Garante per la protezione dei dati personali (Italy) - 9556625: Difference between revisions

From GDPRhub
|Date_Published=11.03.2021
|Year=2021
|Fine=75,000
|Currency=EUR


|National_Law_Link_1=https://www.garanteprivacy.it/documents/10160/0/Codice+in+materia+di+protezione+dei+dati+personali+%28Testo+coordinato%29


|Party_Name_1=Ministero dello sviluppo economico (Ministry of Economic Development)
|Party_Link_1=https://www.mise.gov.it/index.php/it/
|Party_Name_2=
|Party_Link_2=
}}


The Italian DPA (Garante per la protezione dei dati personali) fined the Ministry of Economic Development ('MISE') €75,000 for failing to appoint a DPO by 25 May 2018, and for publishing personal data of more than five thousand managers on its website, including their CVs.


==English Summary==
Furthermore, it found that there was no adequate legal basis for the online publication of the managers' personal data, since less intrusive means were available to give SMEs access to the managers' consultancy services, such as restricting access to that information by username and password. The Authority therefore also held that disseminating the managers' personal data constituted disproportionate processing.


In light of the above, and taking into account that MISE has since appointed a DPO, the Italian DPA issued a fine of €75,000.


==Comment==


<pre>
<pre>
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI (ITALIAN DATA PROTECTION AUTHORITY)


AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;


HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, the "General Data Protection Regulation" (hereinafter the "GDPR");


HAVING REGARD to Legislative Decree No. 196 of 30 June 2003, the "Personal Data Protection Code" (hereinafter the "Code");


HAVING REGARD to General Measure No. 243 of 15 May 2014 containing the "Guidelines on the processing of personal data, including data contained in administrative acts and documents, carried out for purposes of publicity and transparency on the web by public bodies and other obliged entities", published in the Official Gazette No. 134 of 12 June 2014 and on www.gpdp.it, web doc. No. 3134436 (hereinafter the "Transparency Guidelines");


HAVING REGARD to Regulation No. 1/2019 concerning the internal procedures with external relevance for the performance of the tasks and the exercise of the powers entrusted to the Garante per la protezione dei dati personali, approved by Resolution No. 98 of 4 April 2019, published in the Official Gazette No. 106 of 8 May 2019 and on www.gpdp.it, web doc. No. 9107633 (hereinafter "Garante Regulation No. 1/2019");


HAVING REGARD to the documentation on file;


HAVING REGARD to the observations made by the Secretary General pursuant to Article 15 of Garante Regulation No. 1/2000 on the organisation and functioning of the Office of the Garante per la protezione dei dati personali, on www.gpdp.it, web doc. No. 1098801;


Rapporteur: Prof. Pasquale Stanzione;


WHEREAS


1. Introduction


Following the publication of a number of press reports, this Authority opened an investigation into the Ministero dello Sviluppo Economico (MISE, the Ministry of Economic Development) concerning the dissemination of personal data and information on its institutional website in a manner not compliant with personal data protection law. Several reports and a complaint from Mr XX on the same matter were received shortly afterwards.


Specifically, the preliminary check carried out by the Office found that, at the URL https://..., there was a web page entitled "Elenco Manager" (Manager List) on which the personal data (name, tax code, e-mail) and the full curriculum vitae (containing further personal data such as, for example, mobile phone number, education and training, detailed professional experience and, in some cases, even a copy of the identity document and health card, etc.) of more than five thousand data subjects, entered in the list of "Qualified managers and consulting firms", were visible and freely downloadable.


In addition, at the URL https://... it was possible to download the annex to the Directorial Decree of the Ministry of Economic Development of XX approving the aforementioned "list of qualified managers and consulting firms established pursuant to Ministerial Decree XX and compiled on the basis of the data and information declared by the applicants", which contained the personal data and information of all of those persons (including name, tax code and e-mail).


2. Regulatory context of the publication.


The 2019 Budget Law provided for specific incentives in the form of grants for innovation consulting ("Vouchers") for micro, small and medium-sized enterprises "for the purchase of specialist consulting services aimed at supporting technological and digital transformation processes [...]" provided by consulting firms or qualified managers entered in a dedicated list (hereinafter the "MISE List" or "Manager List") established by decree of the Minister of Economic Development (Article 1(228) et seq. of Law No. 145 of 30 December 2018).


That law provided that the decree should establish "the requirements for registration in the list of consulting firms and qualified managers, as well as the criteria, procedures and formalities for the disbursement of the grants and for any reserve of a share of the resources to be allocated as a priority to micro and small enterprises and business networks" (paragraph 228).


In implementation of that paragraph, the Ministerial Decree of 7 May 2019 (hereinafter the "D.M.") was adopted, governing the matter by laying down the "implementing provisions for the non-repayable grant, in the form of a voucher".


In order to detail certain aspects of the actual disbursement of the voucher, the D.M. also entrusted a further administrative act, specifically a "decree of the Director General for business incentives", with the detailed determination of the "procedures and deadlines for submitting applications for registration in the list of qualified managers and consulting firms authorised to perform the managerial engagements", as well as with the approval of the "application form for admission to the grant", the "deadlines for submitting [the application]" and the "criteria for evaluating applications and for the priority allocation of the available resources" (Articles 5(1) and 6(1)).


Within this regulatory framework, the Decree of the Director General for business incentives of XX, entitled "Voucher for innovation consulting. Procedures and deadlines for submitting applications for registration in the list" (hereinafter the "Directorial Decree"), was approved.


In addition to the provisions for submitting applications for registration in the list, the Directorial Decree provided that "once the deadline for submitting applications for registration has expired [...], the MISE list is published by measure of the Director General for business incentives, in the format set out in Annex No. 4, and made available in the dedicated section 'Voucher per consulenza in innovazione' of the Ministry's website (www.mise.gov.it)" (Article 4(1)). The cited Annex No. 4 contains a table to be filled in with the following fields: surname, first name, tax code, contact e-mail (personal or of the consulting firm), link to CV, consulting firm, whether the person is already registered in other lists of innovation managers, professional experience in managerial engagements in the areas referred to in Article 3 of the D.M. of 7 May 2019 (number of years), area of interest.


3. The Office's preliminary assessment of the processing of personal data carried out.


By note prot. No. XX of XX, MISE replied to the Office's request for information (prot. No. XX of XX).


In the light of that reply, and following the checks carried out on the basis of the elements acquired and the facts that emerged during the investigation, as well as the subsequent assessments, the Office, by note prot. No. XX of XX, found that the Ministry of Economic Development, by disseminating online the personal data (name, tax code, e-mail) and full curricula vitae (containing further personal data such as, for example, mobile phone number, education and training, professional experience, etc.) of more than five thousand data subjects entered in the list of "Qualified managers and consulting firms", had carried out processing of personal data that did not comply with the relevant personal data protection rules contained in the GDPR.


It was also found that MISE had been late both in appointing its Data Protection Officer (DPO) and in communicating the DPO's contact details to this Authority, both of which took place after 25 May 2018, the date on which the GDPR became applicable, in breach of Article 37(1) and (7) of the Regulation.


Therefore, by the same note No. XX, the breaches were notified to the Ministry (pursuant to Article 166(5) of the Code), informing it of the opening of the procedure for the adoption of the measures referred to in Article 58(2) of the GDPR and inviting MISE to submit written defences or documents to the Garante and, if it wished, to request a hearing before this Authority, within 30 days (Article 166(6) and (7) of the Code; Article 18(1) of Law No. 689 of 24 November 1981).


4. Written defences, hearing and assessment by the Garante.


The Ministry of Economic Development sent the Garante its written defences in relation to the notified breaches by notes prot. No. XX of XX and prot. No. XX of XX. In addition, the hearing requested by MISE pursuant to Article 166(6) of the Code took place on XX by remote videoconference; on that occasion further documentation was filed and additional clarifications were provided.


In this regard, it should be noted that, unless the act constitutes a more serious offence, anyone who, in proceedings before the Garante, falsely declares or certifies facts or circumstances, or produces false records or documents, is liable under Article 168 of the Code, entitled "False statements to the Garante and obstruction of the performance of the Garante's tasks or the exercise of its powers".


4.a. The legal basis of the processing


The Office charged MISE with a breach of Article 2-ter(1) and (3) of the Code, which allows public bodies to disseminate personal data only where that operation is provided for "by a provision of law or, in the cases provided for by law, of regulation", as it held that the rules laid down in Article 3 et seq. of the Directorial Decree of XX could not constitute a suitable legal basis for the dissemination of personal data under the Code, given that the Directorial Decree does not have the nature of a regulation and is not, in any event, referred to in any way by Article 1(228), (230) and (231) of Law No. 145/2018 (which provide for the establishment of the list of managers).


It was also pointed out that Article 4 of the Directorial Decree does not provide for the full publication of the managers' submitted curricula vitae, including all the personal data contained in them, but at most for the publication of the "MISE list", that is, the list of "persons authorised to perform the managerial engagements eligible for the incentive" (according to the definition in Article 1(1)(b) of the Directorial Decree).


