Garante per la protezione dei dati personali (Italy) - 10095836

From GDPRhub
Garante per la protezione dei dati personali - 10095836/2024
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 9 GDPR
Art. 2-septies Codice Privacy
Type: Complaint
Outcome: Upheld
Started:
Decided: 12.12.2024
Published: 31.01.2025
Fine: 20000 EUR
Parties: dott. Giuseppe Rubino
National Case Number/Name: 10095836/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Autorità Garante per la protezione dei dati personali (in IT)
Initial Contributor: Martinalevi

The DPA fined a plastic surgeon €20,000 for publishing on Instagram, without the data subject's prior consent, images taken of her during an aesthetic surgery.

English Summary

Facts

The data subject, a patient, filed a complaint against her plastic surgeon, the controller. Without authorisation, the controller published on Instagram photographs depicting her during an aesthetic surgery. The images showed her recognizable face before (wearing a surgical cap) and after the procedure, with the controller's logo displayed on his personal page.

The data subject stated that she had not given any consent for the sharing of the photographs, which had been taken for internal use only. Informed by a friend about the publication, she took legal action to request the removal of the images and compensation for damages.

In the context of this separate civil procedure, the controller explained that he had requested the removal of all patient images from his social media profiles years earlier. He further clarified that the issue arose because the patient had signed consent forms with another colleague at the clinic, without specific authorization for the publication of the images.

Although he did not admit any wrongdoing, the doctor resolved the separate legal proceedings through a settlement agreement, providing financial compensation.

Holding

The DPA considered the violation committed by the controller to be of a high level of severity, given the particularly sensitive nature of the personal data involved (images of the face following an aesthetic procedure) and the processing carried out (unauthorized sharing).

In light of these circumstances and in application of the principles of effectiveness, proportionality, and deterrence, the DPA imposed a financial penalty of €20,000 for violations of Articles 5 and 9 GDPR, as well as Article 2-septies, paragraph 8, of the Privacy Code.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of January 31, 2025



[web doc. no. 10095836]

Measure of December 12, 2024

Register of measures
no. 769 of December 12, 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD to Legislative Decree no. 196 of 30 June 2003, “Code on the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (hereinafter “Code”);

HAVING REGARD to Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”;

SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

SEEN the documentation in the files;

HAVING SEEN the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur Prof. Pasquale Stanzione;

WHEREAS

1. The complaint and the investigative activity

On XX, Ms. XX filed a complaint about the dissemination, on the social media platform Instagram, of photographs in which she is shown during an aesthetic medicine procedure performed by Dr. Giuseppe Rubino at the XX clinic.

The complainant, through her lawyer, stated that “on XX, (…) she underwent (..), a “cervical mid-facial lift with upper and lower blepharoplasty” procedure performed by Dr. Giuseppe Rubino and XX (…). On that occasion, some photographs were taken of the patient for internal use. No consent was given (also because it was not requested) to the disclosure of the images. Last April, my client was notified by a friend that images of her absolutely recognizable face were circulating on Instagram, before (with an operating cap) and after the operation, and under each image was the logo of Dr. Giuseppe Rubino, on whose personal page the photographs were proudly displayed”.

As part of the preliminary investigation, it was necessary to request information from Dr. Rubino that was useful for evaluating the case (notes of XX, prot. no. XX, XX, prot. no. XX, of XX, prot. no. XX).

With a note of XX, Dr. Rubino responded to the request for information, stating that:

- “Ms. XX years ago contacted my secretary by telephone, who promptly requested, from the person who managed my social sites at the time, the deletion of all photos on the Instagram platform of patients who had undergone facelifts and blepharoplasty, the same procedures performed on patient XX”;

- “despite the deletion of the photos, on XX I received communication from the legal representative of Ms. XX, who requested an amicable settlement of the dispute within 10 days with compensation for the damages suffered, without however providing an HTTPS, for which compensation is requested and furthermore reporting me secondarily to your GPDP offices”;

- “in the procedure carried out on XX, at XX, since Ms. XX was a direct patient of my colleague, XX, her informed consents were made to sign, lacking consent to the publication of the photos; in confidence, since my consents by practice include this item, they were signed. In spite of myself, the person who managed my social media platforms at the time (..), published these images, which in this case portrayed only and exclusively the patient's face. (...) in the case of Ms. XX, the misunderstanding arose from the fact that she signed the consent forms with the facility and with another doctor".

