
Garante per la protezione dei dati personali (Italy) - 10107246

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(f) GDPR
Article 9 GDPR
Article 75 of the Italian Personal Data Protection Code (Legislative Decree no. 196/2003)
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.02.2025
Published: 13.02.2025
Fine: 10,000 EUR
Parties: n/a
National Case Number/Name: 10107246
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: ligialagev

The DPA fined a doctor €10,000 for unlawfully sending an email to his patients to promote his electoral bid for public office. The recipients of the email numbered approximately 500 people.

English Summary

Facts

A medical doctor (the data controller) sent an email to his patients during the municipal elections of June 8-9, 2024. In this email, the controller informed patients about his candidacy as town councillor and asked for their support and votes.

The DPA became aware of the controller's actions through a report and news articles and questioned the controller. He stated that he had collected the email addresses directly from patients who had contacted him for medical information or assistance. He also claimed the emails were sent based on explicit consent obtained through an information notice that included "Promotional Activities, Information via Telematic Means, and Newsletter" among the processing purposes.

The controller also argued that many email addresses were pseudonyms or fantasy names and, therefore, could not be referred to specific individuals. The controller confirmed that approximately 500 patients received the email.

Holding

First, the DPA established that patients' email addresses qualify as personal data and, specifically, health data, since they are contact details of directly or indirectly identifiable patients. The DPA referred to case law, including a recent Court of Justice of the European Union decision[1], confirming that information that can reveal a connection between a person and healthcare services constitutes health data under the GDPR.

Second, the DPA determined that the controller lacked a valid legal basis for processing these data for electoral purposes. The consent obtained from patients was not valid for electoral propaganda because this specific purpose was not explicitly mentioned in the information notice provided to patients. The DPA also rejected the controller's claim that electoral messages could be considered equivalent to "newsletters" or "promotional activities" mentioned in the consent form and noted that, according to the Medical Code of Ethics, medical advertising can only concern "professional titles and specializations, professional activities, service characteristics offered, and fees for services."

Third, the DPA found that by including all 500 recipients in the "copy" (CC) field rather than the "blind copy" (BCC) field, the controller had unnecessarily exposed the identity of all his patients to each other, revealing their status as patients without justification and violating the principle of integrity and confidentiality.

Fourth, the DPA dismissed the controller's defense that he lacked proper training on data protection matters, emphasizing that as a data controller, he was obliged to know and observe applicable data protection rules with ordinary diligence. The DPA also pointed out that core data protection principles have been in force since 1998 and that the DPA itself has issued numerous decisions on the topic of electoral propaganda since 2001.

Incidentally, the DPA highlighted that the controller had also potentially violated the Code of Medical Ethics, which prohibits abuse of professional status and conflicts of interest, by leveraging the trust relationship established with his patients for personal electoral advantage.

Overall, the DPA determined that the controller had violated the principles of lawfulness, fairness and transparency, purpose limitation, and integrity and confidentiality (Article 5(1)(a), (b), and (f) GDPR) and processed special category data without an appropriate legal basis (in violation of Article 9 GDPR). For these reasons, the DPA imposed a €10,000 fine.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

- SEE ALSO NEWSLETTER OF 21 MARCH 2025


[web doc. n. 10107246]

Measure of 13 February 2025

Register of measures
n. 82 of 13 February 2025

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY'S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003 (Personal Data Protection Code, hereinafter “Code”) as amended by Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679”;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER, lawyer Guido Scorza;

WHEREAS

1. The preliminary investigation activity.

The Office has learned from a report and some press releases that Dr. Thomas Fero, a general practitioner, registered with the Order of Surgeons and Dentists of Imperia, allegedly sent an electoral message via email, on the occasion of the municipal elections of Sanremo on 8-9 June 2024, to his patients (all entered in the recipient field) of the following tenor: "I am sending you this email to inform you of my candidacy as municipal councilor in the next elections of 8-9 June in Sanremo" "I put my experience at the service of our city because Sanremo deserves more! Support me with your vote and also ask your relatives, friends and acquaintances to make an X on the symbol of "Andiamo" and write Fero".

