Garante per la protezione dei dati personali (Italy) - 9361186

From GDPRhub
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Garante per la protezione dei dati personali - 9361186
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(2) GDPR
Article 6(3) GDPR
Article 58(2)(i) GDPR
Article 83(3) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 05.03.2020
Published:
Fine: 3000 EUR
Parties: Comune di San Giorgio Jonico
National Case Number/Name: 9361186
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: n/a

The Italian DPA issued a fine of €3000 against the Municipality of San Giorgio Jonico for unlawfully disclosing personal data regarding the complainant on its website. The Municipality had published a notice on its website which announced that it had appointed a lawyer to start proceedings against the complainant, as well as an attachment containing additional personal data.

English Summary

Facts

The Municipality of San Giorgio Jonico had made public on its website that it had started civil proceedings against a complainant and mandated a lawyer to this end. In addition to the name of the complainant, the Municipality had disclosed his residence, date and place of birth, tax identification number, and a detailed reconstruction of the activities carried out during the complainant's time holding a public office.

Dispute

Was the publishing of the complainant's personal data by the Municipality lawful in accordance with Articles 5(1)(c), 6(1)(c), (e), 6(2), and 6(3)(b) GDPR?

Holding

The DPA held that the disclosure of the personal data by the Municipality was unlawful and imposed a fine of €3000 in accordance with Articles 58(2)(i) and 83(3), (5).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

Ordinance injunction against the Municipality of San Giorgio Jonico - 5 March 2020

Register of measures

n. 52 of March 5, 2020

GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

In today's meeting, in the presence of Dr. Antonello Soro, President, Dr. Augusta Iannini, Vice President, Prof. Licia Califano and Dr. Giovanna Bianchi Clerici, members and Dr. Giuseppe Busia, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter referred to as "GPSD");

HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, "Personal Data Protection Code" (hereinafter referred to as the "Code");

HAVING REGARD to the general provision no. 243 of 15/5/2014 containing the "Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for the purpose of publicity and transparency on the web by public entities and other obliged entities", published in G.U. no. 134 of 12/6/2014 and in www.gpdp.it, web document no. 3134436 (hereinafter "Guidelines of the Guarantor on transparency");

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in OJ no. 106 of 8/5/2019, web doc. no. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

Given the documentation in deeds;

Having regard to the observations made by the Secretary General under Article. 15 of the Regulation of the Guarantor No 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, web doc. n. 1098801;

Rapporteur Dr. Augusta Iannini;

PRESS

1. Introduction

This Authority has received a complaint from Mr. XX regarding the unlawful disclosure of his personal data online by the City of San Giorgio Jonico.

In particular, from the preliminary verification carried out by the Office, it emerged that on the institutional website of the aforesaid Municipality, in the Historical Register section as well as in the section called "XX", it was possible to freely view the Determination of the Head of Sector No. XX of XX - concerning "XX before the Court of Taranto appointment for the defense of the Authority to the lawyer XX - commitment of expenditure" - and its annex containing the act of summoning the complainant before the Court of Taranto (url: http://...; http://...).

The aforesaid documents (determination and related annex containing the writ of summons) contained in clear data and personal information of the plaintiff in the subject matter and body of the text.

The Municipality of San Giorgio Jonico responded to the Office's request for information and with a note of the XX confirmed the removal of the personal data of the complainant from the url indicated above.

In addition, with note of the XX has also provided feedback to the Guarantor the person responsible for the protection of personal data appointed by the City, which however has limited itself to recall the general requirements made by the body, without entering into the merits of the violation of personal data complained in the complaint.

2. Applicable regulations

According to the RGPD, the processing of personal data carried out by public entities (such as the Municipality) is lawful only if the processing is necessary "to fulfil a legal obligation to which the data controller is subject" or "for the performance of a task in the public interest or connected with the exercise of public authority vested in the data controller" (art. 6, par. 1, letter c and e).

It is also provided that "Member States may maintain [...] more specific provisions to adapt the application of the rules of this Regulation with regard to processing, in accordance with paragraph 1(c) and (e), by laying down more precisely specific requirements for processing and other measures to ensure lawful and correct processing [...]" (Article 6(1)(c) and (e)). 2, RGPD), with the consequence that the provision contained in Article 19, paragraph 3, of the Code, in force at the date of the facts, which provides that the operation of dissemination of personal data (such as publication on the Internet), by public entities, is allowed only when provided for by a rule of law or regulation (similar content also the new Article 2-ter, paragraphs 1 and 3, of the Code).