With the same note, Dr. Rubino attached the forms of "informed consents relating to the interventions" that he usually performs and, in the requested hearing, declared, among other things, that:

- "despite the dispute arising from a mere misunderstanding and Dr. Rubino did not in any way acknowledge any fault, the same was settled with a settlement agreement with Prof. XX, through financial recognition to the same as compensation for damages";

- "Prof. XX, already a patient of XX, had signed the informed consents for the surgical act of the aforementioned doctor; Dr. Rubino was unaware of the lack of specific consent to the publication of the images” (see minutes of XX).

2. Assessments of the Department on the processing carried out and notification of the violation pursuant to art. 166, paragraph 5 of the Code

In relation to the facts described in the complaint, the Office notified Dr. Giuseppe Rubino, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions pursuant to art. 58, paragraph 2, of the Regulation (note of XX, prot. no. XX), inviting him to produce written defenses or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981).

In particular, the Office, in the aforementioned document, considered that Dr. Rubino, by disseminating on his Instagram social media profile photographs of the complainant, in which she is portrayed before and after an aesthetic medicine procedure, processed health data in violation of the basic principles of processing pursuant to Articles 5 and 9 of the Regulation as well as Article 2-septies, paragraph 8, of the Code.

In relation to the notification made with the aforementioned note of XX, Dr. Rubino did not produce any written defense.

3. Outcome of the investigation

Having taken note of what Dr. Rubino represented in the documentation in the case file, it is observed that:

1. personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4, paragraph 1, point 1 of the Regulation);

2. “health data” means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the state of health of that natural person (Article 4, paragraph 1, no. 15 of the Regulation);

3. dissemination of personal data means “the disclosure of personal data to unspecified subjects, in any form, including by making them available or consulting them” (Article 2-ter, paragraph 4 of the Code);

4. the data controller is required to comply with the principles of data protection, including those of "lawfulness, fairness and transparency", "purpose limitation", "data minimisation" and "integrity and confidentiality", according to which the data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject", "collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes", "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" and must be "processed in a manner that ensures appropriate security (...), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures" (Article 5, paragraph 1, letters a), b), c) and f) of the Regulation);

5. with specific reference to the particular categories of data, including health data, Article 9, paragraph 1, of the Regulation establishes a general prohibition on the processing of such data, unless one of the specific exemptions provided for in paragraph 2 of the same article applies;

6. data relating to health deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (Recital 51); the legislation on the protection of personal data expressly prohibits their dissemination (art. 9, paragraph 4 of the Regulation and art. 2-septies, paragraph 8, of the Code);

7. the Authority, since 2014, has represented that "the publication of any information from which one can infer the state of illness or the existence of pathologies of the data subjects is prohibited, including any reference to conditions of invalidity, disability or physical and/or mental handicap. To this end, from the drafting stage of the acts and documents to be published, in compliance with the principle of adequate motivation, no “excessive”, “irrelevant”, “non-essential” (and, even less, “prohibited”) personal data should be included. Otherwise, it is necessary to provide for the relevant blackout” (see “Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for advertising and transparency purposes on the web by public bodies and other obliged entities”, part II, par. 1, of 15.5.2014, web doc. no. 3488002); in this regard, attention is also drawn to the Authority's previous interventions regarding the publication of images and videos of patients undergoing medical procedures (provision of 15 April 2021, web doc. nos. 9587071, 9587089, 9587637, provision of 24 November 2022, web doc. no. 9844780);

8. with specific reference to the publication of clinical cases, the Code of Medical Ethics approved by the National Federation of the Orders of Surgeons and Dentists in 2014 (as amended in 2016 and 2017) provides that "the doctor shall ensure that the subjects involved in the publication or scientific disclosure of data and clinical studies cannot be identified" (Article 11 - confidentiality of personal data).

4. Conclusions: declaration of unlawfulness of processing

In light of the above assessments, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code (“False declarations to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor”), it is noted that the elements provided by the data controller are not suitable for accepting the requests for archiving and do not make it possible to overcome the findings notified by the Office with the aforementioned act of initiation of the proceeding, since none of the cases provided for by art. 11 of the Guarantor regulation no. 1/2019 apply.

From all of the above, it follows that Dr. Rubino has disseminated, through the publication on his Instagram profile, images that revealed data on the health of the complainant, with respect to which the legitimate expectation of confidentiality and privacy was high, also in consideration of the professional and fiduciary relationship with the doctor.

From the examination of the information and elements acquired as well as the documentation provided, the processing of the complainant's personal data carried out by Dr. Rubino appears to be unlawful, as it was carried out outside the treatment purposes for which the same doctor was entitled to process and in violation of the basic principles set out in Articles 5 and 9 of the Regulation as well as Article 2-septies, paragraph 8 of the Code.