With regard to the above, the Office requested information with a note dated 23 May 2024 (prot. no. 62877) to which Dr. Fero responded with a note dated June 5, 2024, stating, in particular, that:

“The email addresses collected by the study are the result of communications sent directly to Dr. Fero by patients or collected in the study by the same for the purpose of requesting information or medical assistance, the study’s email address being visible on headed paper”;

"The legal basis for sending communications by email is based on explicit consent pursuant to art. 6 of the GDPR, acquired through information submitted via a dedicated, unflagged field. This was necessary because the patients themselves often contact the practice by email to obtain information, appointments or brief consultations for problems that can be resolved quickly or to send prescriptions in digital format and at the same time allows the medical practice to use a rapid communication tool regarding service times or any periods of absence or in the event of disruptions for any reason. In any case, special health data are not sent by email to any supplier with the exception of those already present in the SSN systems and the so-called electronic health record";

“On the communication to email addresses in copy: it should be noted that the email addresses of the recipients are free accounts where no particular certification is required regarding the identity of the subscribers by the service providers. In fact, some addresses appear in the form of pseudonyms or accounts created with purely fictitious names or references. It follows that, although they are visible to the recipients, they cannot be traced back with certainty to the recipients, appearing in fact pseudo-anonymized”;

“With regard to the number of recipients to whom the communication was sent, it is indicatively around five hundred addresses”.

With reference to this investigation, Dr. Fero submitted a request for access to administrative documents with a note dated 30 May 2024 which was accepted with a provision dated 19 June 2024.

2. The notification of violations and the defensive briefs.

In relation to what emerged in the documents, the Office, with a note dated 16 July 2024 (prot. no. 87367), sent a notification of violation pursuant to art. 166, paragraph 5, of the Code to Dr. Thomas Fero as it was found that the processing of personal data in question was carried out in a manner that did not comply with the principles of “lawfulness, fairness and transparency”, “purpose limitation”, “integrity and confidentiality” (art. 5, par. 1, letters a), b) and f) of the Regulation), as well as in the absence of a suitable regulatory basis (art. 9 of the Regulation).

With a note dated 18 August 2024, Dr. Thomas Fero presented his defense briefs reiterating what was already represented in the aforementioned note of June 5, 2024 and highlighting, with specific reference to the case in question, in particular, that:

“the duration of the alleged violation must be considered to be instantaneous execution since only one newsletter of the contested content was sent”;

“the malicious nature of the newsletter sent must be considered excluded, but rather it must be traced back to a simple carelessness of a culpable nature” “albeit for a human carelessness for having sent the newsletter via a study account with pseudo-anonymized email addresses for information purposes visible to the recipients, also considering the poor knowledge of the subject given the profession practiced”. “The Medical Association has never provided any training course reserved for the methods of processing patients’ personal data according to the provisions of the GDPR”;

“Among the purposes of processing reported in the information submitted to the patients of the Study we read: Promotional activities, Information via telematics, Newsletter”;

in light of what was learned on the basis of the aforementioned request for access to the documents in the file, “No patient of Dr. Fero’s office has ever complained of any violation regarding the way in which their personal data is processed”.

3. The outcome of the investigation.

Having taken note of what is represented in the documentation in the files and in the defense briefs, it is noted that:

pursuant to the Regulation, “personal data” means “any information relating to an identified or identifiable natural person (“data subject”)”; “data relating to health” are those relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health (art. 4, par. 1, points 1 and 15). Recital no. 35 of the Regulation then specifies that data relating to health “include information on the natural person collected during his or her registration for the purpose of receiving health care services”; “a number, symbol or specific element attributed to a natural person to uniquely identify him or her for health purposes”;

the Court of Cassation held that “the very fact of communicating the need for health treatment and, therefore, the existence of a “disease” in a broad sense – understood therefore as a situation that makes health treatment necessary – pertains to health data: that is, for this purpose, it is not necessary to specify which treatment or which disease it is” (Sent. n. 28417/2023);

lastly, with reference to the concept of health data, the CJEU also held that “the information entered by customers (such as their name, delivery address and the elements necessary to identify the medicinal products) when ordering online medicinal products reserved for pharmacies, even if the sale of the latter is not subject to a medical prescription, constitutes health data within the meaning of the GDPR. In fact, such data are capable of revealing, through an intellectual operation of comparison or deduction, information on the state of health of an identified or identifiable natural person, because a link is established between the latter and a medicinal product, its therapeutic indications or its uses, regardless of whether such information concerns the customer or any other person for whom the latter places the order. Therefore, it is irrelevant that, in the absence of a medical prescription, it is only with a certain probability, and not with absolute certainty, that such medicinal products are intended for the customers who ordered them” (see press release of the Court of Justice of the European Union no. 159/24, in relation to the judgment of 4 October 2024, in case C-21/23);