MISE'S OBSERVATIONS


In this regard, in note prot. No. XX of XX, the contents of which are partly reproduced in the "document concerning the objections raised by the Garante" annexed to the minutes of the hearing of XX, MISE provided a detailed reconstruction based essentially on the following arguments:


- "Article 4 of the DD [i.e. the Directorial Decree] refers, for the publication of the MISE List, to the format set out in Annex 4, which includes, among other things, a section containing the link to the manager's CV. Therefore, the combined provisions of Article 4 and Annex 4, referred to therein, make it clear beyond dispute that the DD expressly provided for the dissemination of the data that were published by the Ministry";


- "the reference to 'regulation' [contained in the Code], given its neutral wording, is reasonably to be understood as a generic and broad reference to provisions of a secondary nature, and therefore regulatory in the broad sense";


- "'regulations' may consist of all secondary sources of law, that is, sources issued by the executive and subordinate to statute. Both the DM and the DD implementing it fall within that category";


- "Article 2-ter(1) of the Privacy Code, in referring to 'regulation', given the absence of any reference to Law No. 400 of 23 August 1988, which specifically governs the procedure for adopting traditional regulatory sources, i.e. the 'regulation' as a container, and given that atypical secondary sources were already widespread at the time it was issued, is intended to refer, in general and not specific terms, to a normative act having the nature of a source subordinate to statute [...]";


- "[as regards the] interpretation of the condition that the regulatory source must satisfy in order to provide the legal basis for the processing of personal data ('in the cases provided for by law'), [a] literal interpretation of that phrase shows that the legislature has in no way restricted the reference to the prior identification of the processing of personal data to a provision of primary rank. [...] In other words, for a regulatory provision to constitute a suitable legal basis, it must be considered sufficient that the law identifies the processing of personal data even only indirectly, that is, through implementing provisions whose adoption it mandates, the primary source having only the role of legitimising the exercise of regulatory power by the administration".


- "Moreover, reasoning a contrario, it appears wholly unreasonable to suppose that the law must always directly identify the legal bases for the processing of personal data, regulating the implementing procedures in detail, without being able to delegate the identification of such cases to regulatory provisions";


- "[...] if Article 2-ter(1) of the Privacy Code were read more restrictively than set out above, this would inevitably conflict with what the GDPR specifically provides as to the provisions that may constitute, within the legal systems of the various Member States, the 'legal basis' for the processing of personal data";


- "In this regard, it must be reiterated that under the scheme of the Regulation, and in particular as expressly stated in recital 41, that legal basis may consist of any provision, expressly including provisions not of primary rank and not necessarily adopted by legislative procedure: 'where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament'";


- "Therefore, an interpretative approach aimed at restricting (moreover without justification, given that the principle of legal certainty is respected through the publicity afforded to the sources in question) the range of regulatory sources that may constitute a legal basis for processing, by excluding provisions which, in compliance with the constitutional framework on implementing rules, are clear, precise and foreseeable in their application, such as those laid down by the DD, would be inconsistent with the clear provisions laid down by the EU legislature".


- "As provided by art. 6, para. 3, second subparagraph, of the GDPR, the provision of law or regulation constituting the legal basis referred to in letters c) and e) of para. 1 of art. 6 of the GDPR may contain, among other things, an indication of the types of data subject to processing, the entities to which the personal data may be disclosed, the processing operations and procedures, etc. The expression 'may contain' implies and also admits the possibility that the provision of law (in the present case the 2019 budget law) does not specify this information, the identification of which is presumed to be left to the controller. Given the budget law's silence on the matter, it is the controller, i.e. the MiSE, that found itself having to define the type of data processed (identification and professional data), the entities to which the personal data may be disclosed (unspecified entities) and the processing operations (collection and dissemination)" (statement contained in the annex to the minutes of the hearing).


ASSESSMENTS OF THE GARANTE


The legal reconstruction offered by MISE, certainly useful for the purpose of assessing the conduct, does not appear capable of overcoming the critical findings raised and is based on an interpretation of the combined provisions of the GDPR and of the Code that cannot be accepted here, for the following reasons.


The GDPR provides that the processing of personal data carried out by public bodies is lawful if necessary "for compliance with a legal obligation to which the controller is subject" or "for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" (art. 6, para. 1, letters c and e). In this context, as correctly recalled also by MISE, recital 41 of the GDPR states that where that Regulation "refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. [What matters is that] such a legal basis or legislative measure [be] clear and precise and its application foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the 'Court of Justice') and the European Court of Human Rights".


Recital 41 must therefore not be interpreted in isolation and out of context, as the Ministry would seem to do, but systematically and in conjunction with the other provisions in force applicable to the present case - already referred to by the Office in note prot. no. XX of XX - such as art. 6, para. 2, of the GDPR and art. 2-ter, paragraphs 1 and 3, of the Code.


The GDPR in fact explicitly provides that "Member States may maintain [...] more specific provisions to adapt the application of the rules of [the GDPR] with regard to processing, in accordance with paragraph 1, letters c) and e) [of art. 6, para. 1], by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing [...]" (art. 6, para. 2, of the GDPR). It is in this context that the Code has laid down specific requirements for processing, establishing that, in the case of dissemination of personal data (such as publication on the Internet) by public bodies, such an operation may be permitted only if provided for "by a provision of law or, in the cases provided for by law, of regulation" (art. 2-ter, paragraphs 1 and 3, of the Code).


In this framework, the legal basis relied upon by the Ministry to justify the dissemination of the personal data at issue, contained in the Directorial Decree of XX, does not constitute a suitable legal basis for the dissemination of personal data pursuant to art. 2-ter, paragraphs 1 and 3, of the Code.


This is because, applying a substantive criterion, the nature of the aforementioned directorial decree - contrary to what MISE maintains - appears attributable more to the category of the "general administrative act" than to that of the "regulation" (understood as a normative act with general and abstract content), considering that its applicability is limited to the submission of applications for registration in the MISE list, with a deadline of 25/10/2019, and is exhausted with the disbursement of the one-off voucher provided for by the 2019 budget law for "the two tax periods following the one in progress at 31 December 2018" (on this point, see the reconstruction of the category of the "general administrative act" contained, ex plurimis, in Cons. St., ad. plen., no. 9 of 4/5/2012; Section III, no. 6028 of 22/12/2017).


Moreover, the use of a directorial decree to establish the regime of publicity for the managers' data was in no way provided for by the primary-rank provision contained in art. 1, paragraph 228, of Law no. 145/2018, which established the list of managers and referred, for its regulation, to a specific Decree of the Minister of Economic Development (and not to another general administrative act such as a directorial decree).


In this sense, therefore, even though the Ministerial Decree adopted (of 7/5/2019) in turn made a "second-degree" referral to a subsequent "decree of the Director General for business incentives", it should be noted that the subject matter governed by the decree of the Director General for business incentives had to be limited - pursuant to art. 5, paragraph 1, of the ministerial decree - solely to identifying the "procedures and deadlines for submitting applications for registration in the list of qualified managers and consultancy companies authorised to carry out managerial assignments", and could not extend to the point of establishing regimes of publicity for personal data and online dissemination operations.


Moreover, the Directorial Decree of XX provided for the publication on the Ministry's website of the "Mise list" - which, pursuant to art. 1, paragraph 1, letter b), of that decree, is the list comprising the "persons authorised to carry out the managerial assignments eligible for the subsidy" - and not of the related documents. Consequently, that provision - even though the "template in annex no. 4" of the directorial decree, to which it referred, contained a field dedicated to the link to the manager's CV (art. 4, paragraph 1) - could not be interpreted, as MISE maintains, so extensively as to authorise the publication of thousands of CVs with all the personal data contained therein, but at most the publication of the fields provided for in that template alone (surname, first name, tax code, contact e-mail, consultancy company, indication of registration in other lists of innovation managers, professional experience in carrying out managerial assignments with an indication of the number of years, area of interest).


Finally, the case at hand is further complicated by the circumstance, as already highlighted (see para. 2 above), that - despite the evident impact on the protection of personal data - both the Decree of the Minister for Economic Development of 7/5/2019 and the Directorial Decree of XX (which MISE maintains has a "regulatory" nature) were adopted without the opinion of the Garante, which is mandatory under arts. 36, para. 4; 57, para. 1, letter c); 58, para. 3, letter b), of the GDPR (see also recital 96). This element also constitutes a procedural defect of the aforementioned administrative acts.


The circumstances described above, considered as a whole, therefore preclude finding that the aforementioned Directorial Decree of XX could constitute a suitable legal basis for disseminating the personal data contained in the MISE list and in the managers' CVs pursuant to art. 2-ter, paragraphs 1 and 3, of the Code.


4.b. On compliance with the principle of purpose limitation and minimisation


MISE pointed out that the purpose of publishing the managers' personal data and CVs lay in the need "to enable companies potentially benefiting from the Voucher to identify, easily and fully, the managers to rely on to support their technological and digital transformation processes, and to enable those companies to get in touch with such professionals" (notes prot. no. XX of XX and no. XX of XX).


The Office pointed out to the Ministry that, for the stated purpose, namely matching companies' demand with the consultancy offered by the managers, as provided for by the relevant legislation, it would have been sufficient to use less invasive tools than the web publication of the data and information concerning all the managers, which is the broadest form of dissemination of personal data and exposes them to the risk of further, illegitimate forms of use by third parties (e.g. identity theft, unlawful profiling, phishing, etc.). It would have been possible to provide, for example, for forms of selective access to restricted areas of the institutional website allowing the information on the managers included in the MISE list to be consulted only by those intending to apply for the voucher, by issuing the latter with authentication credentials (e.g. username or password, or other authentication tools provided by the administration or provided for by Legislative Decree no. 82 of 7/3/2005, the Digital Administration Code - CAD).


In this respect, therefore, the violation of the principles of "purpose limitation", "data minimisation" and proportionality was contested, also considering that the controller is required to "implement appropriate technical and organisational measures [...] which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects" (art. 25, para. 1, of the GDPR).


OBSERVATIONS OF MISE


In note prot. no. XX of XX, the Ministry observed, in summary, that the managers' personal data were collected for specified, explicit purposes (made known through a specific privacy notice that expressly referred to the publication of the CVs) and legitimate purposes, and only for the time strictly necessary for the disbursement of the contributions, since the personal data were made available "from XX (date of approval of the MISE List) to XX (date on which the showcase site displaying the managers' CVs was closed)".


As to the possibility of alternative solutions to the online publication of all the CVs, such as forms of selective access to restricted areas of the institutional website, MISE - in the same note (the content of which is also confirmed in the "document concerning the objections raised by the Garante" attached to the minutes of the hearing) - observed that such a solution could not have been adequate for the present case, inter alia, because:


I) limiting access only to those meeting the requirements for submitting the voucher application would have entailed:


- a "serious expenditure of time and resources for the Ministry and [...] significant problems in identifying the persons who could actually have been among the possible beneficiaries of the Vouchers";


- "the range of potentially interested parties could not [...] be known a priori, much less could it be identified by the Ministry on the basis of any verification, since the Voucher necessarily had to be accessible not only to companies already established but also to all those who would decide to set up a business precisely because of the typical incentive effect of subsidy measures";


II) limiting access to anyone who requested it, without having to carry out any kind of check:


- would have "nullif[ied], in practice, the very measure of restricted access, given that consultation of the MiSE List would therefore have had to be granted to anyone";


- "would have represented, for the Ministry, a disproportionate and probably unmanageable burden, since the implementation of a software solution and of the operating processes necessary to manage such activities would have entailed" an "expenditure of economic resources"; "non-immediate implementation times for such schemes [which] would have risked compromising the timely performance of all the activities necessary for allocating the resources earmarked for the Voucher for 2019 - which could be allocated only by 31 December 2019 - and thus, therefore, the efficiency and effectiveness of the Ministry's initiative";


III) providing for selective access would not have complied with the legislator's intention, considering that:


- "the regulatory sequence envisaged by the legislator [would not have been] complied with, nor the transparency purposes connected with the granting of public incentives. Indeed, only after transparent consultation of a public list of managers could companies actually have taken the decision to apply for the incentive, and not before";


- "It is essential for companies consulting the MiSE list to acquire all the information needed to make an informed choice of the manager best suited to their business interest. The data indicated in the CV, provided voluntarily by the managers themselves, were moreover made public in the manner already known and accepted by the manager. The personal identification of the consultant, as well as the professional qualification, is a decisive and indispensable element for finalising the assignment. The DGIAI provided a public service in the context of a private-law relationship between professionals and interested companies, so much so that assessing the manager's requirements is not the task of the DGIAI, which accredits professionals in the list on the basis of the access requirements, but of the company when selecting the manager" (statement contained in the annex to the minutes of the hearing).


IV) assigning authentication credentials, linked to the verified identity of the person, to be used for access to a possible restricted area "would certainly have created obstacles to the smooth running of the initiative", inter alia, because:


- "there are various systems that allow the use of digital credentials issued by third parties, with certainty as to the identification of the person with whom they are associated [including the] Public Digital Identity System ('SPID'), [the] National Services Card ('CNS') and [the] Certified Electronic Mail ('PEC') [...]" and "the same certainty of identity does not exist with reference to the holder of an ordinary e-mail account";


- considering the "fact that the use of the aforementioned identification tools could not have been made mandatory and binding for access to a public list, since such a practical solution would have constituted a 'barrier' to access to the subsidies, it would consequently have been necessary in any case to provide for a form of authentication through digital credentials, such as the traditional e-mail address and password, while taking care to obtain a copy of the applicant's identity document at the same time as the request for access to the MISE List (see art. 38 of Presidential Decree 445/2000)";


- "In order to manage consultation of the list of managers in a restricted area, MISE would therefore have had to implement (excluding SPID, which would have required too long an implementation period for new websites, as in the case of the showcase site miq.dgiai.gov.it, and was therefore entirely irreconcilable with the timing dictated by the applicable legislation) a system for accrediting access with verification, including in person, of the identity document of all persons who had only an ordinary e-mail address but no CNS and/or PEC, and would at the same time have had to manage systems for issuing and managing users' passwords, with dedicated and timely support in the event of access anomalies and password issuance problems. The handling of such anomalies would then have proved particularly critical in the closing stages of the procedure, given the potential risk for a company of being unable, for example, to retrieve a manager's tax code in time because of a forgotten password, and for the manager himself of losing a job opportunity."


ASSESSMENTS OF THE GARANTE


In this case too, the account offered by the MISE clarifies many points of the matter and is certainly useful for the purpose of assessing the conduct, but it does not appear capable of entirely overcoming the critical findings raised by the Office.


In this respect, the MISE's observations regarding the impossibility of identifying a priori the set of persons who could actually have fallen among the potential beneficiaries of the Vouchers, and who would therefore potentially have been authorised to consult the list of managers including their CVs, are preliminarily shared (see point I above).


What is reported regarding the fact that consultation of the list and of the managers' CVs (as complete as possible) by the interested companies was indispensable in order to knowingly choose the person deemed most suitable to provide the specialist consultancy on technological and digital transformation processes relevant to their own operational needs, which was the requirement for benefiting from the state contribution envisaged for this purpose (the so-called “voucher”), is also shared. With respect to the choice of the manager-consultant, the Ministry also carried out a sort of intermediation for the establishment «of a private-law relationship between professionals and interested companies», in respect of which «the assessment of the manager's requirements [was] not the responsibility [of the Ministry]», which had to limit itself to «accredit[ing] the professionals in the list on the basis of possession of the access requirements», but exclusively «of the company for the selection of the manager».


Nevertheless, in the light of the circumstances highlighted, it remains in any case disproportionate to make available to anyone – through online publication on the Ministry's website without any filter – the personal data and information of such a large number of data subjects, for two fundamental reasons:


- the generalised knowledge of the aforesaid data did not serve any transparency purpose, considering that the choice of managers was left to the discretion of the interested companies, not reviewable by the Ministry, and, moreover, not all the managers enrolled in the list would have established professional relationships with the interested companies, having been rejected by them;


- taking into account the state of the art and the cost of implementation, as well as the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons, there are less invasive tools and more adequate technical and organisational measures than those put in place by the MISE, capable of «implement[ing] data-protection principles, such as data minimisation, in an effective manner and [of] integrat[ing] the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects» (Article 25 of the GDPR).


In this respect, in fact, one cannot share the MISE's position (see point II above) that the «regulatory sequence envisaged by the legislator» would have prevented the setting-up of a simple restricted access, even one granted to anyone who requested it, for example by assigning them a username and password without having to carry out any kind of check (a tool capable of limiting the scope of circulation of the personal data and reducing the risks of improper processing by third parties), and that such a technical expedient «would have represented, for the Ministry, a disproportionate and most likely unmanageable burden […]». This is because no legislative provision prevented it, and the existence of a disproportionate burden has in no way been proven in accordance with the accountability principle (Articles 5(2) and 24 of the GDPR); nor can it be accepted a priori, considering that the controller is a large body such as a Ministry, accustomed as such to processing enormous quantities of personal data of various kinds, including sensitive data and data belonging to special categories. Furthermore, from the adoption of the primary legislation (30 December 2018) to the drafting of the related implementing provisions (D.M. of 7/5/2019 and D.D. XX) and the approval of the MISE List (XX), a long period of time elapsed, certainly sufficient to develop solutions compliant with the provisions of the GDPR referred to above.


From a technical standpoint, there are also some inaccuracies in the MISE's account (see point IV above), which may also have led it into error regarding the decisions taken. In particular, it should be noted that PEC – contrary to what is stated in the defence brief (see pp. 14 and 15) – is not a tool that presupposes «the upstream identification of the person to whom [… it is associated] by the body/organisation responsible for [… its] issuance», since PEC providers are under no obligation to verify the identity of the person requesting the activation of a certified e-mail mailbox. Moreover, the electronic identity card (CIE) must also be included among the tools suitable for identifying persons, since, like SPID and CNS, it may be used to access the online services provided by public administrations (see Article 64(2-quater) of Legislative Decree No. 82 of 7/3/2005, the Digital Administration Code – CAD).


In this context, considering that the conduct has exhausted its effects, since the controller has declared that the personal data were made available «from XX (date of approval of the MISE List) to XX (date on which the showcase site displaying the managers' CVs was closed)», it is not considered necessary to order, within the present proceeding and after the fact, the adoption of specific technical and organisational measures deemed suitable for the specific case that has already occurred.


4.c. On the appointment of the DPO


The MISE was charged with the fact that, from the investigation and from the searches carried out at the Garante's Records Office, it emerged that the Data Protection Officer (DPO) was appointed only on XX and that the DPO's contact details were communicated to this Authority only on XX. Such conduct was found not to comply with Article 37(1) and (7) of the GDPR, which makes the aforesaid obligations mandatory from 25/5/2018, the date on which the European Regulation became applicable.


OBSERVATIONS OF THE MISE


In this regard, in the MISE's note prot. no. XX of XX it was stated that:


- «in implementation of Article 4-bis of Decree-Law No. 86 of 12 July 2018, converted by Law No. 97 of 9 August 2018, in order to harmonise the organisational structure with the development of the regulatory framework on the protection of personal data, in consideration of the requirements of Regulation (EU) 2016/679, the Ministry launched a complex process of reorganisation of the general-level managerial offices and of the functions entrusted to them»;


- «Within the MiSE's staffing plan, for the DPO functions, it was decided to identify an ad hoc general-level managerial position, among those for consultancy, study and research, which may be conferred pursuant to Article 19(4) and (10) of Legislative Decree No. 165/2001»;


- «Following numerous meetings with the Directors-General and with the trade unions, the organisational structure of the Ministry was amended by Decree of the President of the Council of Ministers No. 93 of 19 June 2019, published in the Official Gazette (G.U.) No. 195 of 21 August 2019»;


- «Following publication in the Official Gazette (G.U.) No. 195 of 21 August 2019, the aforesaid DPCM entered into force on 5 September 2019 and regulated the organisation of the general-level managerial offices by amending Decree of the President of the Council of Ministers No. 158 of 5 December 2013»;


- «Therefore, by note no. XX of XX, the call-for-applications procedure for filling the managerial position in question was launched. The aforesaid public call was also addressed, by note no. XX (published on XX), to the Ministry's permanent managers and to the permanent managers of the state administrations»;


- «The call-for-applications procedure concluded with the conferral of the assignment, for the DPO activities, pursuant to Article 19(4) and (10) of Legislative Decree No. 165 of 30 March 2001, for a term of three years»;


- «The consequent Decree of the President of the Council of Ministers adopted on 29 October 2019 ordered the appointment of the Ministry's DPO and was registered by the Court of Auditors on XX, Reg. Prev. No. XX, and transmitted to the Ministry for Public Administration on XX. On the same date the General Secretariat sent the DPCM of appointment, with the employment contract attached, to the designated person».