In this context, considering that the photographs portraying the complainant have been eliminated, the conditions for the adoption of the corrective measures set out in Article 58, paragraph 2, of the Regulation do not currently exist.

It is believed that the conditions set out in Article 17 of the Regulation of the Guarantor no. 1/2019 exist.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).

The violation of articles 5 and 9 of the Regulation and article 2-septies, paragraph 8, of the Code, caused by the conduct of Dr. Giuseppe Rubino entails the application of the administrative pecuniary sanction pursuant to article 83, par. 5 of the Regulation (see article 166, paragraph 2, of the Code).

The Guarantor, pursuant to article 58, par. 2, letter i) of the Regulation and article 166 of the Code, has the power to “impose an administrative pecuniary sanction pursuant to Article 83, in addition to the (other) (corrective) measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case”, by adopting an injunction order (Article 18, Law 24 November 1981, no. 689), in relation to the processing of personal data carried out by Dr. Rubino, which has been found to be unlawful, in the terms set out above.

Considering it necessary to apply paragraph 3 of Article 83 of the Regulation, in relation to the violation of Articles 5 and 9 of the Regulation and Article 2-septies of the Code, where it provides that “if, in relation to the same processing or linked processing, a controller […] violates, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious violation”, the total amount of the fine is calculated so as not to exceed the maximum amount set out in the same art. 83, par. 5.

In light of the above and, in particular, of the category of personal data affected by the violation, which, by their nature, are particularly sensitive in terms of fundamental rights and freedoms as well as the type of processing operation (dissemination), it is believed that the level of severity of the violation committed by Dr. Rubino is high (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60). It was also assessed that the Guarantor became aware of the event following the receipt of a complaint from a patient of Dr. Rubino (Article 83, paragraph 2, letter h) of the Regulation).

In light of the elements indicated above and the assessments carried out, it is considered appropriate, in the case in question, to set the amount of the pecuniary sanction at €20,000.00 (twenty thousand/00) for the violation of Articles 5 and 9 of the Regulation, as well as Article 2-septies, paragraph 8 of the Code, based on the principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere, pursuant to Article 83, paragraph 1, of the Regulation.

In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019, this chapter containing the injunction order should be published on the website of the Guarantor. This, in consideration of the type of operation carried out and the personal data subject to unlawful processing.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter f) and 83 of the Regulation, notes the unlawfulness of the processing carried out by Dr. Giuseppe Rubino, born in XX (XX) on XX, C.F. XX, in the terms set out in the reasons, for the violation of art. 5 and 9 of the Regulation as well as art. 2-septies, paragraph 8 of the Code;

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation, to the same doctor, in the person of the legal representative pro-tempore, to pay the sum of Euro 20,000.00 (twenty thousand/00) as an administrative pecuniary sanction for the violation indicated in this provision.

ORDERS

the aforementioned doctor to pay the sum of Euro 20,000.00 (twenty thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981. It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender retains the right to settle the dispute by paying, again according to the methods indicated in the attachment, an amount equal to half of the sanction imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.

ORDERS

a) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

b) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Authority;

c) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 12 December 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi

SEE ALSO Newsletter of 31 January 2025

 

[web doc. no. 10095836]

Provision of 12 December 2024

Register of provisions
no. 769 of 12 December 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING SEEN Legislative Decree no. 196 of 30 June 2003 containing the “Personal data protection code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (hereinafter “Code”);

SEEN Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”;

SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

SEEN the documentation in the files;

SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur Prof. Pasquale Stanzione;

WHEREAS

1. The complaint and the investigation

On XX, Ms. XX filed a complaint about the dissemination, on the social media platform Instagram, of photographs in which she is shown during an aesthetic medicine procedure performed by Dr. Giuseppe Rubino at the XX clinic.

The complainant, through her lawyer, stated that “on XX, (…) she underwent (..), a “cervical mid-facial lift with upper and lower blepharoplasty” performed by Dr. Giuseppe Rubino and XX (…). On that occasion, some photographs were taken of the patient for internal use. No consent was given (also because it was not requested) to the disclosure of the images. Last April, my client was informed by a friend that images of her absolutely recognizable face were circulating on Instagram, before (with an operating cap) and after the operation, and under each image was the logo of Dr. Giuseppe Rubino, on whose personal page the photographs were proudly displayed”.

As part of the investigation, it was necessary to request information from Dr. Rubino that was useful for assessing the case (notes of XX, prot. no. XX, XX, prot. no. XX, of XX, prot. no. XX).

With a note of XX, Dr. Rubino responded to the request for information, stating that:

- “Ms. XX years ago contacted my secretary by telephone, who promptly requested, from the person who managed my social sites at the time, the deletion of all photos on the Instagram platform of patients who had undergone facelifts and blepharoplasty, the same procedures performed on patient XX”;

- “despite the deletion of the photos, on XX I received communication from the legal representative of Ms. XX, who requested an amicable settlement of the dispute within 10 days with compensation for the damages suffered, without however providing an HTTPS, for which compensation is requested and furthermore reporting me secondarily to your GPDP offices”;

- “in the procedure carried out on XX, at XX, since Ms. XX was a direct patient of my colleague, XX, her informed consents were made to sign, lacking consent to the publication of the photos; in confidence, since my consents by practice include this item, they were signed. In spite of myself, the person who managed my social media platforms at the time (..), published these images, which in this case portrayed only and exclusively the patient's face. (...) in the case of Ms. XX, the misunderstanding arose from the fact that she signed the consent forms with the facility and with another doctor".

With the same note, Dr. Rubino attached the forms of "informed consents relating to the interventions" that he usually performs and, in the requested hearing, declared, among other things, that:

- "despite the dispute arising from a mere misunderstanding and Dr. Rubino did not in any way acknowledge any fault, the same was settled with a settlement agreement with Prof. XX, through financial recognition to the same as compensation for damages";

- "Prof. XX, already a patient of XX, had signed the informed consents for the surgical act of the aforementioned doctor; Dr. Rubino was unaware of the lack of specific consent to the publication of the images” (see minutes of XX).

2. Assessments of the Department on the processing carried out and notification of the violation pursuant to art. 166, paragraph 5 of the Code

In relation to the facts described in the complaint, the Office notified Dr. Giuseppe Rubino, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions pursuant to art. 58, paragraph 2, of the Regulation (note of XX, prot. no. XX), inviting him to produce written defenses or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981).

In particular, the Office, in the aforementioned document, considered that Dr. Rubino, by disseminating on his Instagram social media profile photographs of the complainant, in which she is portrayed before and after an aesthetic medicine procedure, processed health data in violation of the basic principles of processing pursuant to Articles 5 and 9 of the Regulation as well as Article 2-septies, paragraph 8, of the Code.

In relation to the notification made with the aforementioned note of XX, Dr. Rubino did not produce any written defense.

3. Outcome of the investigation

Having taken note of what Dr. Rubino represented in the documentation in the case file, it is observed that:

1. personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4, paragraph 1, point 1 of the Regulation);

2. “health data” means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the state of health of that natural person (Article 4, paragraph 1, no. 15 of the Regulation);

3. dissemination of personal data means “the disclosure of personal data to unspecified subjects, in any form, including by making them available or consulting them” (Article 2-ter, paragraph 4 of the Code);

4. the data controller is required to comply with the principles of data protection, including those of "lawfulness, fairness and transparency", "purpose limitation", "data minimisation" and "integrity and confidentiality", according to which the data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject", "collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes", "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" and must be "processed in a manner that ensures appropriate security (...), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures" (Article 5, paragraph 1, letters a), b), c) and f) of the Regulation);

5. with specific reference to the particular categories of data, including health data, Article 9, paragraph 1, of the Regulation establishes a general prohibition on the processing of such data, unless one of the specific exemptions provided for in paragraph 2 of the same article applies;

6. data relating to health deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (Recital 51); the legislation on the protection of personal data expressly prohibits their dissemination (art. 9, paragraph 4 of the Regulation and art. 2-septies, paragraph 8, of the Code);

7. the Authority, since 2014, has represented that "the publication of any information from which one can infer the state of illness or the existence of pathologies of the data subjects is prohibited, including any reference to conditions of invalidity, disability or physical and/or mental handicap. To this end, from the drafting stage of the acts and documents to be published, in compliance with the principle of adequate motivation, no “excessive”, “irrelevant”, “non-essential” (and, even less, “prohibited”) personal data should be included. Otherwise, it is necessary to provide for the relevant blackout” (see “Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for advertising and transparency purposes on the web by public bodies and other obliged entities”, part II, par. 1, of 15.5.2014, web doc. no. 3488002); in this regard, attention is also drawn to the previous interventions of the Authority regarding the publication of images and videos of patients undergoing medical procedures (provision of 15 April 2021, web doc. nos. 9587071, 9587089, 9587637, provision of 24 November 2022, web doc. no. 9844780);

8. with specific reference to the publication of clinical cases, the Code of Medical Ethics approved by the National Federation of the Orders of Surgeons and Dentists in 2014 (as amended in 2016 and 2017) provides that "the doctor ensures the non-identifiability of the subjects involved in the publications or scientific disclosures of data and clinical studies" (art. 11 - confidentiality of personal data).