In any case, moreover, the data controller is required to comply with the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "minimization", according to which personal data must be "processed in a lawful, correct and transparent manner towards the data subject" and must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (art. 5, par. 1, letter a and c, of the RGPD).

3. Preliminary assessments of the Office on the processing of personal data carried out

From the verifications carried out on the basis of the elements acquired and the facts that emerged as a result of the preliminary activity, as well as the subsequent evaluations, the Office with note prot. n. XX of XX has ascertained that the Municipality of San Giorgio Jonico by disseminating the data and personal information of the complainant - contained in the Determination of the Sector Manager n. XX del XX, as well as in the attached act of summons of Mr. XX before the Court of Taranto published in the official register of the institutional website - has carried out a processing of personal data not found to comply with the relevant discipline on the protection of personal data contained in the RGPD. Therefore, with the same note were notified to the Municipality of the violations carried out (pursuant to Article 166, paragraph 5, of the Code), communicating the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 5, of the Code. 2, of the RGPD and inviting the above mentioned Municipality to send to the Guarantor defensive writings or documents and, if necessary, to ask to be heard by this Authority, within 30 days (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, by Law n. 689 of 24/11/1981).

4. Defensive pleadings and hearing

With the note prot. n. XX of the XX the Municipality of San Giorgio Jonico has sent to the Guarantor its defensive writings in relation to the violations notified.

In this regard, it is recalled that, unless the fact does not constitute a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false acts or documents is liable under Article 168 of the Code, entitled "False statements to the Guarantor and interruption of the performance of duties or exercise of powers of the Guarantor".

Specifically, in relation to the disputed facts, the Municipality has preliminarily objected to the "nullity/inadmissibility of the complaint" received with the cited note of the Office prot. n. XX of XX for the period of ninety days provided by art. 14, paragraph 2, of Law n. 689/1981, as the Municipality had already been the recipient of a previous note of the Office containing the "outcome of the preliminary investigation" (prot. n. XX of XX).

On the merits, however, the body has reiterated the correctness of the processing of personal data carried out, as the legal basis that would justify the disclosure of the data subject of the complaint is to be found in art. 124 of Legislative Decree no. 267/2000, which provides for the publication of the deliberations of the municipality "for fifteen consecutive days, unless specific provisions of law"; in Articles. 8 and 37 of Legislative Decree no. 267/2000, which provides for the publication of the deliberations of the municipality "for fifteen consecutive days, unless specific provisions of law". 33/2013, which - respectively - provide that "data, information and documents subject to mandatory publication under current legislation are published for a period of 5 years" and that "public administrations and contracting authorities publish: a) the data required by Article 1, paragraph 32, of Law no. 190 of November 6, 2012; b) the acts and information subject to publication under Legislative Decree no. 50 of April 18, 2016".

In this regard, it was also specified that:

- "The municipality has given a legal mandate for the defense of its own reasons against the claims for damages made by the summons of Mr. XX";

- "in terms of legal framework of the assignment of legal representation [the] code of public contracts (Legislative Decree 50/2016) [provides that] the award of the same, although in a regime of peculiarities must be in compliance with the general principles of public procurement. And so the national legislator, in transposing the European legislation on procurement, has expressly brought the entire legal activity to the regulation of procurement";

- "to the determination of assignment XX n. XX is attached the act of citation of XX [...]";

- The "factual event" set forth in the writ of summons attached to the assignment determination does not contain any personal data, since, moreover, these are already known and public facts";

- "In this factual and legal framework, therefore, the conduct of the Entity appears to be absolutely exempt from liability, which - after verifying the absence of sensitive and judicial data - has published in full the provision of legal assignment together with the attached writ of summons".

With regard to the conduct held, it has been asked in any case to take into consideration:

- the "regulatory, jurisprudential and interpretative stratification that have undoubtedly generated the conviction of the legitimacy and lawfulness of the conduct leading to a disorientation of operators in the process of harmonization, interpretation and application of the legislation"; - Article 22, paragraph 13, of Legislative Decree no. 101 of 10/08/2018 which provides as "For the first eight months from the date of entry into force of this decree, the Guarantor for the protection of personal data takes into account, for the purposes of the application of administrative sanctions and to the extent that it is compatible with the provisions of Regulation (EU) 2016/679, the phase of first application of the penalty provisions";

- of the extreme particularity of the case under examination, which is an absolute novelty of the issue examined in relation to which there are no known jurisprudential precedents";

- "following the request for information of the XX, this Municipality has immediately and spontaneously remedied the complainant's complaint, so much so that the Authority has not been the recipient of any injunction in this regard";

- "there was a technical and educational adjustment process in place, to which the Society XX has documented in its note of XX".

On the date XX, the hearing requested by the Municipality of San Giorgio Jonico pursuant to art. 166, paragraph 6, of the Code was also held at the Guarantor, at which it was represented, in addition to what has already been reported in the documentation sent, that:

- "for about 30 years the complainant has turned several times to the civil and criminal judicial authorities to contest the unlawful processing of personal data by the City of San Giorgio Jonico, all rejected by judgment (2009, 2011, 2014, 2019). In the case in point, the Guarantor has contested the processing of personal data contained in the summons published by the Municipality, in the absence of a legal basis. Transparency in the matter of litigation is fundamental for the Municipality. The legal prerequisite for the publication of the determination of conferral of legal appointment, to which the act of summons is attached, is not only in Legislative Decree no. 33/2013 (art. 37) but also in art. 29 of the Procurement Code (Legislative Decree no. 50/2016) which refers to art. 37 of Legislative Decree no. 33/2013, which provides that the acts of awarding contracts for services and supplies (such as that of entrusting an external lawyer with the legal sponsorship of the entity), are published on the institutional website (transparent administration) for a period of five years. This is confirmed by the case law of the Court of Auditors - Emilia Romagna (see judgment / opinion no. 144 of 2018) which provides that the legal aid assignments are published, pursuant to Legislative Decree no. 33/2013, in the transparent administration section "calls for tenders and contracts";

- "the act of summons was considered an annex and an integral part of the resolution";

- "in relation to the publication of the summons, the personal data disclosed are only those identifying data such as the name, residence and CF of the complainant (ex XX) already made public on the website www.comuniweb.net. All other information contained therein relates to excerpts from public meetings, in particular of the City Council of XX";

- "the complainant did not first contact the City Council to request the removal of the published data for which the entity would have done so immediately, but contacted the Guarantor directly".

5. Outcome of the investigation relative to the submitted complaint

In the specific case submitted to the examination of the Guarantor, object of complaint by the complainant turns out to be:

- the disclosure of its personal data contained in the Determination of Sector Manager No. XX, with which the City Council has appointed its legal counsel for the defense in court proceedings against the complainant itself;

- the publication of a full copy of its summons requesting compensation for damages to the Entity.

It appears from the documents that the personal data and information of the complainant contained in the aforementioned resolution correspond to the name and circumstance that the complainant sued the City Council for damages (financial and other).

The published summons contains the personal data and information of the complainant such as, in addition to the name, date and place of birth, residence and tax code, a detailed reconstruction of personal, professional, judicial and political-administrative activities carried out when he held the office of XX.

In relation to what contested, the City Council has objected - preliminarily - the lateness of the dispute for the period of ninety days provided by art. 14, paragraph 2, of Law n. 689 of 24/11/1981, as the City had already been recipient of the note containing the "result of the preliminary investigation" prot. n. XX of XX (date that according to the City Council would correspond to the "assessment"), while the dispute of the violation would have occurred with the note prot. n. XX of XX.

In this regard, it is not possible to accept the exception presented by the City in relation to the commencement of the period of ninety days provided by art. 14, paragraph 2, of Law no. 689/1981, as it is not applicable to the case in question. It must, in fact, be remembered that on 19/9/2018 came into force the new Article 166 of the Code (as amended by Legislative Decree no. 101 of 10/8/2018), which, in paragraph 7, precisely in relation to the adoption of the penalty measure, no longer provides for the application of Article 14 of Law 689/1981 as not expressly mentioned.

To the case in point, relating to the violation of the provisions contained in the RGPD, applies instead art. 166, paragraph 5, of the Code (reformed by Legislative Decree no. 101/2018) in light of which, with note prot. n. XX of XX, it was ascertained the conduct in violation of the European Regulation by notifying the offender of the violations made with the simultaneous initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the RGPD; exactly, therefore, in the manner, form and time limits provided by the provisions referred to.

On the merits, in relation to what has been objected by the City in relation to the conduct held, although some observations are worthy of consideration, it is not possible to completely overcome the findings notified by the Office with the act of initiation of proceedings, as they are not sufficient to allow the filing of this procedure, since none of the cases provided for in Article 11 of the Regulation of the Guarantor No 1/2019.

In this sense, in the light of Resolution No. XX of XX of the National Anti-Corruption Authority (ANAC) with which the "Guidelines No. 12. Entrusting legal services", it is considered to accept the observations presented in the defense briefs of the Municipality, according to which - under the combined provisions of art. 37 of Legislative Decree no. 33/2013 and art. 29 of Legislative Decree no. 50/2016 - must be published on the institutional website the resolution to entrust the task to the legal representative for the defense of the Entity in the cases provided for therein.

However, this does not in any way legitimize the Municipality to also publish the summons, as happened in this case, nor to disseminate the name of the complainant (counterpart of the Municipality) reported in the published resolution, which is not necessary with respect to the purposes of the processing - i.e. the appointment of a lawyer of the Municipality for the defense in court - in accordance with the principle of "minimization" of data (Article 5, paragraph 1, letter c, of the RGPD). With reference to the latter profile, in fact, in order to entrust the task to the lawyer it was well possible to identify the case by indicating only the role number, without reporting the name of the complainant or publish the resolution by obscuring the name of the complainant or its replacement with omissis.

On the other hand, the Privacy Guarantor has, since 2014, pointed out in the Transparency Guidelines that, even if there is an obligation to publish transparency, the persons called upon to do so may not disclose personal data that is excessive or irrelevant (see Part One, Section 2) and that in any case:

- "Where the administration finds the existence of a regulatory obligation that requires the publication of the act or document on its institutional website, it is necessary to select the personal data to be included in such acts and documents, verifying, on a case-by-case basis, whether the conditions for the obscuration of certain information are met";

- "The public subjects, in fact, in accordance with the principles of data protection, are required to reduce to a minimum the use of personal data and identification data and avoid the related processing when the purposes pursued in individual cases can be achieved through anonymous data or other methods that allow to identify the person concerned only in case of need [...]";

- "Only personal data whose inclusion in acts and documents to be published is really necessary and proportionate to the purpose of transparency pursued in the specific case (so-called "principle of relevance and not excessive" as per art. 11, paragraph 1, letter d, of the Code [now "principle of minimization" pursuant to art. 5, paragraph 1, letter c) of the RGPD]). Consequently, personal data outside of this purpose must not be included in the acts and documents to be published online. If this is not the case, it is necessary, however, to provide for the obscuration of information that is excessive or irrelevant".

Therefore, confirming the preliminary assessments of the Office, it is noted that the processing of personal data carried out by the Municipality of San Giorgio Jonico is unlawful:

- the disclosure of personal data contained in the summons published on the institutional website was made in the absence of a suitable legal basis, in violation of art. 19, paragraph 3, of the Code (now reproduced in the new art. 2-ter, paragraphs 1 and 3, of the Code), in force at the time of the cessation of the conduct (XX) and art. 6, par. 1, letter c) and e); par. 2 and par. 3, letter b), of the RGPD;

- the disclosure of the name of the complainant contained in the Determination of the Sector Manager no. XX is not necessary with respect to the purposes of the processing - i.e. the assignment to an external lawyer for the defense in court of the Entity - violating the principle of "minimization" of data contained in Article 5, paragraph 1, letter c, of the RGPD.

Considering, however, that the conduct has exhausted its effects, since the Municipality has taken steps to remove from the institutional website the acts containing the personal data of the complainant described above, without prejudice to what will be said about the application of the pecuniary administrative penalty, the conditions for the adoption of further corrective measures under Article 58, paragraph 2, of the RGPD are not met.

6. Adoption of the injunction order for the application of the pecuniary administrative sanction (Art. 58, par. 2, letter i; 83 RGPD)

The Municipality of San Giorgio Jonico appears to have violated articles 5, par. 1, letter c; and 6, par. 1, letter c) and e); par. 2 and par. 3, letter b), of the RGPD, as well as art. 19, par. 3, of the Code in force at the time the illegal conduct began.

In this regard, Art. 83, par. 3, of the RGPD, provides that "If, in relation to the same processing or related processing, a data controller or a data processor violates, intentionally or negligently, various provisions of this Regulation, the total amount of the pecuniary administrative sanction shall not exceed the amount specified for the most serious violation".

In the present case, the violation of the above mentioned provisions is subject to the application of the same pecuniary administrative sanction provided for by Article 83, paragraph 5, of the RGPD, which therefore applies to the present case.

It should also be borne in mind that, although the resolution and the act of summons which is the subject of the complaint, published online, date back to the 20th, for the determination of the applicable rule, from a temporal point of view, the principle of legality set forth in Article 1, paragraph 2, of Law no. 689/1981 must be recalled, which, in stating as "Laws providing for administrative sanctions are applied only in the cases and times considered", affirms the recurrence of the principle of tempus regit actum. This determines the obligation to take into account the provisions in force at the time the violation was committed, which in the case in question - considering the permanent nature of the alleged offence - must be identified at the time of cessation of the illegal conduct, which occurred after the date of the XX in which the RGPD became applicable. From the acts of the investigation it emerged, in fact, that the illegal online distribution ceased in September 2018 (month in which the Municipality declared that it had removed the measures from the institutional website).

The Guarantor, pursuant to Articles 58, paragraph 2, letter i) and 83 of the RGPD and Article 166 of the Code, has the corrective power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case". In this framework, "the Board [of the Guarantor] adopts the injunction, with which it also orders the application of the accessory administrative sanction of its publication, in whole or in excerpts, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of the Regulation of the Guarantor No 1/2019).

The above mentioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount, taking due account of the elements provided for in Article 83, paragraph 2, of the RGPD.

In relation to the aforesaid elements, the conduct found to have been committed in violation of the regulations on the protection of personal data has concerned the disclosure of personal data and information of a single interested party, contained, moreover, in a summons published in full. The dissemination lasted for a period of less than one year. The Municipality of San Giorgio Jonico, which in any case is a smaller local authority, with less than 15. 000 inhabitants, has, however, asked to take into account several mitigating factors among which are considered relevant: the uncertainties regarding the application of the provisions on the publication of acts of entrustment of legal tasks of the entity resulting from "regulatory, jurisprudential and interpretative stratification"; the circumstance that the act of summons was considered an attachment and an integral part of the resolution published online; the plaintiff turned directly to the Guarantor and did not first apply to the City to request the removal of the published data against which the entity would immediately take action. In addition, the administration has acted to remove the personal data subject of the complaint and has cooperated with the Authority during the investigation of this proceeding in order to remedy the violation - whose character, according to the City, appears to be of a culpable nature - mitigating the possible negative effects. In the response to the Guarantor were also described several technical and organizational measures put in place pursuant to Articles 25-32 of the RGPD. There are no previous violations of the relevant RGPD committed by the Municipality of San Giorgio Jonico.

Because of the above elements, assessed as a whole, it is considered necessary to determine the amount of the pecuniary sanction, provided for by art. 83, par. 2 and 3, of the RGPD, in the measure of € 3,000.00 (three thousand) for the violation of articles. 5, par. 1, lett. c; and 6, par. 1, lett. c) and e); par. 2 and par. 3, lett. b), of the RGPD, as well as art. 19, par. 3, of the Code, as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same RGPD.

In relation to the specific circumstances of this case - given the extreme intrusiveness of the dissemination, concerning even very sensitive data dating back to the time of the complainant - it is also considered that the accessory sanction of the publication on the website of the Guarantor of this measure, provided by Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor No 1/2019, should be applied.

Finally, it is considered that the conditions set out in Article 17 of Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS BEING SAID, THE GUARANTOR

found the unlawfulness of the processing carried out by the Municipality of San Giorgio Jonico pursuant to Articles 58, paragraph 2, letter i) and 83 of the RGPD, as well as Article 166 of the Code for violation of Articles 5, paragraph 1, letter c) and 6, paragraph 1, letter c) and e); paragraph 2 and paragraph 3, letter b) of the RGPD, as well as Article 2-ter, paragraphs 1 and 3, of the Code in the terms set out in the grounds;

ORDER

to the Municipality of San Giorgio Jonico, in the person of the pro-tempore legal representative, with registered office in Via Salvo D'Acquisto - 74027 San Giorgio Ionico (TA) - C.F. 80009010739 to pay the sum of euro 3. 000.00 (three thousand) by way of administrative fine for the violations referred to in the grounds; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by payment, within 30 days, of an amount equal to half the penalty imposed;

INGIUNGE

to the same Municipality to pay the sum of euro 3.000,00 (three thousand), according to the modalities indicated in the attachment, within 30 days from the notification of the present measure, under penalty of adopting the consequent executive acts according to art. 27 of the law n. 689/1981.

AVAILABLE

the publication of this measure on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019 and it is considered that the requirements of art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to Article 78 of the RGPD, Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of notification of the measure itself or within sixty days if the applicant resides abroad.