Patients' email addresses must be classified as personal data and, in particular, health data, as they are contact data of a directly or indirectly identifiable patient (on the email address falling within the notion of personal data, see, among others, provisions of the Guarantor of 9 January 2020, no. 1, web doc. no. 9261234; of 13 May 2021, no. 206, web doc. no. 9688020; of 16 September 2021, no. 328, web doc. no. 9722297; of 28 April 2022, no. 164, web doc. no. 9779057; of 7 July 2022, no. 242, web doc. no. 9809998; of 11 January 2023, no. 7, web doc. no. 9861356; of 18 July 2023, no. 316, web doc. no. 9935484; of 23 May 2024, no. 306, web doc. no. 10037439);

personal data must be “processed lawfully, fairly and transparently” and “collected for specific, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes” (principles of “lawfulness, fairness and transparency” and “purpose limitation”, art. 5, par. 1, letters a) and b) of the Regulation);

The Guarantor has long since outlined a precise framework of guarantees and obligations that parties, political bodies, supporters of lists and candidates must observe in order to correctly collect and use the personal data of citizens they intend to contact for the purposes of communication and electoral propaganda (see, most recently, the provision of 18 April 2019, web doc. no. 9105201). In this provision, in particular, it was recalled that personal data collected in the context of health protection activities by healthcare professionals and healthcare organizations cannot be used for electoral propaganda and related political communication purposes. This purpose cannot in fact be traced back to the legitimate purposes for which the data were collected (art. 5, par. 1, letters a) and b) of the Regulation), unless the controller acquires specific and informed consent from the interested party (art. 9, par. 1, letter a); see, with regard to the healthcare sector, the provision of 7 March 2019, web doc. no. 9091942, in particular, par. 1, point d);

Dr. Fero, as represented above, considered that the legal basis for the data processing in question is to be found in the consent of the interested party given on the basis of the information provided in the documents. On this point, it should be noted that the consents acquired in light of the aforementioned information cannot constitute a suitable legal basis for lawfully using the patients' email addresses by Dr. Fero for electoral propaganda purposes, as this purpose is not expressly indicated in the aforementioned information nor in any of the multiple consent services provided for therein. As recalled in the provisions cited above, in fact, the processing of personal data for electoral propaganda purposes and related political communication could be carried out by Dr. Fero, in his capacity as data controller, only if he had acquired specific and informed consent from all 500 patients to whom the aforementioned email was sent; consent which - as mentioned above - cannot be traced back to those indicated in the documents (art. 9, par. 1, letter a) of the Regulation; see, with regard to the healthcare sector, the provision of 7 March 2019, web doc. no. 9091942, in particular, par. 1, point d)). On this point, it should be noted that in the documentation in the files, Dr. Fero himself highlights that the patients' e-mail addresses had been provided by them because they were "aimed at requesting information or medical assistance" and therefore not also for electoral propaganda purposes;

in particular, it should be noted that it is not possible to consider valid even the consent acquired by Dr. Fero for the activities indicated in the information, relating to: "Promotional activities, Information via telematics, Newsletter"; this is because the electoral propaganda activity carried out by Dr. Fero, aimed at gaining the trust of voters and convincing them to give him their vote in the 2024 municipal elections of Sanremo, cannot be equated, as instead claimed by Dr. Fero himself, to sending a Newsletter; in fact, this last activity refers exclusively to a systematic communication sent to those registered to the service to update them on the news in a specific sector. Moreover, pursuant to the Code of Medical Ethics, “The doctor's health information advertising” can have “as its object exclusively the professional titles and specializations, the professional activity, the characteristics of the service offered and the fee relating to the services” (art. 56 of the Code of Medical Ethics of 2014, last updated in 2017);

personal data must be “processed in a manner that ensures appropriate security (…), including protection, through appropriate technical and organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage («integrity and confidentiality»)” (art. 5, par. 1, letter f) of the Regulation);

the sending of a communication via a single email message addressed to a large number of recipients (500), whose addresses were entered in the carbon copy (cc) field (instead of in the field called “blind carbon copy” (bcc)), has, in fact, without justified reason and in the absence of any regulatory basis, mutually revealed, to the recipients involved, the patient status of the other recipients;

with specific reference to the circumstance that Dr. Fero complains in the documents about “the lack of knowledge of the subject given the profession practiced” and that “The Medical Association has never provided any training course reserved for the methods of processing patients’ personal data according to the provisions of the GDPR” it is highlighted that this aspect does not constitute an exemption since Dr. Fero, as data controller and in relation to the exercise of his activity as a doctor, is required, with the use of ordinary diligence, to know and observe the rules applicable to the processing of personal data, as well as the related interpretation; this, moreover, considering, also, that the principles relating to the violated provisions have been in force since 1998 and that the Authority has intervened on the issue with many provisions starting from 2001 (see ex multis Decalogue for the use of data by political parties and movements in the electoral propaganda of 7 March 2001, web doc. no. 663323 and the Electoral Decalogue of 12 February 2004, web doc. no. 634369);

the Regulation, in regulating the parameters of lawfulness of the processing carried out by the healthcare professional, refers to professional secrecy and compliance with the sector rules established by the competent healthcare bodies, among which the Code of Medical Ethics can be included (art. 9, par. 2, letter h) and par. 3 of the Regulation and art. 75 of the Code). The aforementioned Code of Medical Ethics, in addition to the above, provides that "In no case may the doctor abuse his/her professional status" and that "the doctor must avoid any conflict of interest in which professional conduct is subordinated to undue economic or other advantages" (articles 7 and 30 of the 2014 Code of Medical Ethics, last updated in 2017). In this regard, the possibility of electoral advantage for Dr. Fero in addressing his patients on the basis of the relationship of trust created during the treatment process is highlighted.

4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, Regulation.

In light of the overall findings, the Authority believes that the statements, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act of initiation of the proceeding to be overcome and are therefore unsuitable to order the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

The processing of personal data carried out by Dr. Fero is in fact unlawful, in the terms set out above, as it was carried out in violation of the principles of "lawfulness, fairness and transparency", "purpose limitation", "integrity and confidentiality" (art. 5, par. 1, letters a), b) and f) of the Regulation) and in the absence of a suitable regulatory basis (art. 9 of the Regulation).

Finally, it is believed that the conditions set out in art. 17 of the Regulation of the Guarantor no. 1/2019 are met.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

Violation of arts. 5, par. 1, letters a), b) and f) and 9 of the Regulation entails the application of the administrative sanction provided for by art. 83, par. 5 of the Regulation.

The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose an administrative pecuniary sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data carried out by Dr. Thomas Fero, which was found to be unlawful, in the terms set out above.

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "if, in relation to the same processing or connected processing, a data controller […] infringes, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious infringement", the total amount of the sanction is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5.

In light of the above and, in particular, of the category of personal data affected by the breach which, by their nature, are particularly sensitive in terms of fundamental rights and freedoms, of the number of data subjects (500 patients) whose data were processed without obtaining consent for electoral purposes from the doctor to whom they had entrusted themselves for treatment purposes, it is believed that the level of severity of the breach committed by Dr. Fero is high (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, taking into account that the sanction must be "effective, proportionate and dissuasive in each individual case" (Article 83, paragraph 1 of the Regulation), it is represented that, in the case in question, the following circumstances were taken into account:

Dr. Fero processed the personal data of numerous patients (about 500) - acquired in the context of the relationship of trust aimed at providing care - for a personal advantage linked to his presentation in the elections of the Municipality of Sanremo in 2024 (Article 83, paragraph 2, letter k) of the Regulation);

the Guarantor became aware of the violation through a report and some press releases (Article 83, paragraph 2, letters b) and h) of the Regulation);

Dr. Fero is not the recipient of previous prescriptive or sanctioning measures by the Authority and has collaborated during the investigative activity in which he was involved (art. 83, par. 2, letters e) and f) of the Regulation).

It is also believed that the circumstance that Dr. Fero works as a general practitioner in the Municipality of Sanremo where the aforementioned elections took place is relevant in this specific case, due to the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (Article 83, paragraph 1 of the Regulation).

In light of the elements indicated above and the assessments carried out, it is believed, in this specific case, that the administrative sanction of the payment of a sum equal to Euro 10,000.00 (ten thousand/00) should be applied to Dr. Thomas Fero.

In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this chapter containing the injunction order should be published on the website of the Guarantor.

This is in consideration of the seriousness of the contested conduct, which involves the regulation on the protection of personal data and the ethical obligations which constitute a parameter of lawfulness of the processing pursuant to art. 9, par. 2, letter h) and par. 3 of the Regulation and art. 75 of the Code. For the same reasons, it is considered appropriate to transmit this provision to the Order of Surgeons and Dentists of Imperia with which Dr. Fero is registered.

GIVEN ALL THE ABOVE, THE GUARANTOR

DECLARES

a) pursuant to art. 57, par. 1, letter f) and 83 of the Regulation, the unlawfulness of the processing carried out by Dr. Thomas Fero, c.f. XX, registered with the Order of Surgeons and Dentists of Imperia, resident in XX, XX, in the terms set out in the grounds, for the violation of art. 5, par. 1, letters a), b) and f) and art. 9 of the Regulation;

ORDERS

b) pursuant to art. 58, par. 2, letter i) of the Regulation, Dr. Thomas Fero to pay the sum of Euro 10,000.00 (ten thousand/00) as an administrative pecuniary sanction for the violations indicated in this provision.

ORDERS

c) therefore to Dr. Thomas Fero to pay the aforementioned sum of Euro 10,000.00 (ten thousand/00), according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, the right of the offender to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below remains intact.

ORDERS

d) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

e) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the Authority's website;

f) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, par. 2 of the Regulation, in the internal register of the Authority provided for by art. 57, par. 1, letter u) of the Regulation;

g) the sending of this provision to the Order of Surgeons and Dentists of Imperia for assessments of competence.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, February 13, 2025

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE DEPUTY GENERAL SECRETARY
Filippi


- SEE ALSO NEWSLETTER OF MARCH 21, 2025

 

[web doc. no. 10107246]

Provision of February 13, 2025

Register of provisions
no. 82 of February 13, 2025

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY'S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi Deputy Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003 (Personal Data Protection Code, hereinafter the “Code”) as amended by Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679”;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Attorney Guido Scorza;

WHEREAS

1. The preliminary investigation.

The Office has learned from a report and some press reports that Dr. Thomas Fero, a general practitioner, registered with the Order of Surgeons and Dentists of Imperia, allegedly sent an electoral message via email, on the occasion of the municipal elections of Sanremo on 8-9 June 2024, to his patients (all entered in the recipient field) along the following lines: "I am sending you this email to inform you of my candidacy as a municipal councilor in the upcoming elections of 8-9 June in Sanremo" "I am putting my experience at the service of our city because Sanremo deserves more! Support me with your vote and also ask your relatives, friends and acquaintances to make an X on the "Andiamo" symbol and write Fero".

With regard to the above, the Office requested information with a note dated 23 May 2024 (prot. no. 62877) to which Dr. Fero responded with a note dated June 5, 2024, stating, in particular, that:

“The email addresses collected by the study are the result of communications sent directly to Dr. Fero by patients or collected in the study by the same for the purpose of requesting information or medical assistance, the study’s email address being visible on headed paper”;

"The legal basis for sending communications by email is based on explicit consent pursuant to art. 6 of the GDPR, acquired through information submitted via a dedicated, unflagged field. This was necessary because the patients themselves often contact the practice by email to obtain information, appointments or brief consultations for problems that can be resolved quickly or to send prescriptions in digital format and at the same time allows the medical practice to use a rapid communication tool regarding service times or any periods of absence or in the event of disruptions for any reason. In any case, special health data are not sent by email to any supplier with the exception of those already present in the SSN systems and the so-called electronic health record";

“On the communication to email addresses in copy: it should be noted that the email addresses of the recipients are free accounts where no particular certification is required regarding the identity of the subscribers by the service providers. In fact, some addresses appear in the form of pseudonyms or accounts created with purely fictitious names or references. It follows that, although they are visible to the recipients, they cannot be traced back with certainty to the recipients, appearing in fact pseudo-anonymized”;

“With regard to the number of recipients to whom the communication was sent, it is indicatively around five hundred addresses”.

With reference to this investigation, Dr. Fero submitted a request for access to administrative documents with a note dated 30 May 2024 which was accepted with a provision dated 19 June 2024.

2. The notification of violations and the defensive briefs.

In relation to what emerged in the documents, the Office, with a note dated 16 July 2024 (prot. no. 87367), sent a notification of violation pursuant to art. 166, paragraph 5, of the Code to Dr. Thomas Fero as it was found that the processing of personal data in question was carried out in a manner that did not comply with the principles of “lawfulness, fairness and transparency”, “purpose limitation”, “integrity and confidentiality” (art. 5, par. 1, letters a), b) and f) of the Regulation), as well as in the absence of a suitable regulatory basis (art. 9 of the Regulation).

With a note dated 18 August 2024, Dr. Thomas Fero presented his defence briefs, reiterating what had already been stated in the aforementioned note of 5 June 2024 and highlighting, with specific reference to the case in question, in particular, that:

“the duration of the alleged violation must be considered to be instantaneous execution since only one newsletter of the contested content was sent”;

“the malicious nature of the newsletter sent must be considered excluded; rather, it must be traced back to simple carelessness of a culpable nature”, “albeit a human carelessness, for having sent the newsletter via a practice account with pseudo-anonymized email addresses, for information purposes, visible to the recipients, also considering the poor knowledge of the subject given the profession practised”; “The Medical Association has never provided any training course dedicated to the methods of processing patients’ personal data according to the provisions of the GDPR”;

“Among the purposes of processing reported in the information notice submitted to the patients of the practice we read: Promotional activities, Information via telematic means, Newsletter”;

in light of what was learned on the basis of the aforementioned request for access to the case file, “No patient of Dr. Fero's office has ever complained of any violation regarding the way in which their personal data was processed”.

3. The outcome of the investigation.

Having taken note of what is represented in the documentation in the files and in the defense briefs, it is noted that:

pursuant to the Regulation, “personal data” means “any information relating to an identified or identifiable natural person (“data subject”)”; “data relating to health” are those relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health (Article 4, paragraph 1, points 1 and 15). Recital no. 35 of the Regulation then specifies that data relating to health “include information about the natural person collected in the course of his or her registration for the purpose of receiving health care services”; “a number, symbol or specific element attributed to a natural person to uniquely identify him or her for health purposes”;

the Court of Cassation held that "the very fact of communicating the need for medical treatment and, therefore, the existence of a 'disease' in a broad sense - understood therefore as a situation that makes medical treatment necessary - concerns health data: that is, for this purpose, it is not necessary to specify which treatment or which disease it is" (judgment no. 28417/2023);

lastly, with reference to the concept of health data, the CJEU also held that “the information entered by customers (such as their name, delivery address and the elements necessary to identify the medicinal products) when ordering online medicinal products reserved for pharmacies, even if the sale of the latter is not subject to a medical prescription, constitutes health data within the meaning of the GDPR. In fact, such data are capable of revealing, through an intellectual operation of comparison or deduction, information on the state of health of an identified or identifiable natural person, because a link is established between the latter and a medicinal product, its therapeutic indications or its uses, regardless of whether such information concerns the customer or any other person for whom the latter places the order. Therefore, it is irrelevant that, in the absence of a medical prescription, it is only with a certain probability, and not with absolute certainty, that such medicinal products are intended for the customers who ordered them” (see press release of the Court of Justice of the European Union no. 159/24, in relation to the judgment of 4 October 2024, in case C-21/23);

Patients' email addresses must be classified as personal data and, in particular, as health data, since they are contact data of a directly or indirectly identifiable patient (on the email address falling within the notion of personal data see, among others, the provisions of the Guarantor of 9 January 2020, no. 1, web doc. no. 9261234; of 13 May 2021, no. 206, web doc. no. 9688020; of 16 September 2021, no. 328, web doc. no. 9722297; of 28 April 2022, no. 164, web doc. no. 9779057; of 7 July 2022, no. 242, web doc. no. 9809998; of 11 January 2023, no. 7, web doc. no. 9861356; of 18 July 2023, no. 316, web doc. no. 9935484; of 23 May 2024, no. 306, web doc. no. 10037439);

personal data must be “processed lawfully, fairly and transparently” and “collected for specific, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes” (principles of “lawfulness, fairness and transparency” and “purpose limitation”, art. 5, par. 1, letters a) and b) of the Regulation);

The Guarantor has long outlined a precise framework of guarantees and obligations that parties, political bodies, supporters of lists and candidates must observe in order to correctly collect and use the personal data of citizens they intend to contact for communication and electoral propaganda purposes (see most recently the provision of 18 April 2019, web doc. no. 9105201). In this provision, it was recalled, in particular, that personal data collected in the context of health protection activities by healthcare professionals and healthcare bodies cannot be used for electoral propaganda and related political communication purposes. This purpose cannot in fact be traced back to the legitimate purposes for which the data were collected (art. 5, par. 1, letters a) and b) of the Regulation), unless the controller acquires specific and informed consent from the interested party (art. 9, par. 1, letter a); see, with regard to the healthcare sector, the provision of 7 March 2019, web doc. no. 9091942, in particular, par. 1, point d);

Dr. Fero, as stated above, considered that the legal basis for the data processing in question is to be found in the consent of the data subject given on the basis of the information notice on file. On this point, it should be noted that the consents acquired in light of the aforementioned information notice cannot constitute a suitable legal basis for the lawful use of patients' email addresses by Dr. Fero for electoral propaganda purposes, as this purpose is not expressly indicated in the aforementioned information notice nor in any of the multiple consent options provided for therein. As recalled in the provisions cited above, in fact, the processing of personal data for electoral propaganda purposes and related political communication could be carried out by Dr. Fero, in his capacity as data controller, only if he had acquired specific and informed consent from all 500 patients to whom the aforementioned email was sent; consent which - as mentioned above - cannot be traced back to those indicated in the documents on file (art. 9, par. 1, letter a) of the Regulation; see, with regard to the healthcare sector, the provision of 7 March 2019, web doc. no. 9091942, in particular, par. 1, point d)). On this point, it should be noted that in the documentation on file Dr. Fero himself highlights that the patients' e-mail addresses had been provided by them because they were "aimed at requesting information or medical assistance" and therefore not also for electoral propaganda purposes;

in particular, it should be noted that the consent acquired by Dr. Fero cannot be considered valid for the activities indicated in the information notice, relating to: "Promotional activities, Information via telematic means, Newsletter"; this is because the electoral propaganda activity carried out by Dr. Fero, aimed at gaining the trust of voters and convincing them to give him their vote in the 2024 municipal elections of Sanremo, cannot be equated, as instead claimed by Dr. Fero himself, to sending a newsletter; in fact, this latter activity refers exclusively to a systematic communication sent to those registered for the service to update them on news in a specific sector. Moreover, pursuant to the Code of Medical Ethics, "The doctor's health information advertising" can have "as its object exclusively the professional titles and specialisations, the professional activity, the characteristics of the service offered and the fee relating to the services" (art. 56 of the Code of Medical Ethics of 2014, last updated in 2017);

personal data must be “processed in a manner that ensures appropriate security (…), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘integrity and confidentiality’) using appropriate technical or organisational measures” (Article 5, paragraph 1, letter f) of the Regulation);

sending a communication via a single email message addressed to a large number of recipients (500), whose addresses were entered in the carbon copy (cc) field instead of the blind carbon copy (bcc) field, has, in fact, without justified reason and in the absence of any regulatory basis, revealed to each of the recipients involved the status of patient of all the other recipients;

with specific reference to the circumstance that Dr. Fero pleads on file “the lack of knowledge of the subject given the profession practised” and that “The Medical Association has never provided any training course dedicated to the methods of processing patients’ personal data according to the provisions of the GDPR”, it is highlighted that this aspect does not constitute an exemption, since Dr. Fero, as data controller and in relation to the exercise of his activity as a doctor, is required, with ordinary diligence, to know and observe the rules applicable to the processing of personal data, as well as their interpretation; this, moreover, considering also that the principles underlying the violated provisions have been in force since 1998 and that the Authority has intervened on the issue with many provisions starting from 2001 (see, ex multis, the Decalogue for the use of data by political parties and movements in electoral propaganda of 7 March 2001, web doc. no. 663323, and the Electoral Decalogue of 12 February 2004, web doc. no. 634369);

the Regulation, in setting the parameters of lawfulness of the processing carried out by healthcare professionals, refers to professional secrecy and to compliance with the sector rules established by the competent healthcare bodies, among which the Code of Medical Ethics can be included (art. 9, par. 2, letter h) and par. 3 of the Regulation and art. 75 of the Code). The aforementioned Code of Medical Ethics, in addition to the above, provides that "In no case may the doctor abuse his/her professional status" and that "the doctor must avoid any conflict of interest in which professional conduct is subordinated to undue economic or other advantages" (articles 7 and 30 of the 2014 Code of Medical Ethics, last updated in 2017). In this regard, the possibility of an electoral advantage for Dr. Fero in addressing his patients on the basis of the relationship of trust created during the treatment process is highlighted.

4. Conclusions: declaration of unlawfulness of processing. Corrective measures pursuant to art. 58, par. 2, Regulation.

In light of the overall findings, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act initiating the procedure to be overcome and are therefore unsuitable for ordering the dismissal of this proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

The processing of personal data carried out by Dr. Fero, in fact, is unlawful, in the terms set out above, as it is implemented in violation of the principles of "lawfulness, fairness and transparency", "purpose limitation", "integrity and confidentiality" (Article 5, paragraph 1, letters a), b) and f) of the Regulation) and in the absence of a suitable regulatory basis (Article 9 of the Regulation).

Finally, it is believed that the conditions set out in Article 17 of the Regulation of the Guarantor no. 1/2019 are met.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; Article 166, paragraph 7, of the Code).

Violation of Articles 5, paragraph 1, letters a), b) and f) and 9 of the Regulation entails the application of the administrative sanction provided for by Article 83, par. 5 of the Regulation.

The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose the pecuniary administrative sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18 of Law no. 689 of 24 November 1981), in relation to the processing of personal data carried out by Dr. Thomas Fero, which has been found to be unlawful, in the terms set out above.

Having deemed it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "if, in relation to the same or linked processing, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement", the total amount of the fine is calculated so as not to exceed the maximum amount set out in the same art. 83, par. 5.

In light of the above and, in particular, of the category of personal data affected by the infringement, which by their nature are particularly sensitive in terms of fundamental rights and freedoms, and of the number of data subjects (500 patients) whose data were processed for electoral purposes, without their consent, by the doctor to whom they had entrusted themselves for treatment, it is believed that the level of severity of the infringement committed by Dr. Fero is high (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, taking into account that the sanction must be “in each individual case effective, proportionate and dissuasive” (art. 83, par. 1 of the Regulation), it is represented that, in the case in question, the circumstances reported below were taken into account:

Dr. Fero processed the personal data of numerous patients (about 500) - acquired in the context of the relationship of trust aimed at providing care - for a personal advantage linked to his presentation in the elections of the Municipality of Sanremo in 2024 (art. 83, par. 2, letter k) of the Regulation);

the Guarantor became aware of the violation through a report and some press releases (Article 83, paragraph 2, letters b) and h) of the Regulation);

Dr. Fero is not the recipient of previous prescriptive or sanctioning measures by the Authority and has collaborated during the investigative activity in which he was involved (Article 83, paragraph 2, letters e) and f) of the Regulation).

It is also believed that the circumstance that Dr. Fero works as a general practitioner in the Municipality of Sanremo where the aforementioned electoral consultations took place is relevant in this specific case, by virtue of the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (Article 83, paragraph 1 of the Regulation).

In light of the elements indicated above and the assessments carried out, it is believed that, in this specific case, the administrative sanction of the payment of a sum equal to Euro 10,000.00 (ten thousand/00) should be applied to Dr. Thomas Fero.

In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor n. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor.

This is in consideration of the seriousness of the contested conduct which involves the regulation on the protection of personal data and the ethical obligations which constitute a parameter of lawfulness of the processing pursuant to art. 9, paragraph 2, letter h) and paragraph 3 of the Regulation and art. 75 of the Code. For the same reasons, it is considered appropriate to transmit this provision to the Order of Surgeons and Dentists of Imperia to which Dr. Fero is registered.

NOW, CONSIDERING ALL THE ABOVE, THE GUARANTOR

a) pursuant to articles 57, par. 1, letter f) and 83 of the Regulation, finds the unlawfulness of the processing carried out by Dr. Thomas Fero, tax code XX, registered with the Order of Surgeons and Dentists of Imperia, resident in XX, XX in the terms set out in the reasons, for the violation of art. 5, par. 1, letters a), b) and f) and art. 9 of the Regulation;

ORDERS  

b) pursuant to art. 58, par. 2, letter i) of the Regulation to Dr. Thomas Fero to pay the sum of Euro 10,000.00 (ten thousand/00) as an administrative pecuniary sanction for the violations indicated in this provision.

ORDERS

c) therefore to Dr. Thomas Fero to pay the aforementioned sum of Euro 10,000.00 (ten thousand/00), according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying - again according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.

ORDERS

d) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

e) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Guarantor Regulation no. 1/2019, the publication of this provision on the Authority's website;

f) pursuant to art. 17 of the Guarantor Regulation no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation;

g) the sending of this provision to the Order of Surgeons and Dentists of Imperia for assessments of competence.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, February 13, 2025

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE VICE SECRETARY GENERAL
Filippi
1. CJEU, C-21/23, Lindenapotheke, judgment of 4 October 2024.