4. Conclusions: declaration of unlawfulness of processing

In light of the above assessments, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code ("False declarations to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), it is noted that the elements provided by the data controller are not sufficient to grant the requests for archiving, as they do not overcome the findings notified by the Office with the aforementioned act of initiation of the proceeding, and none of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 applies.

From all of the above it follows that Dr. Rubino disseminated, through publication on his Instagram profile, images that revealed data on the health of the complainant, with respect to which the legitimate expectation of confidentiality and privacy was high, also in consideration of the professional and fiduciary relationship with the doctor.

From the examination of the information and elements acquired as well as the documentation provided, the processing of the complainant's personal data carried out by Dr. Rubino appears to be unlawful, as it was carried out outside the treatment purposes for which the same doctor was entitled to process them and in violation of the basic principles set out in Articles 5 and 9 of the Regulation as well as Article 2-septies, paragraph 8 of the Code.

In this context, considering that the photographs portraying the complainant have been eliminated, the conditions for adopting the corrective measures set out in Article 58, paragraph 2, of the Regulation do not currently exist.

It is believed that the conditions set out in Article 17 of the Regulation of the Guarantor no. 1/2019 exist.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; article 166, paragraph 7, of the Code).

The violation of articles 5 and 9 of the Regulation and article 2-septies, paragraph 8, of the Code, caused by the conduct of Dr. Giuseppe Rubino entails the application of the administrative pecuniary sanction pursuant to article 83, par. 5 of the Regulation (see article 166, paragraph 2, of the Code).

The Guarantor, pursuant to article 58, par. 2, letter i) of the Regulation and article 166 of the Code, has the power to “impose an administrative pecuniary sanction pursuant to Article 83, in addition to the (other) (corrective) measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case”, by adopting an injunction order (Article 18, Law 24 November 1981, no. 689), in relation to the processing of personal data carried out by Dr. Rubino, which has been found to be unlawful, in the terms set out above.

Considering it necessary to apply paragraph 3 of Article 83 of the Regulation, in relation to the violation of Articles 5 and 9 of the Regulation and Article 2-septies of the Code, where it provides that “if, in relation to the same processing or linked processing, a controller […] violates, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious violation”, the total amount of the fine is calculated so as not to exceed the maximum amount set out in the same art. 83, par. 5.

In light of the above and, in particular, of the category of personal data affected by the violation, which, by their nature, are particularly sensitive in terms of fundamental rights and freedoms as well as the type of processing operation (dissemination), it is believed that the level of severity of the violation committed by Dr. Rubino is high (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60). It was also assessed that the Guarantor became aware of the event following the receipt of a complaint from a patient of Dr. Rubino (Article 83, paragraph 2, letter h) of the Regulation).

In light of the elements indicated above and the assessments carried out, it is considered appropriate, in the case in question, to set the amount of the pecuniary sanction at €20,000.00 (twenty thousand/00) for the violation of Articles 5 and 9 of the Regulation, as well as Article 2-septies, paragraph 8 of the Code, based on the principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere, pursuant to Article 83, paragraph 1, of the Regulation.

In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019, this chapter containing the injunction order should be published on the website of the Guarantor, in consideration of the type of operation carried out and the personal data subject to unlawful processing.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter f) and 83 of the Regulation, notes the unlawfulness of the processing carried out by Dr. Giuseppe Rubino, born in XX (XX) on XX, C.F. XX, in the terms set out in the reasons, for the violation of art. 5 and 9 of the Regulation as well as art. 2-septies, paragraph 8 of the Code;

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation, the same doctor, in the person of the legal representative pro-tempore, to pay the sum of Euro 20,000.00 (twenty thousand/00) as an administrative pecuniary sanction for the violation indicated in this provision.

ORDERS

the aforementioned doctor to pay the sum of Euro 20,000.00 (twenty thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981. It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender retains the right to settle the dispute by paying - again according to the methods indicated in the attachment - an amount equal to half of the sanction imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree of 1 September 2011, no. 150, provided for the filing of the appeal as indicated below.

ORDERS

a) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

b) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the website of the Authority;

c) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 12 December 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi