Garante per la protezione dei dati personali (Italy) - 10112709

| Garante per la protezione dei dati personali - 10112709 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 6(1)(c) GDPR; Article 6(1)(e) GDPR; Article 9(2)(b) GDPR; Art. 2-ter d. lgs. 196/2003; Art. 2-sexies d. lgs. 196/2003 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 30.01.2025 |
| Published: | |
| Fine: | 6000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 10112709 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | GDPD (in IT) |
| Initial Contributor: | Paolo Cucchi |
The DPA fined a hospital €6,000 for unlawfully disclosing employees' health data by sending it to a shared email account.
English Summary
Facts
An employee (the data subject) of a hospital (the controller) worked in the controller's DPO office. She received an email from the personnel office containing information about her own vaccination status (vaccination completed) and about the suspension from service of another employee for failure to vaccinate. The email was sent to the shared email address of the DPO office, to which the manager, the complainant and the other employee all had access. As a result, both employees became aware of each other's vaccination status, even though neither was authorised to access the other's data.
The data subject filed a complaint.
Holding
The DPA concluded that despite the controller's intention to avoid misdelivery and the urgency of the situation, using the shared email box for this communication constituted an unlawful disclosure of personal data, including health data.
Employees' personal data must only be made available to those who need to process it for the purposes of their assigned tasks and specific role within the organisation. Making data available – by sending it to a functional email address – to individuals who are part of the organisation but who do not need to know the information may constitute unlawful ‘communication’ of personal data, as it lacks a suitable legal basis.
Comment
The DPA is firm in its position that it is the employer's responsibility to prevent unjustified access to employee personal data by colleagues or third parties who are not authorised on the basis of their roles. Sharing data with those not authorised constitutes a communication without a legal basis, even within the organisation.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
Provision of 30 January 2025
Register of Provisions no. 35 of 30 January 2025

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

In today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree 30 June 2003, no. 196, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC” (hereinafter the “Code”);

CONSIDERING Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Data Protection Authority no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur Prof. Pasquale Stanzione;

WHEREAS

1. Introduction.

With a complaint submitted pursuant to art. 77 of the Regulation, Ms XX complained of having received, on XX, an e-mail, sent to the dpo@cittadellasalute.to.it mailbox from the personnel office of the Hospital – University Città della Salute e della Scienza of Turin (hereinafter “Hospital Company”), containing information on her vaccination status (vaccination) and on the suspension from service, due to failure to vaccinate, of another employee. According to what has been reported, in addition to the Data Protection Officer, the complainant and the other employee to whom the information refers, both assigned, for service reasons, to the office of the Data Protection Officer (hereinafter “RPD”), accessed this email box, thus making them mutually informed of each other's vaccination status.

2. The investigation activity.

In response to a request for information from the Authority (see note prot. no. XX of XX) with note of XX (prot. no. XX) the Hospital Trust declared, in particular, that: “on the basis of the legislation in force at the time of the facts “on the date of XX the employees in service [had to be] necessarily in compliance with the vaccination obligation since, in the event of exemption, the Multidisciplinary Commission set up ad hoc had not found physical spaces in the Trust provided with safety conditions such as to exclude the risk of spreading the infection”; “with regard to the conditions of lawfulness and the purposes of processing data relating to the application of the vaccination obligation, it is highlighted that Legislative Decree 26 November 2021, no. 172 assigned to the Employer the procedure for verifying compliance with the vaccination obligation for all personnel who carry out their work activity in any capacity "in the facilities referred to in art. 8-ter of Legislative Decree no. 502/1992" […]; "the extension to the personnel referred to in art. 4-ter of Legislative Decree no. 44/2021 has placed the company in a position to ascertain any failure to comply by acquiring the necessary information "also according to the methods defined with the Prime Ministerial Decree referred to in art. 9 paragraph 10 of Legislative Decree no. 52/2021" (the procedure in this regard was established with a regulation approved by resolution no. 1542 of 14.12.2021 which invested the Personnel Office with the material performance of all administrative procedures for managing the related practices)"; “the coordinator in charge of work organization has the right to be informed about the suspension from service or otherwise of his collaborators, and in particular - noting their absence from service - to know whether it is a suspension without pay for failure to comply with the vaccination obligation or whether instead it concerns subjects referred to in paragraphs 2 and 7 of art. 4 of Legislative Decree no. 44/2021, i.e. those for whom vaccination is omitted or postponed due to proven danger to health (for whom it is expected that they will be assigned to even different tasks in order to avoid the risk of spreading the infection, such as smart working)”; “the XX email address does not correspond to a PEC but is an address shared with the two members of the DPO Office, as required by the Guidelines of the Guarantor for electronic mail and internet of 1 March 2007, for the purpose of monitoring mail directed to the Data Protection Officer, even in the event of his temporary absence, and is the contact information indicated in the company information”; “on that occasion, the situation of the presence/absences of the two employees was sent to the email address of the Office of the Data Protection Officer precisely in order to avoid the risk, using the nominative company email address, of sending the information to the employee with the same name as the DPO, since it was not clear to the sender at that time whether to use the address “XX” or “XX” instead, nor was it easy to verify with the interested party, given the time the email was sent (around 7:30 p.m.). The time of sending was determined by the need to ensure that the coordinator of the two resources was aware of their situation, in order to comply with the regulatory provision with particular regard to the verification of the ban on accessing the workplace the following day by the suspended employees”; "the two employees who have access to this mailbox were authorized to know the communications related to the disengagement of service activities, however, with regard to the information contained in the email in question, it does not appear that their accidental reading has brought to light situations that were unknown to each other, given the context described above. It should also be added that the probability that Ms. XX's colleague could have viewed the email was quite low because, being suspended from service, he had no duty to consult company mail".

With note of XX (prot. no. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the investigative activity, notified the Hospital Trust, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, for having communicated personal data relating to the vaccination status of workers in the absence of an appropriate legal basis, in violation of articles 5, 6 and 9 of the Regulation, as well as 2-ter and 2-sexies of the Code. With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of law 24 November 1981, no. 689).

With a note of XX (prot. no. XX), the Hospital Trust, which did not request to be heard, submitted a defense brief, declaring, in particular, that: “this is an alleged violation of personal data that occurred in the context of the control and verification activity of the vaccination obligation as provided for by Legislative Decree 26 November 2021, no. 172 which assigned the Employer the procedure for verifying compliance with the vaccination obligation by workers”; “in the undersigned Company, this procedure was governed by regulation, approved with resolution no. XX of XX, which assigned to the Personnel Office all administrative tasks for the management of the related practices”; “the event is attributable to the sending of an email on XX aimed at providing the DPO, to whom it was addressed, with the necessary information for organizational purposes regarding the observed absence from service of the two resources assigned to the office”; “the content [of the email] is extremely brief and does not provide any indication of the type of vaccination of the employee, nor the reason for the suspension of the other colleague, nor is there any specific reference to COVID”; “the text of the email does not contain any other particular personal data relating to the interested parties. This is a single and isolated event that involved only the two subjects belonging to the alias in addition to the DPO himself. The duration of the alleged violation can be said to be limited, in fact it is an incident of instantaneous formation that did not continue over time. With regard to the severity of the same, no harmful events are known towards the interested parties attributable to the communication of the data in question”; “with regard to the subjective element that determined the conduct in question, it is believed, following the investigation carried out, that the alleged violation is the result of an absolutely accidental and involuntary behavior, attributable to a mere error of the sender who, not having found the Data Protection Officer on the phone, provided the due communication to the email address: dpo@cittadellasalute.to.it, believing in good faith that there were no other users authorized to access the email”; “in order to avoid undue dissemination of data, with resolution no. XX of XX […] the AOU Città della Salute e della Scienza of Turin, implementing the provisions of Legislative Decree no. 127, has defined the company procedural guidelines for the application of art. 1 of Legislative Decree no. 127/2021 in relation to the obligations of the employer and with subsequent resolution no. XX of XX […], among other things, the Personnel Office was assigned the task of carrying out all administrative procedures for the management of the related practices”; “the life cycle of the processing, as can be seen from the procedures mentioned above, has been defined in such a way as to minimize the risk of improper dissemination/communication of information and also provides for the use of a dedicated email address: domandadl44@cittadellasalute.to.it which can only be accessed by authorized personnel belonging to the Office that manages the procedures in question”; “subsequent to the event that occurred, the undersigned Company approved and published on the company Intranet the form for requesting new company email addresses […], called "Aliases" (distribution lists that deliver emails directly to the mailboxes of users identified by the Structure Managers) in order to optimize the management of incoming correspondence intended for a Structure/Office”; “the aforementioned form attributes to the Director of the requesting Structure the responsibility for the correct use of this tool, in particular, by signing the form, the same certifies that he has previously instructed and authorized all users connected to the email address in question to process personal data”; “as a further integration of the instructions reported on the form and the operational ones, already available on the company intranet, further instructions are also being prepared aimed at better clarifying to users the methods of correct use of the Aliases precisely in consideration of the possible sharing of said tool by several employees”; “it is necessary to take into account, as a mitigating factor, the workload attributable to the activity of verification and control of compliance with the vaccination obligation required by the legislation and that the Personnel Office dedicated to this task has had to carry out”; “in fact, since the third wave of the COVID epidemic was underway in those days, it represented a serious risk not to proceed with the timely suspension of unvaccinated subjects in compliance with the legislation, both in order to protect the health of the unvaccinated staff involved, and to take every precaution to avoid possible outbreaks within the hospital structure”; “as denoted by the time the email was sent to the DPO address, the tasks in this regard continued until late evening, and also considering the subsequent Christmas holidays, it was urgent to provide an answer to the information requested by the Data Protection Officer”; “for this reason, the communication was made via email (instead of replying the following day by telephone) using the email address of the Office of the Data Protection Officer precisely in order to avoid the risk, using the nominative company email address, of sending the information to the employee of the same name as the DPO”; “the name of the email address used: dpo@cittadellasalute.to.it is not in itself attributable to a plurality of subjects and in fact, in perfect good faith, the sender decided to address exclusively the DPO as can be understood from the overall content of the letter”.

3. Outcome of the investigation.

3.1 The lawfulness of the processing.

Following the investigation, it emerged that, as part of the obligations aimed at verifying the vaccination obligations of the staff in service, in the context of the organization of shifts by the Hospital Trust, an email was sent by the Personnel Office, which contained personal data of the complainant and another employee, to the email address dpo@cittadellasalute.to.it, to which the staff assigned to the organizational unit of the RPD had access. As a result of the aforementioned sending, the DPO and the employees who collaborated with him (the complainant and the colleague to whom the data referred) thus became mutually aware of each other's vaccination status.

The personal data protection regulation provides that public bodies, within the context of the work environment, can process the personal data of the interested parties, including those relating to particular categories, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks provided for by law or by the law of the Union or of the Member States (Articles 6, paragraph 1, letter c), 9, paragraph 2, letter b) and 4 and 88 of the Regulation). The processing is also lawful when it is "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" (Article 6, paragraphs 1, letter e), 2 and 3, and Article 9, paragraph 2, letter g), of the Regulation; art. 2-ter of the Code and art. 2-sexies, paragraph 1, of the Code). European legislation provides that “Member States may maintain or introduce more specific provisions to adapt the application of the rules of […] Regulation with regard to processing, in accordance with paragraph 1, letters c) and e), by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing […]” (art. 6, par. 2, of the Regulation). The employer, data controller, is, in any case, required to comply with the general principles on the protection of personal data (art. 5 of the Regulation) and must process the data through “authorized” and “trained” personnel regarding access to and processing of data (arts. 4, point 10), 29, and 32, par. 4, of the Regulation).

3.2. The communication of personal data relating to the vaccination status of employees and the consequent suspension from service.

In general, since 2007 the Guarantor has clarified that the administration must adopt technical and organizational measures to prevent the unjustified knowledge of personal data of its employees by other colleagues or third parties, in order to avoid the undue circulation of personal information - in this case concerning particularly sensitive information such as the vaccination status of the worker or the adoption of disciplinary measures such as suspension from service - not only externally, but also within the work contexts by unauthorized persons (see, points 2, 4, 5.1 and 5.3 of the "Guidelines on the processing of personal data of workers for purposes of managing the employment relationship in the public sector", of 14 June 2007, published in the Official Journal of 13 July 2007, no. 161, and in www.garanteprivacy.it, web doc. no. 1417809). In this regard, according to the consolidated orientation of the Guarantor (see, already provisions of 18 October 2012, no. 296, web doc. no. 2174351 and no. 297, web doc. no. 2174582, as well as provision of 8 May 2013, no. 232, web doc. no. 2501216, provision of 3 October 2013, no. 431, web doc. 2747867 and provision of 31 July 2014, no. 392 web doc. no. 3399423), recently confirmed in numerous provisions on individual cases, the personal data of employees processed for the purposes of managing the employment relationship cannot, as a rule, be disclosed to persons other than those who are part of the specific employment relationship (see definitions of "personal data" and "data subject", contained in art. 4, par. 1, no. 1, of the Regulation), or those who - also taking into account the definition of "third party", contained in art. 4, par. 1, no. 10, of the Regulation - are not entitled to process them by virtue of the tasks assigned and the organizational choices of the data controller; this also with reference to the correct management of communications between offices and staff in the emergency context (see, among many, most recently, provision no. 606 of 26 September 2024, web doc 10068155; but see also provision no. 223 of 1 June 2023, web doc 9916798, provision no. 322 of 16 September 2021, web doc no. 9711517 and provisions cited therein). This is because, as confirmed by the Guarantor, even making data available to subjects who, even if they are part of the organization of the data controller, due to the role performed and the functions performed, cannot be considered "authorized" to process (see Articles 4, no. 10, 28, paragraph 3, letter b), 29 and 32, paragraph 4, of the Regulation, as well as Article 2-quaterdecies of the Code), may give rise to a communication of personal data in the absence of a legal basis.

It is necessary to take into account, in general, the particular context that provides the backdrop to the facts in question following the provision of the anti-Sars-cov-2 vaccination as an "essential requirement for the exercise of the profession and for the performance of work performances" which was envisaged, initially, for health professions and health care workers pursuant to Article 4 of Legislative Decree 1 April 2021, no. 44 (converted into law no. 76 of 28 May 2021 - Urgent measures to contain the COVID-19 epidemic, in terms of Sars-cov-2 vaccinations, justice and public competitions) in order to protect public health and maintain adequate conditions of safety at work and in the provision of care and assistance services. As is known and as also recalled by the Hospital Trust, this provision was followed by the sector legislation applicable to the case in question (Legislative Decree no. 172 of 26 November 2021, "Urgent measures to contain the COVID-19 epidemic and to carry out economic and social activities safely") which introduced art. 4-ter in Legislative Decree no. 44 of 2021, providing, also for the administrative staff of healthcare facilities (who in any capacity carried out their work activity "in the facilities referred to in art. 8-ter of Legislative Decree no. 502/1992"), as already established for medical staff, that the anti-Sars-cov-2 vaccination, starting from XX, constituted an "essential requirement for carrying out work activities". The aforementioned decree law also provided that checks regarding compliance with the vaccination obligation were to be entrusted, respectively, to employers or to the managers of the institutions where these categories of interested parties worked. The above-mentioned provisions - currently no longer in force due to subsequent regulatory interventions (see most recently, Legislative Decree 31 October 2022, no. 162) - constituted, from the point of view of data protection, the scope of processing permitted, respectively, to employers and other institutional bodies involved, as well as the legal basis in accordance with the Regulation, establishing, in particular, that the communication of the worker's suspension from service, in the event of failure to undergo vaccination, was carried out exclusively with respect to the interested party (see art. 4-ter, paragraph 3, of Legislative Decree 44 of 2021: "In the event of failure to submit the documentation referred to in the second and third periods, the subjects referred to in paragraph 2 shall ascertain the non-compliance with the vaccination obligation and shall immediately notify the interested party in writing").

The legislator had therefore introduced a complex system for verifying the professional requirement for these categories of workers, which involved various institutional entities, and provided for data flows between them, as well as the consequences, including suspension from the exercise of the profession and from any employment relationship, for the worker lacking the aforementioned requirement. The processing of personal data necessary for verifying the aforementioned professional requirement, therefore, had to be carried out in strict compliance with the limits and conditions set out in this legislative framework of reference which constituted its legal basis and defined, uniformly at national level, the scope of processing permitted to each of the aforementioned entities (articles 5 and 6, paragraph 2, letters b) and g), of the Regulation and art. 2-sexies of the Code; as highlighted in numerous provisions of the Guarantor during the emergency period and, in particular, in the opinions issued on the subsequent provisions implementing the aforementioned framework; see, among many, provision 13 December 2021, no. 430, web doc. no. 9727220).

Having said this, with regard to the case in question, it appears that - although the communication in question was made for the sole purpose of avoiding a possible error in sending "to the employee of the same name of the DPO" in the urgency of making such a communication in the pre-holiday period - the solution actually adopted, using the shared email address dpo@cittadellasalute.to.it to provide the Office Manager with the necessary information on the organizational plan and on the presence in service of the staff during the Christmas period, has in any case determined an illicit communication of personal data by making the complainant and the other colleague mutually aware of each other's vaccination status. Therefore, without prejudice to the need for the head of the organizational unit to know the aforementioned information relating to his collaborators, i.e. the complainant and the other employee concerned (arg. pursuant to art. 4-ter, paragraph 2, Legislative Decree 44 of 2021), it must be considered that, since both interested parties had access to the same shared email account (dpo@cittadellasalute.to.it), each of them, as a result of the aforementioned sending, was made aware of the vaccination status of the other as well as other personal information connected to the specific employment relationship with the Hospital Trust, in particular, the vaccination of the complainant and the failure to vaccinate and the consequent suspension from service of the other colleague.

In light of the foregoing considerations, this behavior, although isolated and occurring in the run-up to the Christmas holidays, led to a communication of data, including health data, of the complainant, with reference, in particular, to the communication of the date on which she had undergone vaccination against Sars-cov-2 (according to the definition of art. 4, paragraph 1, no. 15 of the Regulation); this communication also concerned personal data relating to the failure to vaccinate, with consequent suspension from service, of the other employee. In light of the foregoing considerations, the Hospital Trust, which processed personal data through authorized personnel only within the framework of the aforementioned sector regulations in force at the time, however, despite mistakenly believing it was adopting the preferable solution in the reference context, gave rise to a communication of personal data, including health data, in an unjustified manner, in favor of subjects who were not mutually authorized to process them, in the absence of an appropriate legal basis, in violation of articles 5, 6 and 9 of the Regulation, as well as 2-ter and 2-sexies of the Code.

4. Conclusions.

In light of the assessments referred to above, it is noted that the declarations made by the data controller during the investigation - the truthfulness of which may be held accountable pursuant to art. 168 of the Code - although worthy of consideration, do not allow the findings notified by the Office with the act initiating the procedure to be overcome and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply. Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Hospital Trust is noted for having communicated information also relating to the health of the complainant, with reference, in particular, to the communication of the date on which she had undergone the anti-Sars-cov-2 vaccination (according to the definition of art. 4, paragraph 1, no. 15 of the Regulation), as well as personal data relating to the failure to vaccinate, with consequent suspension from service, of the other employee, in violation of arts. 5, 6 and 9 of the Regulation, as well as 2-ter and 2-sexies of the Code.

Taking into account that the violation of the aforementioned provisions occurred as a result of a single conduct (same treatment or treatments linked to each other), art. 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violations, relating to arts. 5, 6 and 9 of the Regulation, as well as 2-ter and 2-sexies of the Code, are subject to the sanction provided for by art. 83, par. 5, of the Regulation, as also referred to in art. 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to €20,000,000.

In this context, considering, in any case, that the conduct has exhausted its effects, taking into account the assurances provided by the Hospital Trust regarding the organizational measures subsequently adopted, aimed at preventing similar situations from occurring in the future, the conditions for the adoption of further corrective measures referred to in art. 58, par. 2, of the Regulation do not exist.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to arts. 58, par. 2, letter i) and 83 of the Regulation as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019). In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation. The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for in art. 83, par. 2, of the Regulation.

Taking into account that: with specific regard to the nature, severity and duration of the violation, it should be highlighted that the communication occurred in reference to the data of only two interested parties and, even if due to human error, the communication determined the mutual knowledge of the vaccination status (art. 83, par. 2, letter a), of the Regulation); with specific regard to the subjective profile, the violation was carried out, due to an error of assessment, for the sole purpose of avoiding the risk of sending "to the employee of the DPO with the same name" in the urgency of making such communication in the pre-holiday period and to provide the Office manager with the necessary information (art. 83, par. 2, letter b), of the Regulation); the processing also involved data belonging to the special categories referred to in art. 9 of the Regulation, in particular, with reference to the vaccination having taken place as a health service (see art. 83, par. 2, letter g), of the Regulation), it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).

That said, it is believed that, for the purposes of quantifying the sanction, the following circumstances must be taken into consideration: the hospital offered good cooperation with the Authority during the investigation (art. 83, par. 2, letter f), of the Regulation); there are some previous violations of some provisions of the Regulation and of the Code, albeit in a different data processing context (see art. 83, par. 2, letter e), of the Regulation); the violation, which however represented an isolated case, occurred in a period characterised by numerous difficulties for hospital companies on an organisational level, connected to the problems of the emergency period characterised by the spread of the Sars-cov-2 virus (art. 83, par. 2, letter k), of the Regulation).

In light of the above elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of Euro 6,000 (six thousand) for the violation of Articles 5, 6 and 9 of the Regulation, as well as 2-ter and 2-sexies of the Code, as an administrative pecuniary sanction deemed, pursuant to Article 83, paragraph 1, of the Regulation, to be effective, proportionate and dissuasive. It is also deemed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the Guarantor's website. This is in consideration of the fact that sensitive information has been communicated regarding the vaccination status of two workers which has led to the circulation, in the workplace, also of personal data relating to particular categories. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the Hospital Trust for violation of arts. 5, 6 and 9 of the Regulation, as well as 2-ter and 2-sexies of the Code, in the terms set out in the reasons;

ORDERS the Hospital Trust - University City of Health and Science of Turin, in the person of its legal representative pro-tempore, with registered office in C.so Bramante 88 - 10126 Turin (TO), C.F. 10771180014, to pay the sum of 6,000 (six thousand) euros as an administrative pecuniary sanction for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS the aforementioned Hospital Trust, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 6,000 (six thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive actions pursuant to art. 27 of Law no. 689/1981;

ORDERS
- pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;
- pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Guarantor Regulation no. 1/2019, the publication of this provision on the Authority's website;
- pursuant to art. 17 of the Guarantor Regulation no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, January 30, 2025