What is reported in the «document concerning the objections raised by the Garante» attached to the minutes of the hearing of XX also appears relevant, where, supplementing what had previously been stated, it was pointed out, among other things, that the delay in the required formalities «was due to the succession of political leadership bodies, with the installation of a new Government on XX and the launch of the reorganisation procedure – following the appointment of the new Minister – of the general-level managerial offices, reforming the previous structure dating back to DPCM No. 158 of 5 December 2013. The reorganisation culminated in the adoption of DPCM No. 93 of 19/06/2019, subsequently amended by DPCM No. 178 of 12/12/2019. The organisational change was intended to strengthen the role of the data protection officer provided for by the European Regulation, creating that position anew and qualifying the corresponding post as a general-level managerial position to be assigned pursuant to Article 19(4) and (10) of Legislative Decree No. 165/2001, and distinguishing that figure from the Officer for the prevention of corruption and for transparency. The DPO was appointed by DPCM of 21/10/2019, registered by the Court of Auditors on XX under No. XX».


ASSESSMENTS OF THE GARANTE


The MISE confirmed the delay in complying with the GDPR obligations relating to the appointment of the DPO, describing the circumstances.


What has been reported – although useful for understanding and assessing the conduct – does not, however, make it possible to overcome the objections raised by the Office. This is especially so considering that, since May XX (therefore well before 25/5/2018, the date of application of the GDPR), this Authority has carried out extensive information activities aimed at all public bodies regarding the obligations to be fulfilled under the new GDPR (including the obligation to appoint the DPO), which provided for the timely involvement of all Ministries by sending a specific communication to the competent Ministers, followed by specific meetings with the contact persons designated by the Ministry, held at the Garante on XX and at the headquarters of the Bank of Italy on XX.


With reference to the specific case under examination, the President of the Garante sent note prot. no. XX of XX to the Minister of Economic Development, which was answered by note prot. no. XX of XX from the MISE's Head of Cabinet.


In the annex to the aforesaid note, the Garante had expressly indicated to public administrations the priorities they should take into consideration in the process of adapting to the new legal framework of the Regulation; in first place among those priorities was precisely the designation of the Data Protection Officer – DPO (Articles 37-39), noting that “this new figure, which the Regulation requires to be identified on the basis of professional qualities and expert knowledge of data protection law and practice, constitutes the linchpin of the process of implementing the principle of ‘accountability’” and that “the direct involvement of the DPO in all issues concerning the protection of personal data, starting from the transitional phase, is certainly a guarantee of the quality of the outcome of the ongoing adaptation process”.


5. Outcome of the investigation relating to the matter as a whole submitted to the attention of the Garante


In the light of all of the above, the elements put forward in the MISE's defence briefs – in any case relevant for the assessment of the conduct – are not sufficient to allow this proceeding to be closed pursuant to Article 11 of the Garante's Regulation No. 1/2019.


In this framework, the findings notified by the Office by note prot. no. XX of XX are confirmed, and the processing of personal data that is the subject of this proceeding is found not to comply with the relevant personal data protection legislation, in that the Ministry of Economic Development:


1. by publishing online personal data (name, tax code, e-mail) and full curricula vitae (containing further personal data such as, for example, mobile phone number, education and training, professional experience, etc.) relating to more than five thousand data subjects included in the list of «Qualified managers and consulting companies», disseminated personal data:


a) in the absence of a suitable legal basis, in breach of Article 2-ter(1) and (3) of the Code and of Article 6(1)(c) and (e), (2) and (3)(b) of the GDPR;


b) in a manner not compliant with the principles of “lawfulness”, “purpose limitation” and “data minimisation”, in breach of Article 5(1)(a), (b) and (c) of the GDPR;


2. failed to designate, although required to do so, the Data Protection Officer (DPO), and failed to communicate the DPO's contact details to this Authority after appointing him, by 25/5/2018, the date on which the GDPR became applicable, having fulfilled these obligations only about a year and a half later, namely on XX (appointment of the DPO) and on XX (communication of contact details), in breach of Article 37(1) and (7) of the GDPR.


Considering, however, that the conduct has exhausted its effects, since the controller has removed the personal data from its institutional website and has carried out the obligations laid down in Article 37 of the GDPR in relation to the DPO, without prejudice to what will be said on the application of the administrative fine and the adoption of the reprimand, the conditions for the adoption of further corrective measures under Article 58(2) of the GDPR are not met.


6. Adoption of the injunction order for the application of the administrative fine (Articles 58(2)(i) and 83 of the GDPR)


The Ministry of Economic Development is found to have infringed Articles 5(1)(a), (b) and (c); 6(1)(c) and (e), (2) and (3)(b); and 37(1) and (7) of the GDPR, as well as Article 2-ter(1) and (3) of the Code.


For the infringement of the aforesaid provisions – also considering the reference in Article 166(2) of the Code – the administrative fines referred to in Article 83(4) and (5) of the GDPR apply.


In this regard, Article 83(3) of the GDPR provides that «If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement».


In the present case, therefore, the violation of the aforementioned provisions is subject to the most serious administrative fine, namely the one provided for by art. 83, par. 5, of the GDPR, which accordingly applies.


The Guarantor, pursuant to Articles 58, par. 2, lett. i), and 83 of the GDPR, as well as art. 166 of the Code, has the corrective power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other corrective] measures referred to in this paragraph, depending on the circumstances of each individual case". In this context, "the Board [of the Guarantor] adopts the injunction order, with which it also rules on the application of the ancillary administrative sanction of its publication, in whole or in part, on the Guarantor's website pursuant to Article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).


The amount of the aforementioned administrative fine, imposed depending on the circumstances of each individual case, must be determined taking due account of the elements provided for by art. 83, par. 2, of the GDPR.


In this regard, the violation of the personal data protection rules concerned the dissemination of personal data, as well as the delay in appointing the DPO.


As to the first aspect, the dissemination concerned personal data not belonging to special categories nor relating to criminal convictions or offences (Articles 9 and 10 of the GDPR), referring to about 5,000 managers, and lasted for a limited time of about 30 days. The conduct, based on an incorrect assessment of its compliance with personal data protection legislation, was negligent in nature. A further mitigating element is the context in which the processing took place and the uncertainty of the regulatory framework resulting from the coexistence of numerous sources adopted over time (law, ministerial decree, directorial decree), containing cross-references to one another, which, having been adopted without the mandatory opinion of the Guarantor, could not in any case have been autonomously disapplied by MISE staff. Furthermore, account must also be taken of the fact that the data controller, while underestimating the risks of the processing in good faith, declared that it had nonetheless "promptly handled and fulfilled all requests for removal from the MiSE List - 11 (eleven) - and all requests for amendment of CVs and/or erasure of personal data on the showcase site - 85 (eighty-five)" (note prot. no. XX of XX, p. 12).


As to the delay in appointing the DPO, the violation of the provisions of art. 37, par. 1 and 7, of the GDPR lasted for about a year and a half. On this point, while taking note of the circumstances - described in paragraph 4.c above - linked to the change of the political leadership and the related administrative reorganisation, the conduct, albeit negligent in nature, is considered not to be justifiable, particularly in light of the communication sent by the President of the Authority to the Minister on XX and of the information activity described above (par. 4.c) carried out by the Guarantor also towards the MISE.


In any case, account must also be taken of the fact that the MISE cooperated with the Authority during the investigation of this proceeding, and that there are no relevant previous violations of the GDPR committed by the aforementioned Ministry.


In light of the above elements, assessed as a whole, the amount of the fine provided for by art. 83, par. 5, of the GDPR is determined, pursuant to art. 83, par. 2 and 3, of the GDPR, at €75,000.00 (seventy-five thousand) for the violation of Articles 5, par. 1, lett. a), b) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b); 37, par. 1 and 7, of the GDPR, as well as art. 2-ter, paragraphs 1 and 3, of the Code, as an administrative fine deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the GDPR.


It is also considered that - given the specific circumstances of the case brought to the attention of the Guarantor, relating to the publication on the Internet of the personal data contained in the managers' curricula in the absence of a suitable regulatory basis, and to the appointment of the DPO - the ancillary sanction of publication of this decision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and by art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, should be applied.


Finally, it is considered that the conditions set out in art. 17 of the Guarantor's Regulation no. 1/2019 are met.


ALL THE ABOVE BEING PREMISED, THE GUARANTOR


having found the processing carried out by the Ministry of Economic Development to be unlawful in the terms set out in the reasoning, pursuant to Articles 58, par. 2, lett. i), and 83 of the GDPR,


ORDERS


the Ministry of Economic Development, in the person of its legal representative pro tempore, with registered office at Via Veneto, 33 - 00187 Rome (RM), tax code 80230390587, to pay the sum of €75,000.00 (seventy-five thousand) as an administrative fine for the violations set out in the reasoning;


ENJOINS


the same Ministry to pay the total sum of €75,000.00 (seventy-five thousand), in the manner indicated in the annex, within 30 days of notification of this decision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of Law no. 689/1981.


It is recalled that the offender retains the right to settle the dispute by paying - again in the manner indicated in the annex - an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 1/9/2011 for lodging an appeal, as indicated below (art. 166, paragraph 8, of the Code).


DIRECTS


- the publication of this decision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019;

- the annotation in the Authority's internal register of the violations and of the measures adopted pursuant to art. 58, par. 2, of the GDPR with this decision, as provided for by art. 17 of the Guarantor's Regulation no. 1/2019.

Pursuant to art. 78 of the GDPR, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, this decision may be appealed before the ordinary judicial authority, on pain of inadmissibility, within thirty days from the date of its communication, or within sixty days if the appellant resides abroad.

Latest revision as of 15:55, 6 December 2023

Garante per la protezione dei dati personali - 9556625
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 6(2) GDPR
Article 37(1) GDPR
Article 37(7) GDPR
art. 2-ter of the Italian Privacy Code
Type: Investigation
Outcome: Violation Found
Started:
Decided: 11.02.2021
Published: 11.03.2021
Fine: 75,000 EUR
Parties: Ministero dello sviluppo economico (Ministry of Economic Development)
National Case Number/Name: 9556625
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Italian data protection authority website (in IT)
Initial Contributor: Davide C.

The Italian DPA (Garante per la protezione dei dati personali) fined the Ministry of Economic Development ('MISE') €75,000 for failing to appoint a DPO by May 25, 2018, and for publishing personal data of more than five thousand managers on its website, including their CVs.

English Summary

Facts

Following some reports, the Italian DPA ascertained that the MISE uploaded on its website a list of more than 5,000 managers containing their personal data, including name, tax code, e-mail address, CV, mobile phone and, in some cases, ID and health card. All this data was freely visible and downloadable. The MISE published that list to help SMEs in booking advice from experienced business professionals on the technological and digital processes to manage vouchers provided in compliance with the 2019 Budget Law.

The DPA has also found that the MISE did not appoint a DPO by May 25, 2018, as required for all public bodies according to art. 37 GDPR.

Holding

The Italian DPA noted that MISE failed to appoint a DPO by the established deadline (May 25, 2018).

Furthermore, it has found that there was no adequate legal basis for the online publication of managers' personal data, as there were less intrusive methods to ensure that SMEs would have access to the managers' consultancy services, such as ensuring restricted access to said information through the use of passwords and usernames. As such, the Authority found that the dissemination of their personal information also consisted of disproportionate processing of data.

In light of the above and given that the MISE has appointed a DPO then, the Italian DPA issued a fine of €75,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "GDPR");

HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, containing the "Personal Data Protection Code" (hereinafter the "Code");

HAVING REGARD TO general decision no. 243 of 5/15/2014 containing the "Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for purposes of publicity and transparency on the web by public bodies and other obliged entities", published in the Official Gazette no. 134 of 12/6/2014 and on www.gpdp.it, web doc. no. 3134436 (hereinafter "Guidelines on transparency");

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and on www.gpdp.it, web doc. no. 9107633 (hereinafter "Guarantor's Regulation no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web n. 1098801;

Rapporteur: Prof. Pasquale Stanzione;

WHEREAS

1. Introduction

Following the publication of some press reports, this Authority opened an investigation concerning the Ministry of Economic Development (MISE) regarding the dissemination of personal data and information on its institutional website in a manner not compliant with personal data protection rules. On the same matter, several reports and a complaint from Mr XX were also received shortly afterwards.

Specifically, the preliminary assessment carried out by the Office showed that at the URL https://... there was a web page entitled "Manager List" displaying personal data (name, tax code, e-mail) and full curricula vitae (with further personal data such as, for example, mobile phone number, education and training, detailed professional experience and, in some cases, a copy of the identity document and health card) of more than five thousand data subjects included in the list of "Qualified Managers and Consulting Firms".

Furthermore, at the URL https://... it was possible to download the annex to the directorial decree of XX of the Ministry of Economic Development approving the aforementioned "list of qualified managers and consultancy companies established pursuant to ministerial decree XX and formed on the basis of the data and information declared by the applicants", containing the personal data and information of all the aforementioned data subjects (including name, tax code, e-mail).

2. Regulatory context of the publication.

The 2019 budget law provided for specific forms of incentives through the granting of contributions for innovation consultancy ("vouchers") to micro, small and medium-sized enterprises "for the purchase of specialist consultancy services aimed at supporting technological and digital transformation processes [...]" provided by consultancy companies or qualified managers registered in a special list (hereinafter the "MISE List" or "Manager List") established by a specific decree of the Minister of Economic Development (art. 1, paragraphs 228 et seq., of Law no. 145 of 30/12/2018).

The aforementioned law provided that this decree should establish "the necessary requirements for registration in the list of consultancy companies and qualified managers, as well as the criteria, methods and formal requirements for the disbursement of contributions and for any reserve of a portion of the resources to be allocated primarily to micro and small enterprises and business networks" (paragraph 228).

In implementation of the aforementioned paragraph, the Ministerial Decree of 7/5/2019 (hereinafter "DM") was adopted, governing the matter and laying down the provisions "implementing the non-repayable grant, in the form of a voucher".

Furthermore, in order to detail certain aspects of the actual delivery of the voucher, this Ministerial Decree delegated to a further administrative act - specifically, a "decree of the Director General for business incentives" - the detailed identification of the "methods and deadlines for submitting applications for registration in the list of qualified managers and consultancy companies authorised to carry out managerial assignments", as well as the approval of the "application form for admission to the contribution", the "deadlines for submitting [it]" and the "criteria for evaluating applications and for the priority allocation of available resources" (Articles 5, paragraph 1; 6, paragraph 1).

Within this regulatory framework, the Decree of the Director General for business incentives of XX, entitled "Voucher for innovation consultancy. Procedures and deadlines for submitting applications for registration in the list" (hereinafter "directorial decree"), was adopted.

The aforementioned directorial decree, in addition to containing the provisions for submitting applications for registration in the list, established that "After the deadline for the transmission of applications for registration [...], by decision of the Director General for business incentives, the MISE list is published, in the format set out in Annex no. 4, made available in the dedicated section 'Voucher for innovation consultancy' of the Ministry's website (www.mise.gov.it)" (art. 4, paragraph 1). The cited Annex no. 4 contains a table to be filled in with the following fields: surname, name, tax code, contact e-mail (personal or of the consultancy company), CV link, consultancy company, person already registered in other lists of innovation managers, professional experience in carrying out managerial assignments in the areas referred to in Article 3 of the Ministerial Decree of 7 May 2019 (number of years), area of interest.

3. Preliminary assessments of the Office on the processing of personal data carried out.

With note prot. no. XX of XX, the MISE replied to the Office's request for information (prot. no. XX of XX).

With respect to the submissions made, following the checks carried out on the basis of the elements acquired and the facts that emerged from the investigation, as well as subsequent assessments, the Office, with note prot. no. XX of XX, found that the Ministry of Economic Development - by disseminating online personal data (name, tax code, e-mail) and full curricula vitae (with further personal data such as, for example, mobile phone number, education and training, professional experience, etc.) of more than five thousand data subjects included in the list of "Qualified managers and consultancy companies" - had carried out processing of personal data not compliant with the relevant personal data protection rules contained in the GDPR.

The delay in the appointment of the MISE's Data Protection Officer (DPO) was also ascertained, as was the delay in communicating the related contact details to this Authority, both of which took place after 25/5/2018, the date from which the GDPR became applicable, in violation of art. 37, paragraphs 1 and 7, of the European Regulation.

Therefore, with the same note no. XX, the violations found were notified to the aforementioned Ministry (pursuant to art. 166, paragraph 5, of the Code), communicating the initiation of the procedure for the adoption of the measures referred to in Article 58, par. 2, of the GDPR and inviting the MISE to send the Guarantor written defences or documents and, if desired, to request to be heard by this Authority within 30 days (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 11/24/1981).

4. Written defences, hearing and assessments by the Guarantor.

The Ministry of Economic Development sent the Guarantor - with prot. no. XX of XX and prot. no. XX of XX - its written defences in relation to the notified violations. Furthermore, on XX the hearing requested by the MISE pursuant to art. 166, paragraph 6, of the Code took place, on which occasion further documentation was filed and additional clarifications were provided.

In this regard, it should be noted that, unless the fact constitutes a more serious offence, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code, entitled "False statements to the Guarantor and interruption of the performance of the duties or the exercise of the powers of the Guarantor".

4.a. On the legal basis of the processing

The Office charged the MISE with the violation of art. 2-ter, paragraphs 1 and 3, of the Code - which allows public bodies to disseminate personal data only if this operation is provided for "by a law or, in the cases provided for by law, by regulation" - as it held that the rules laid down by art. 3 et seq. of the directorial decree of XX could not constitute a suitable regulatory basis for the dissemination of personal data within the meaning of the Code, given that the aforementioned directorial decree does not have a regulatory nature and is not, in any case, referred to in any way by art. 1, paragraphs 228, 230 and 231, of Law no. 145/2018 (which provide for the establishment of the list of managers).

It was also pointed out that art. 4 of the aforementioned directorial decree does not provide for the full publication of the curricula vitae sent by the managers, including all the personal data contained therein, but, at most, of the "MISE list", that is, the list of the "persons authorised to carry out the managerial assignments eligible for the incentive" (according to the definition in Article 1, paragraph 1, letter b, of the directorial decree).

COMMENTS OF THE MISE

In this regard, the MISE, in note prot. no. XX of XX - the contents of which are also partly included in the "document relating to the objections raised by the Guarantor" attached to the minutes of the hearing of XX - provided a detailed reconstruction based substantially on the following arguments:

- "art. 4 of the DD [i.e. the directorial decree] refers, for the publication of the MISE List, to the scheme set out in Annex 4, which includes, among other things, a section containing the link to the manager's CV. Therefore, the combined provisions of art. 4 and Annex 4, referred to therein, allow one to safely conclude that the DD expressly provided for the dissemination of the data that were published by the Ministry";

- "the reference to the 'regulation' [contained in the Code], given its neutral formulation, is reasonably to be understood as a generic and broad reference to provisions of a secondary, and therefore regulatory, nature";

- "the 'regulations' may consist of all secondary regulatory sources, of executive provenance, which are subordinate to the laws. Both the DM and the DD implementing it fall within this context";

- "art. 2-ter, paragraph 1, of the Privacy Code, in referring to the 'regulation', given the absence of any reference to Law no. 400 of 23 August 1988, which specifically governs the procedure for the adoption of traditional regulatory sources, that is, the 'container regulation', and given the spread, already at the time of its enactment, of atypical secondary sources, intends to recall - in general and not specific terms - a regulatory act having the nature of a source subordinate to the law [...]";

- "[as regards the] interpretation of the condition which the regulatory source must satisfy in order to identify the legal basis for the processing of personal data ('in the cases provided for by law')[,] a literal interpretation of this phrase shows that the legislator has in no way confined the reference to the prior identification of the processing of personal data to a rule of primary rank. [...] In other words, for a regulation to be able to constitute an appropriate legal basis, it must be considered sufficient that the law identifies, even if only indirectly - and therefore through the implementing rules it provides for - the processing of personal data, the primary source having only the role of legitimising the exercise of regulatory power by the administration";

- "On the other hand, reasoning the other way round, it seems entirely unreasonable to imagine that the law must always directly identify the legal bases for the processing of personal data, regulating the implementing procedures in detail, without being able to delegate the identification of such cases";

- "[...] if a reading of art. 2-ter, paragraph 1, of the Privacy Code more restrictive than the one set out were adopted, it would inevitably conflict with the provisions of the GDPR regarding the provisions that may constitute - within the legal systems of the various Member States - the 'legal basis' for the processing of personal data";

- "In this regard, it must be reiterated that in the structure of the Regulation - and in particular according to what is expressly provided for in recital 41 - this legal basis may be constituted by any provision, expressly even one not of primary rank and not necessarily adopted following a legislative procedure: 'where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament'";

- "Therefore, an interpretative approach aimed at restricting (moreover without reason, given the respect for the principle of legal certainty ensured by the publicity given to the sources de quibus) the range of regulatory sources that can constitute a legal basis for processing, excluding rules which, in compliance with the aforementioned constitutional coordinates on implementing rules, are clear, precise and predictable in their application, such as those laid down by the DD, would be inconsistent with the clear provisions dictated by the EU legislator";

- "As provided for by art. 6, par. 3, second subparagraph, of the GDPR, the law or regulation constituting the legal basis referred to in letters c) and e) of par. 1 of art. 6 of the GDPR may contain, among other things, an indication of the types of data being processed, the subjects to whom the personal data may be disclosed, the processing operations and procedures, etc. The expression 'may contain' implies and also admits the possibility that the law (in the case in question the 2019 budget law) does not specify this information, the identification of which is presumed to be left to the controller. Given the silence of the budget law in this regard, it is the controller, therefore the MiSE, that found itself having to define the type of data processed (identification and professional), the subjects to whom the personal data may be communicated (indeterminate subjects) and the processing operations (collection and dissemination)" (declaration contained in the annex to the minutes of the hearing).

ASSESSMENTS BY THE GUARANTOR

The legal reconstruction offered by the MISE, while certainly useful for assessing the conduct, does not appear capable of overcoming the objections raised, and rests on an interpretation of the combined provisions of the GDPR and the Code that cannot be accepted here, for the following reasons.

The GDPR provides that the processing of personal data carried out by public bodies is lawful if necessary "for compliance with a legal obligation to which the controller is subject" or "for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" (Art. 6(1)(c) and (e)). In this context, as the MISE correctly recalls, recital 41 of the GDPR indicates that where the Regulation "refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the 'Court of Justice') and the European Court of Human Rights".

Recital 41 should therefore not be read in isolation and out of context, as the Ministry appears to do, but systematically and in conjunction with the other applicable provisions in force, already referred to by the Office in note prot. no. XX of XX, namely Art. 6(2) of the GDPR and Art. 2-ter(1) and (3) of the Code.

Indeed, the GDPR expressly provides that "Member States may maintain [...] more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 [of Art. 6] by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing [...]" (Art. 6(2) of the GDPR). It is in this context that the Code has laid down specific requirements for processing, establishing that the dissemination of personal data (such as publication on the Internet) by public bodies is permitted only where provided for "by a law or, in the cases provided for by law, by regulation" (Art. 2-ter(1) and (3) of the Code).

In this context, the legal basis invoked by the Ministry to justify the disputed dissemination of personal data, contained in the Directorial Decree of XX, does not constitute an appropriate legal basis for the dissemination of personal data pursuant to Art. 2-ter(1) and (3) of the Code.

This is because, applying a substantive criterion, the nature of that directorial decree, contrary to what the MISE claims, appears to fall within the category of the "general administrative act" rather than that of the "regulation" (understood as a normative act with general and abstract content), considering that its applicability is limited to the submission of applications for registration in the MISE list, with a deadline of 25/10/2019, and ends with the granting of the one-off voucher provided for by the 2019 budget law for "the two tax periods following the one in progress on 31 December 2018" (on this point, see the reconstruction of the category of the "general administrative act" in, ex plurimis, Cons. St., Ad. Plen., no. 9 of 4/5/2012; Sect. III, no. 6028 of 22/12/2017).

Moreover, the use of a directorial decree to establish the regime for disclosing managers' data was in no way provided for by the primary-rank rule contained in Art. 1(228) of Law no. 145/2018, which established the list of managers and referred, for the related rules, to a specific decree of the Minister of Economic Development (and not to another general administrative act such as a directorial decree).

In this sense, therefore, even though the ministerial decree adopted (dated 7/5/2019) in turn made a "second-degree" referral to a subsequent "decree of the Director General for business incentives", the subject matter of that directorial decree had to be limited, pursuant to Art. 5(1) of the ministerial decree, solely to identifying the "methods and deadlines for submitting applications for registration in the list of qualified managers and consultancy companies authorised to carry out managerial assignments", and could not extend to identifying publicity regimes for personal data and online dissemination operations.

Moreover, the Directorial Decree of XX provided for publication on the Ministry's website of the "MISE list", which, pursuant to Art. 1(1)(b) of that decree, is the list of "persons authorised to carry out subsidised managerial assignments", and not of the related documents. Therefore, even though the "scheme referred to in Annex no. 4" of the directorial decree contained a field for the link to the manager's CV (Art. 4(1)), this provision could not be interpreted, as the MISE claims, so broadly as to authorise the publication of thousands of CVs with all the personal data they contain, but at most only of the fields provided for by that scheme (surname, name, tax code, contact e-mail, consultancy company, inclusion in other lists of innovation managers, professional experience in managerial roles with the number of years, area of interest).

Finally, the case is further complicated by the circumstance, already noted (see para. 2 above), that, despite their evident impact on the protection of personal data, both the Decree of the Minister of Economic Development of 7/5/2019 and the Directorial Decree of XX (which the MISE claims has a "regulatory" nature) were adopted without the opinion of the Guarantor, which is mandatory under Arts. 36(4), 57(1)(c) and 58(3)(b) of the GDPR (see also recital 96). This also constitutes a procedural defect in those administrative acts.

The circumstances described above, considered as a whole, therefore preclude the conclusion that the Directorial Decree of XX could constitute an appropriate regulatory basis for disseminating the personal data contained in the MISE list and in the managers' CVs pursuant to Art. 2-ter(1) and (3) of the Code.

4.b. On compliance with the principle of purpose limitation and minimization

The MISE stated that the purpose of publishing the managers' personal data and CVs lay in the need "to allow companies potentially eligible for the Voucher to identify, easily and completely, the managers they could use to support their technological and digital transformation processes, as well as to allow those companies to get in touch with such professionals" (prot. nos. XX of XX and XX of XX).

The Office pointed out to the Ministry that, for the declared purpose, i.e. matching companies' demand with the consultancy offered by the managers as required by the relevant legislation, it would have been sufficient to use less invasive tools than web publication of the data and information concerning all managers, which is the widest form of dissemination of personal data and exposes them to the risk of further, unlawful uses by third parties (e.g. identity theft, unlawful profiling, phishing, etc.). Forms of selective access to restricted areas of the institutional website could have been envisaged, for example, allowing consultation of the information on the managers in the MISE list only to those intending to apply for a voucher, by assigning the latter authentication credentials (e.g. username and password, or other authentication tools provided by the administration or provided for by Legislative Decree no. 82 of 7/3/2005, the Digital Administration Code, CAD).

In this respect, the violation of the principles of "purpose limitation", "data minimisation" and proportionality was therefore alleged, also considering that the controller is required to implement "appropriate technical and organisational measures [...] which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects" (Art. 25(1) of the GDPR).

COMMENTS OF THE MISE

In note prot. no. XX of XX, the Ministry observed, in summary, that the managers' personal data were collected for specified, explicit purposes (made known through a specific privacy notice that expressly referred to the publication of the CVs), legitimate, and only for the time strictly necessary for the disbursement of the contributions, as the personal data were made available "from XX (date of approval of the MISE List) to XX (date on which the showcase site displaying the managers' CVs was closed)".

As for the possibility of alternative solutions to the online publication of all the CVs, such as forms of selective access to restricted areas of the institutional website, the MISE, in the same note (the content of which is also confirmed in the "document concerning the objections raised by the Guarantor" attached to the minutes of the hearing), stated that such a solution could not have been adequate in the present case, inter alia because:

I) limiting access to only those meeting the requirements for submitting a voucher application would have resulted in:

- a "serious waste of time and resources for the Ministry and [...] significant problems in identifying the subjects who could actually be among the possible beneficiaries of the Vouchers";

- "the perimeter of the potentially interested parties could not [...] be known a priori, and even less could it be identified by the Ministry on the basis of any assessment, since the Voucher necessarily had to be accessible not only to companies already established, but also to all those who would have decided to set up a business because of the typical incentive effect of subsidy measures";

II) restricting access to anyone who requested it, without carrying out any type of check:

- would have "nullified, in practice, the very measure of reserved access, given that consultation of the MiSE List would therefore have had to be granted to anyone";

- "would have represented, for the Ministry, a disproportionate and probably unmanageable burden, since implementing the software solution and operational processes needed to manage these activities would have involved" a "waste of economic resources" and "implementation times for such arrangements that would not have been immediate [and which] would have risked jeopardising the timely performance of all the activities necessary for allocating the resources earmarked for 2019 for the Voucher, which could only be assigned by 31 December 2019, and thus the efficiency and effectiveness of the Ministry's initiative";

III) providing for selective access would not have complied with the legislator's will, considering that:

- "Neither the regulatory sequence provided for by the legislator nor the transparency objectives related to the granting of public incentives [would] have been respected. In fact, only after a transparent consultation of a public list of managers could companies actually have taken the decision to apply for the incentive, and not before";

- "It is essential for companies consulting the MiSE list to acquire all the information necessary to make an informed choice of the manager best suited to their corporate interest. The data indicated in the CV, provided voluntarily by the managers themselves, were moreover publicised in the manner already known to and accepted by the manager. The identification of the consultant, as well as his or her professional qualification, is a decisive and indispensable element for the finalisation of the assignment. The DGIAI offered a public service in the context of a private relationship between professionals and interested companies, so much so that the assessment of the manager's requirements is not a matter for the DGIAI, which accredits professionals in the list on the basis of possession of the access requirements, but for the company selecting the manager" (statement contained in the annex to the minutes of the hearing);

IV) assigning authentication credentials, associated with the certain identity of the subject, for access to any restricted area "would certainly have created obstacles to the success of the initiative", among other things because:

- "there are various systems that allow the use of IT credentials issued by third parties, with certainty as to the identity of the person to whom they are associated, [including the] Public Digital Identity System ('SPID'), [the] National Services Card ('CNS') and [the] Certified Electronic Mail ('PEC') [...]", while "the same certainty of identity does not exist with reference to the holder of an ordinary e-mail box";

- considering the "fact that the use of the aforementioned identification tools could not have been made mandatory and binding for access to a public list, since such a solution would have represented a 'barrier' to access to the subsidised contributions, it would consequently have been necessary in any case to provide for a form of authentication using IT credentials, such as traditional e-mail and password, taking care to acquire a copy of the applicant's identity document at the time of the request for access to the MISE List (see Art. 38 of Presidential Decree 445/2000)";

- "To manage consultation of the list of managers in the reserved area, the MISE would therefore have had to implement (leaving aside SPID, which would have required an implementation period too long for new websites, as in the case of the showcase site miq.dgiai.gov.it, and therefore wholly irreconcilable with the timing dictated by the applicable legislation) a system for accrediting access with verification, even in person, of the identity document of all subjects having only an ordinary e-mail address but no CNS and/or PEC, and would at the same time have had to manage systems for issuing and managing passwords for users, with dedicated and timely assistance in the event of access anomalies and password issuance. The management of such anomalies would have been particularly critical in the closing stages of the procedure, given the potential risk for a company of being unable, for example, to retrieve a manager's tax code in time because of a forgotten password, and for the manager himself of losing a job opportunity".

ASSESSMENTS BY THE GUARANTOR

Also in this case, the reconstruction offered by the MISE clarifies many aspects of the matter and is certainly useful for assessing the conduct, but it does not appear capable of fully overcoming the objections raised by the Office.

From this point of view, the MISE's observations are shared, as a preliminary matter, as regards the impossibility of identifying a priori the set of subjects who could actually have been among the possible beneficiaries of the Vouchers and therefore potentially authorised to consult the list of managers, CVs included (see point I above).

We also agree with what is stated regarding the fact that consultation of the list and of the managers' CVs (as complete as possible) by the companies concerned was essential in order to make an informed choice of the person deemed most suitable to provide specialist advice on the technological and digital transformation processes serving their operational needs, which was the requirement for benefiting from the state contribution provided for this purpose (the so-called "voucher"). With respect to the choice of the manager-consultant, the Ministry also carried out a form of intermediation for the establishment "of a private relationship between professionals and interested companies", in respect of which "the assessment of the manager's requirements is not a matter for [the Ministry]", which had to confine itself to "accrediting the professionals in the list on the basis of possession of the access requirements", but exclusively "for the company selecting the manager".

Nevertheless, given the circumstances highlighted, it remains in any case disproportionate to make available to anyone, through online publication on the Ministry's website without any filter, the data and personal information of such a large number of data subjects, for two fundamental reasons:

- the generalised knowledge of those data did not serve any transparency purpose, since the choice of managers was left to the discretion of the companies concerned, which the Ministry could not question; moreover, not all the managers enrolled in the list would have established professional relationships with the companies concerned, since they were not selected by them;

- taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity for the rights and freedoms of natural persons, there are less invasive tools and more appropriate technical and organisational measures than those implemented by the MISE, capable of "effectively implementing the principles of data protection, such as minimisation, and integrating the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects" (Art. 25 of the GDPR).

From this point of view, in fact, we cannot agree with the MISE's claim (see point II above) that the "regulatory sequence envisaged by the legislator" would have prevented the provision of simple reserved access, even if granted to anyone who requested it, for example by assigning them a username and password without carrying out any type of check (a tool capable of limiting the circulation of personal data and thereby reducing the risks of improper processing by third parties), and that this technical arrangement "would have represented, for the Ministry, a disproportionate and probably unmanageable burden [...]". This is because no legislative provision prevented it, and the existence of a disproportionate burden has in no way been demonstrated in accordance with the accountability principle (Arts. 5(2) and 24 of the GDPR); nor can it be accepted a priori, considering that the controller is a large body such as a Ministry, accustomed as such to processing huge quantities of personal data of various kinds, including sensitive data and data belonging to special categories. Furthermore, a long period elapsed between the adoption of the primary rule (30 December 2018) and the drafting of the related implementing provisions (DM 7/5/2019 and DD XX) and the approval of the MISE List (XX), certainly sufficient time to develop solutions complying with the GDPR provisions referred to above.

From a technical point of view, there are also some inaccuracies in the MISE's reconstruction (see point IV above), which may also have misled it in the decisions taken. In particular, it should be noted that PEC, contrary to what is stated in the defence brief (see pages 14 and 15), is not a tool that presupposes "the prior identification of the person [... to whom it is associated] by the body/organisation responsible for [... its] issuance", since PEC providers have no obligation to verify the identity of the person requesting the activation of a certified e-mail box. Furthermore, the electronic identity card (CIE), which, like SPID and CNS, can be used to access online services provided by public administrations, should also be included among the tools suitable for identifying subjects (see Art. 64(2-quater) of Legislative Decree no. 82 of 7/3/2005, the Digital Administration Code, CAD).

In this context, considering that the conduct has exhausted its effects, since the controller declared that the personal data were made available "from XX (date of approval of the MISE List) to XX (date on which the showcase site displaying the managers' CVs was closed)", it is not considered necessary to order, in the context of this proceeding or subsequently, the adoption of specific technical and organisational measures deemed suitable for a specific case that has already occurred.

4.c. On the appointment of the DPO

It was alleged against the MISE that, from the investigation and from the searches carried out in the Guarantor's Protocol Office, it emerged that the Data Protection Officer (DPO) was appointed only on XX and that the DPO's contact details were communicated to this Authority only on XX. This conduct was found not to comply with Art. 37(1) and (7) of the GDPR, under which those obligations applied from 25/5/2018, the date on which the Regulation became applicable.

COMMENTS OF THE MISE

In this regard, in MISE note prot. no. XX of XX it was stated that:

- "in implementation of Art. 4-bis of Decree-Law no. 86 of 12 July 2018, converted by Law no. 97 of 9 August 2018, in order to harmonise the organisational structure with the development of the regulatory framework for the protection of personal data, in light of the provisions of Regulation (EU) 2016/679, the Ministry launched a complex process of reorganisation of the general-level managerial offices and of the functions entrusted to them";

- "As part of the MiSE staffing plan, for the DPO functions it was decided to identify an ad hoc general-level managerial position, among those for consultancy, study and research, conferred pursuant to Art. 19(4) and (10) of Legislative Decree no. 165/2001";

- "Following numerous meetings with the Directors General and with the trade unions, the organisational structure of the Ministry was amended by Decree of the President of the Council of Ministers no. 93 of 19 June 2019, published in Official Gazette no. 195 of 21 August 2019";

- "Following publication in Official Gazette no. 195 of 21 August 2019, the aforementioned Prime Ministerial Decree entered into force on 5 September 2019 and governed the organisation of the general-level managerial offices, amending Prime Ministerial Decree no. 158 of 5 December 2013";

- "Therefore, with note no. XX of XX, the interpello procedure (call for expressions of interest) was initiated to fill the managerial position in question. The public call was also addressed, with note no. XX (published on XX), to the permanent managers of the Ministry and to the permanent managers of state administrations";

- "The interpello procedure ended with the conferral of the assignment, for DPO activities, pursuant to Art. 19(4) and (10) of Legislative Decree no. 165 of 30 March 2001, for a period of three years";

- "The consequent Decree of the President of the Council of Ministers adopted on 29 October 2019 ordered the appointment of the Ministry's DPO and was registered by the Court of Auditors on XX, Reg. Prev. no. XX, and sent to the Ministry of Public Administration on XX. On the same date, the General Secretariat sent the DPCM of appointment, with the employment contract attached, to the designated person".

Also relevant is what is stated in the "document relating to the objections raised by the Guarantor" attached to the minutes of the hearing of XX, where, in addition to what was previously stated, it was highlighted, among other things, that the delay in the required formalities "depended on the change of political leadership, with the installation of a new government on XX and the start, following the appointment of the new Minister, of the reorganisation procedure for the general-level managerial offices, reforming the previous structure dating back to DPCM no. 158 of 5 December 2013. The reorganisation culminated in the adoption of DPCM no. 93 of 19/6/2019, subsequently amended by DPCM no. 178 of 12/12/2019. The organisational change was intended to strengthen the role of the data protection officer provided for by the European Regulation, creating this position from scratch, qualifying the relevant post as a general-level managerial position to be assigned pursuant to Art. 19(4) and (10) of Legislative Decree no. 165/2001, and distinguishing this figure from that of the Officer for the prevention of corruption and transparency. The appointment of the DPO took place with DPCM of 21/10/2019, registered by the Court of Auditors on XX, at no. XX".

ASSESSMENTS BY THE GUARANTOR

The MISE confirmed the delay in fulfilling the GDPR obligations relating to the appointment of the DPO, describing the circumstances.

The information provided, while useful for understanding and assessing the conduct, does not however allow the objections raised by the Office to be overcome. This is especially so considering that, since May XX (and therefore long before 25/5/2018, the date of application of the GDPR), this Authority has carried out an extensive information campaign aimed at all public bodies regarding the obligations to be fulfilled under the new GDPR (including the obligation to appoint a DPO), which provided for the timely involvement of all Ministries by sending a specific communication to the competent Ministers, followed by specific meetings with the representatives designated by each Ministry, held at the Guarantor on XX and at the headquarters of the Bank of Italy on XX.

With specific reference to the present case, see note prot. no. XX of XX, answered by note of the Head of Cabinet of the MISE prot. no. XX of XX.

In the annex to that note, the Guarantor had expressly indicated to public administrations the priorities to be taken into account in adapting to the new legal framework of the Regulation; first among these priorities was the designation of the Data Protection Officer (DPO) (Arts. 37-39), noting that "this new figure required by the Regulation, identified on the basis of professional qualities and expert knowledge of data protection law and practice, constitutes the fulcrum of the process of implementing the principle of 'accountability'" and that "the direct involvement of the DPO in all matters concerning the protection of personal data, from the transitional phase onwards, is certainly a guarantee of the quality of the outcome of the ongoing adaptation process".

5. Outcome of the investigation relating to the whole of the matter submitted to the attention of the Guarantor

In light of all the above, the elements represented in the defensive writings of the MISE - in any case relevant to the assessment of the conduct - are not sufficient to allow the filing of this proceeding pursuant to art. 11 of the Guarantor Regulation n. 1/2019.

In this context, the findings notified by the Office with the note prot. n. XX of the XX and the non-compliance of the processing of personal data subject of this proceeding with the relevant legislation on the protection of personal data is noted, as the Ministry of Economic Development:

1. publishing online personal data (name, tax code, e-mail) and full curriculum vitae (with additional personal data such as, for example, mobile phone, education and training, professional experiences, etc.), referring to more than five thousand subjects interested parties, included in the list of "Qualified managers and consulting companies", has disclosed personal data:

a) in the absence of a suitable regulatory requirement, in violation of art. 2-ter, paragraphs 1 and 3, of the Code and art. 6, par. 1, lett. c) and e); par. 2 and par. 3, lett. b), of the GDPR;

b) in a manner that does not comply with the principles of "lawfulness", "purpose limitation" and "data minimization", in violation of art. 5, par. 1, lett. a), b) and c) of the GDPR;

2. has not designated, being required, the Data Protection Officer (DPO), nor has he communicated his contact details to this Authority after having appointed him, by the date of 25/5/2018 in which it became applicable the RGPD, having provided this fulfillment only after about a year and a half and precisely on XX (for the appointment of the DPO) and on XX (for the communication of contact data), in violation of art. 37, paragraphs 1 and 7, of the GDPR.

Considering, however, that the conduct has exhausted its effects, as the data controller has taken steps to remove the personal data from the institutional website and to implement the obligations provided for by art. 37 of the GDPR in relation to the DPO, without prejudice to what will be said on the application of the pecuniary administrative sanction and the adoption of the warning, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the GDPR.

6. Adoption of the injunction order for the application of the pecuniary administrative sanction (Articles 58, paragraph 2, letter i; 83 of the GDPR)

The Ministry of Economic Development appears to have violated Articles 5, par. 1, lett. a), b) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b); 37, para. 1 and 7, of the GDPR; as well as art. 2-ter, paragraphs 1 and 3, of the Code.

For the violation of the aforementioned provisions - also considering the reference contained in art. 166, paragraph 2, of the Code - the application of the administrative sanctions referred to in art. 83, para. 4 and 5, of the GDPR.

In this regard, art. 83, par. 3, of the RGPD, provides that «If, in relation to the same treatment or related treatments, a data controller or a data processor violates various provisions of this regulation, with willful misconduct or negligence, the total amount of the pecuniary administrative sanction does not exceeds the amount specified for the most serious violation '.

In this case, therefore, the violation of the aforementioned provisions is subject to the most serious administrative fine provided for by art. 83, par. 5, of the GDPR, which therefore applies to the present case.

The Guarantor, pursuant to art. 58, par. 2, lett. i), and 83 of the RGPD, as well as art. 166 of the Code, has the corrective power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of every single case ". In this context, "the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The amount of the aforementioned administrative fine must be determined, depending on the circumstances of each individual case, taking into account the elements provided for by art. 83, par. 2, of the GDPR.

In this regard, the violation of the rules on the protection of personal data concerned the dissemination of personal data, as well as the delay in the appointment of the DPO.

As for the first aspect, the disclosure concerned personal data that do not belong to special categories and do not relate to criminal convictions or offences (Articles 9 and 10 of the GDPR), referring to about 5,000 managers, and lasted for a limited time, equal to about 30 days. The conduct, based on an incorrect assessment of its compliance with the legislation on the protection of personal data, is of a negligent nature. A further mitigating element is the context in which the processing took place and the uncertainty of the regulatory framework deriving from the coexistence of numerous sources approved over time (law, ministerial decree, directorial decree), containing reciprocal references, which, having been adopted in the absence of the mandatory opinion of the Guarantor, could not in any case be autonomously disapplied by the MISE operators. Furthermore, it should also be taken into account that the data controller, while underestimating, in good faith, the risks of the processing, declared that it had in any case "promptly processed and handled all requests for cancellation from the MiSE List - 11 (eleven) - and all requests for modification of CVs and/or cancellation of personal data on the showcase site - 85 (eighty-five)" (note prot. no. XX of XX, page 12).

As for the delay in the appointment of the DPO, the violation of the provisions contained in art. 37, paras. 1 and 7, of the GDPR lasted for about a year and a half. On this point, while taking note of the circumstances - described in paragraph 4.c above - linked to the contingencies of the change of the Ministry's political leadership and the related administrative reorganisation, it is considered that the conduct, albeit of a negligent nature, is not justifiable, in particular in light of the communication sent by the President of the Authority to the Minister on the 20th and the information activity described above (par. 4.c) carried out by the Guarantor, also towards the MISE.

In any case, it must also be taken into account that the MISE cooperated with the Authority during the investigation of this proceeding and that there are no previous relevant violations of the GDPR committed by the aforementioned Ministry.

In light of the aforementioned elements, assessed as a whole, it is deemed necessary to determine, pursuant to art. 83, paras. 2 and 3, of the GDPR, the amount of the pecuniary sanction provided for by art. 83, par. 5, of the GDPR at € 75,000.00 (seventy-five thousand) for the violation of Articles 5, par. 1, lett. a), b) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b); 37, paras. 1 and 7, of the GDPR; as well as art. 2-ter, paragraphs 1 and 3, of the Code, as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the GDPR.

It is also considered that - given the specific circumstances of the case submitted to the attention of the Guarantor, relating to the publication on the Internet of the personal data contained in the managers' CVs in the absence of an appropriate regulatory basis, and to the appointment of the DPO - the ancillary sanction of the publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7, of the Code and by art. 16, paragraph 1, of Guarantor Regulation no. 1/2019, should be applied.

Finally, it is considered that the conditions set out in art. 17 of Guarantor Regulation no. 1/2019 for the annotation of the violation in the internal register of the Authority are met.

WHEREAS, THE GUARANTOR

finds the unlawfulness of the processing carried out by the Ministry of Economic Development, in the terms indicated in the reasoning, pursuant to Articles 58, par. 2, lett. i), and 83 of the GDPR, and

ORDERS

the Ministry of Economic Development, in the person of its pro-tempore legal representative, with registered office in Via Veneto, 33 - 00187 Rome (RM) - tax code 80230390587, to pay the sum of € 75,000.00 (seventy-five thousand) as a pecuniary administrative sanction for the violations mentioned in the reasoning;

ENJOINS

the same Ministry to pay the total sum of € 75,000.00 (seventy-five thousand), in the manner indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of Law no. 689/1981.

It is noted that the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 1/9/2011 for the filing of the appeal indicated below (Article 166, paragraph 8, of the Code).

DIRECTS

- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of Guarantor Regulation no. 1/2019;

- the annotation in the internal register of the Authority of the violations and of the measures adopted with this provision pursuant to art. 58, par. 2, of the GDPR, as required by art. 17 of Guarantor Regulation no. 1/2019.

Pursuant to art. 78 of the GDPR, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself, or within sixty days if the applicant resides abroad.