption Authority, with resolution no. XX. These Guidelines, […] expressly provide that “according to the principle of transparency, an adequate level of knowledge of the selection procedures must be guaranteed to each potential bidder, including the reasons underlying the choices made by the administration, also in order to allow control over the impartiality of the selection” and with regard to “publicity” it is stated that […] the principle of publicity in question also requires the publication of the notice on the results of the selection”;

- “in resolution no. XX, considered in all its integral and substantial parts, sensitive data does not appear […]. The data in question that is the subject of the publication contested by Attorney XX, namely the express reason for exclusion from the procedure (“Registration in the register less than three years old”) is not properly defined as “sensitive data” as described in point 1 of art. 4 of European Regulation 679/16. Furthermore, the data relating to the year of registration of the lawyers in the Bar Association to which they belong are published and freely accessible by anyone on the websites of the Bar Associations throughout Italy as well as on the Single List of Lawyers published on the website of the National Bar Council”;

- “it should also be noted that Avv. XX, by submitting the request for registration in the list of Lawyers using the form provided, first declared that he had proven professional experience lasting no less than 3 (three) years […] and in the part of the final certification […] declared “to have fully read the notice relating to the selection in question and the Regulation in force and to fully accept the conditions set out therein” (...); pursuant to and for the purposes of Legislative Decree no. 196/2003 and EU Regulation no. 679/2016 as well as Legislative Decree no. 101/2018 and subsequent amendments, has “consented to the processing of the above data by the Administration for internal use and in any case for the purposes referred to in this application”.

With note of XX, the Authority, on the basis of the elements acquired, the checks carried out and the facts that emerged from the investigative activity, notified the Health Authority, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, for having disseminated, on its institutional website, information relating to the complainant, in violation of arts. 5 and 6 of the Regulation, as well as art. 2-ter of the Code (in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts subject to the complaint), and for having denied the right to erasure of the data exercised by the interested party, in violation of art. 17 of the Regulation.

With the same note, the aforementioned controller was invited to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of law 24 November 1981, no. 689).

With note of XX, the Health Authority, which did not request to be heard, presented a defensive brief, declaring, in particular, that:

- the complainant "in his capacity as a candidate, by signing the specific request for registration in the list of Lawyers and using the form provided, declared "to have fully read the notice relating to the selection in question and the Regulation in force and to fully accept the conditions reported therein";

- "resolution no. XX of XX was published in copy on the computerized notice board of the Provincial Health Authority of Enna, pursuant to and for the purposes of art. 53, paragraph 2, of Regional Law no. 30/93, as amended and of art. 32 of Law no. 69 of 18/06/2009, from XX to XX and was available on the company website, in the Personnel Competitions section until the date of XX, when the attachment containing the list of excluded subjects was removed, given what was transmitted on XX by this esteemed Authority, in order to demonstrate full cooperation”.

3. Outcome of the investigation activity. The applicable legislation.

The personal data protection regulation provides that public bodies, in the employment context, may process the personal data of the interested parties, including data relating to special categories, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks provided for by the law or by the law of the Union or of the Member States (articles 6, paragraph 1, letter c), 9, paragraphs 2, letter b), and 4, and 88 of the Regulation). Furthermore, processing is lawful when it is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (art. 6, paragraphs 1, letter e), 2 and 3, and art. 9, paragraph 2, letter g), of the Regulation; art. 2-ter of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021).

European legislation provides that “Member States may maintain or introduce more specific provisions to adapt the application of the rules of […] Regulation with regard to processing, in accordance with paragraph 1, letters c) and e), by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing […]” (art. 6, paragraph 2, of the Regulation). In this regard, it is highlighted that the “dissemination” of personal data by public entities is permitted only when provided for by a law or, in the cases provided for by law, by regulation (see art. 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021).

Pursuant to art. 17 of the Regulation, “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where […] d) the personal data have been unlawfully processed, unless the processing is necessary […] b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

3.1. Failure to respond to the request to exercise the right under art. 17 of the Regulation.

From the elements acquired in the context of the investigation, it is established that the Health Authority did not respond to the request to exercise the right formulated by the complainant, removing the aforementioned list from its institutional website only on XX, i.e. following the request for information transmitted by this Authority on XX.

In this regard, it is noted that, as a general rule, the data controller is required to facilitate the exercise of the rights by the interested party and, in any case, to provide an explicit response to the request formulated by the interested party, regardless of whether or not the request is well-founded, without unjustified delay and, in any case, at the latest within one month of its receipt, in the context of a direct relationship between the interested party and the data controller.

The aforementioned deadline may be extended by the controller by two months, if necessary, taking into account the complexity and number of requests, without prejudice to the right of the data subject to be informed of such extension and of the reasons for the delay within one month of receiving the request (Article 12, paragraphs 2 and 3 of the Regulation).

Furthermore, if the controller does not comply with the request of the data subject, he/she shall inform him/her without delay, and at the latest within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy (Article 12, paragraph 4 of the Regulation).

In light of the above, it must be concluded that the Health Authority has not responded to the request formulated by the data subject, resulting in the violation of Article 17 of the Regulation.

3.2. Dissemination of personal data.

As shown by the documents and declarations made by the data controller during the investigation, and by the assessments carried out by this Department on the basis of the elements acquired, the Health Authority published on its institutional website, from XX to XX, Resolution no. XX of XX approving the Company Register of External Lawyers, including Annexes A and B, containing respectively the list of professionals included in the Register of External Lawyers and the list of twenty professionals excluded from the Register, including the name of the complainant and the reason for each exclusion (e.g. not being registered in the Register of Lawyers, not having submitted the curriculum vitae, not having submitted the application within the deadline).

With regard to the legal basis that would have justified the dissemination of the complainant's personal data, the Health Authority has not demonstrated the existence of a specific law that requires the publication of the list of professionals excluded from the register and the relative reasons for exclusion.

In this regard, it should be remembered that the Guarantor, also with regard to the dissemination of common data, has clarified on several occasions that even the existence of a specific publicity regime (a circumstance that does not occur in this case) does not automatically justify the online dissemination of personal data and information, nor does it permit a derogation from the principles regarding the protection of personal data (see numerous provisions including provision of 4 July 2024, no. 404, web doc. 10050145 and provisions referred to therein). This is also confirmed by the personal data protection system contained in the Regulation, which provides that the data controller must implement "appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed" and must be "able to demonstrate" - in light of the principle of "accountability" - that it has done so (Articles 5, paragraph 2; 24 and 25, paragraph 2, Regulation).

For these reasons, the arguments set out in the defense documents of the Health Authority, which would derive the legitimacy of the publication of the aforementioned data from Article 53, paragraph 2, of Regional Law No. 30 of 3 November 1993, which regulates the management and publicity of documents in the health sector, or from Article 32 of Law No. 69 of 18 June 2009, which concerns the "elimination of waste related to the maintenance of documents in paper form", cannot be accepted, because neither of the provisions referred to contains a specific obligation to publish the lists of professionals to whom the administration decides not to assign an engagement.

Similarly, it is not possible to invoke, as a suitable prerequisite for disseminating the list of excluded persons, the circumstance that the complainant, "by submitting the request for registration in the list of Lawyers using the form provided", has "consented to the processing of the above data by the Administration for internal use and in any case for the purposes of this application for selection", as reported in the defense documents of the Health Authority, since the processing of data by a public body finds its legal basis in the specific sector discipline and not in the consent of the interested parties, due to the imbalance in the relationship between the controller and the interested party (recital no. 43 and art. 88 of the Regulation).

Furthermore, the circumstance that "the data relating to the year of registration of lawyers in the Bar Association to which they belong are published and freely accessible by anyone on the websites of the Bar Associations throughout Italy as well as on the Single List of Lawyers published on the website of the National Bar Council" does not allow, in any case, to consider the processing carried out by the Health Authority as lawful, given that the knowledge and publicity of personal data must respond to the principle of "purpose limitation", according to which personal data must be "collected for specific, explicit and legitimate purposes, and subsequently processed in a way that is not incompatible with those purposes" (art. 5, par. 1, letter b) of the Regulation).

In other words, the simple fact that personal information is made publicly available online does not mean that it can be freely reused by anyone and for any purpose; it must be assessed case by case "whether, for what purposes and according to what limits and conditions any further uses of the personal data made public can be considered lawful in light of the 'principle of purpose' and other European principles on the protection of personal data" (see provisions of 24 November 2022, web doc. 9839018, of 25 March 2021 no. 106, web doc. no. 9584421 and of 12 March 2020, web doc. no. 9429218).

In light of the above considerations, this conduct resulted in the dissemination of personal data of the complainant and nineteen other interested parties, in the absence of an appropriate legal basis, in violation of Articles 5 and 6 of the Regulation and of Article 2-ter of the Code, and in the failure to respond to the interested party's request for deletion of his data, in violation of art. 17 of the Regulation.

4. Conclusions.

In light of the assessments referred to above, it is noted that the declarations made by the data controller during the investigation - for the veracity of which it may be held accountable pursuant to art. 168 of the Code -, although worthy of consideration, do not allow the findings notified by the Office with the act initiating the procedure to be overcome and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 applies.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Health Authority is noted, since the aforementioned Entity disseminated online the personal data of the complainant by publishing on its institutional website the list of professionals excluded from the register and the reason for their exclusion, in the absence of a suitable regulatory basis, in violation of Articles 5 and 6 of the Regulation and 2-ter of the Code, and in violation of Article 17 of the Regulation.

Considering that the violation of the aforementioned provisions occurred as a result of a single conduct, Article 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the violations are all subject to the sanction provided for by Article 83, paragraph 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to €20,000,000.
In this context, considering, in any case, that the conduct has exhausted its effects, given that the Health Authority has removed the aforementioned list from its institutional website on XX, the conditions for the adoption of further corrective measures pursuant to art. 58, paragraph 2, of the Regulation do not exist.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and the accessory sanctions (art. 58, paragraph 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, paragraph 2, letters i) and 83 of the Regulation as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.
Taking into account that:

- with specific regard to the nature, seriousness and duration of the violation, it must be considered that the dissemination of data concerned, in addition to the complainant, also nineteen other interested parties, with express indication of the reasons for exclusion (e.g. not being registered in the Register of Lawyers, not having submitted the Curriculum Vitae, not having submitted the application within the terms), even if such publication occurred on the institutional website of the Health Authority without indexing on search engines (see art. 83, par. 2, letter a), of the Regulation);

- with specific regard to the subjective profile of the violation, the Health Authority acted in the mistaken belief that it was fulfilling a legal obligation, despite the numerous indications provided by the Guarantor to all public entities since 2014 with the guidelines referred to above (see also "Guidelines on the processing of personal data of workers for purposes of managing the employment relationship in the public sector" of 14 June 2007, web doc. no. 1417809) (Article 83, paragraph 2, letter b), of the Regulation);

- with regard to the categories of personal data disclosed, special categories of data are not included (Article 83, paragraph 2, letter g), of the Regulation).

In light of these specific circumstances, it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, "Guidelines 4/2022 on the calculation of administrative pecuniary sanctions pursuant to the GDPR" of 24 May 2023, point 60).

Having said this, the following aggravating and mitigating circumstances must also be considered:

- there have been previous violations of the same provisions of the Regulation and the Code, albeit in different contexts (see art. 83, par. 2, letter e), of the Regulation);

- the Health Authority has offered good cooperation with the Authority by declaring that it has removed the list containing the participants excluded from the procedure, albeit following the request for information from the Guarantor (art. 83, par. 2, letter f), of the Regulation);

- the violation occurred in a period characterized, with particular reference to the Health Authorities, by numerous organizational difficulties, connected to the problems of the emergency period characterized by the spread of the SARS-CoV-2 virus (art. 83, par. 2, letter k), of the Regulation).

In light of the above elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of Euro 8,000 (eight thousand) for the violation of Articles 5, 6 of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to Article 83, paragraph 1, of the Regulation, effective, proportionate and dissuasive.

In this context, it is also deemed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor.

This is in consideration of the extended period of time during which the aforementioned information was published on the Health Authority's website, also following the failure to respond to the complainant's request to delete his/her personal data.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter f) and 83, of the Regulation, the unlawfulness of the processing carried out by the Provincial Health Authority of Enna in the terms set out in the reasons is noted, due to the violation of art. 5, 6 and 17 of the Regulation, as well as 2-ter of the Code (both in the text prior to the amendments made by the Legislative Decree of 8 October 2021, in force at the time the dissemination of the personal data in question began, and in the current text);

ORDERS

b) pursuant to art. 58, par. 2, letter i) of the Regulation to the Provincial Health Authority of Enna, in the person of its legal representative pro-tempore, with registered office in Viale Armando Diaz, 7 - 94100 Enna (EN), C.F. 01151150867, to pay the sum of Euro 8,000 (eight thousand) as an administrative pecuniary sanction for the violations indicated in this provision;

ORDERS

c) therefore to the Provincial Health Authority of Enna to pay the aforementioned sum of Euro 8,000 (eight thousand) according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981. It is noted that, pursuant to art. 166, paragraph 8, of the Code, the offender has the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below;

ORDERS

d) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

e) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Authority;

f) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, par. 2 of the Regulation, in the internal register of the Authority provided for by art. 57, par. 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 13 November 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei