Garante per la protezione dei dati personali (Italy) - 9556625

From GDPRhub
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Garante per la protezione dei dati personali - 9556625
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 6(2) GDPR
Article 37(1) GDPR
Article 37(7) GDPR
art. 2-ter of the Italian Privacy Code
Type: Investigation
Outcome: Violation Found
Started:
Decided: 11.02.2021
Published: 11.03.2021
Fine: 75,000 EUR
Parties: Ministero dello sviluppo economico (Ministry of Economic Development)
National Case Number/Name: 9556625
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Italian data protection authority website (in IT)
Initial Contributor: Davide C.

The Italian DPA (Garante per la protezione dei dati personali) fined the Ministry of Economic Development ('MISE') €75,000 for failing to appoint a DPO by May 25, 2018, and for publishing personal data of more than five thousand managers on its website, including their CVs.

English Summary

Facts

Following some reports, the Italian DPA ascertained that the MISE uploaded on its website a list of more than 5,000 managers containing their personal data, including name, tax code, e-mail address, CV, mobile phone and, in some cases, ID and health card. All this data was freely visible and downloadable. The MISE published that list to help SMEs in booking advice from experienced business professionals on the technological and digital processes to manage vouchers provided in compliance with the 2019 Budget Law.

The DPA has also found that the MISE did not appoint a DPO by May 25, 2018, as required for all public bodies according to art. 37 GDPR.

Holding

The Italian DPA noted that MISE failed to appoint a DPO by the established deadline (May 25, 2018).

Furthermore, it has found that there was no adequate legal basis for the online publication of managers' personal data, as there were less intrusive methods to ensure that SMEs would have access to the managers' consultancy services, such as ensuring restricted access to said information through the use of passwords and usernames. As such, the Authority found that the dissemination of their personal information also consisted of disproportionate processing of data.

In light of the above and given that the MISE has appointed a DPO then, the Italian DPA issued a fine of €75,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC, "General Data Protection Regulation" (hereinafter "RGPD");

GIVEN the d. lgs. June 30, 2003, n. 196 containing the “Code regarding the protection of personal data (hereinafter the“ Code ”);

GIVEN the general provision n. 243 of 5/15/2014 containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", published in the Official Gazette. n. 134 of 12/6/2014 and in www.gpdp.it, doc. web n. 3134436 (hereinafter "Guidelines on transparency");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web n. 1098801;

Speaker prof. Pasquale Stanzione;

WHEREAS

1. Introduction

Following the publication of some press reports, this Authority has opened an investigation against the Ministry of Economic Development (MISE) regarding the dissemination of personal data and information on the institutional website in a manner that does not comply with the regulations on personal data protection. On the same issue, several reports and a complaint from Mr. XX were also received shortly after.

Specifically, from the preliminary assessment carried out by the Office it emerged that at the url https: // ... there was a web page entitled "Manager List" in which personal data (name, tax code, and -mail) and full curriculum vitae (with further personal data such as, for example, mobile phone, education and training, detailed professional experiences, in some cases also a copy of the identification document and health card, etc.) referring to more than five thousand subjects interested, included in the list of "Qualified Managers and Consulting Firms".

Furthermore, at the url https: // ... it was possible to download the attachment to the directorial decree of the 20th century Ministry of Economic Development with which the aforementioned "list of qualified managers and consultancy companies established pursuant to the decree was approved ministerial XX and formed on the basis of the data and information declared by the applicants ", containing data and personal information of all the aforementioned subjects (including name, tax code, e-mail).

2. Reference regulatory context of the successful publication.

The 2019 budget law provided for specific forms of incentives through the provision of contributions for innovation consultancy ("Vouchers") in favor of micro, small and medium-sized enterprises "for the purchase of specialist consultancy services aimed at supporting technological and digital transformation processes [...] »provided by consultancy companies or qualified managers, registered in a special list (hereinafter the" MISE List "or" Manager List ") established by a specific decree of the Minister of Economic Development (art. 1, paragraphs 228 ss., Of the law 30/12/2018, n. 145).

The aforementioned law provided that this decree should establish "the necessary requirements for registration in the list of consultancy companies and qualified managers, as well as the criteria, methods and formal requirements for the disbursement of contributions and for the any reserve of a portion of the resources to be allocated primarily to micro and small enterprises and business networks "(paragraph 228).

In implementation of the provisions of the aforementioned paragraph, the Ministerial Decree of 7/5/2019 (hereinafter "DM") was adopted which governed the matter, dictating the provisions «applying the non-repayable grant, in the form of a voucher ".

Furthermore, this Ministerial Decree, in order to detail some aspects related to the concrete delivery of the voucher, has delegated to a further administrative act - specifically, to a "decree of the Director General for incentives for businesses" - the detailed identification of "modalities and deadlines for submitting applications for registration in the list of qualified managers and consultancy companies authorized to carry out managerial positions "as well as the approval of the" application form for admission to the contribution ", the" deadlines for submitting [the itself] ", of the" criteria for evaluating applications and for the priority allocation of available resources "(articles 5, paragraph 1; 6, paragraph 1).

In this regulatory framework, the Decree of the Director General for business incentives of the twentieth century entitled «Voucher for innovation advice was approved. Procedures and deadlines for submitting applications for registration on the list »(hereinafter" directorial decree ").

In the aforementioned directorial decree, in addition to containing the provisions for submitting applications for registration to the list, it was established that "After the deadline for the transmission of applications for registration [...], with a provision of the Director General for incentives to companies, the Mise list is published, according to the format set out in attachment no. 4, made available in the special section "Voucher for innovation consultancy" of the Ministry website (www.mise.gov.it) "(art. 4, paragraph 1). Annex no. 4 cited appears to contain a table to be filled in with the following fields: surname, name, tax code, contact e-mail (personal or consulting company), cv link, consulting company, subject already registered in other lists of innovation managers , professional experience in carrying out managerial positions in the areas referred to in Article 3 of the Ministerial Decree of 7 May 2019 (number of years), area of interest.

3. Preliminary assessments of the Office on the processing of personal data carried out.

With the note prot. n. XX of the XX the MISE has provided a reply to the request for information of the Office (prot. No. XX of the XX).

With respect to what is represented, following the checks carried out on the basis of the elements acquired and the facts that emerged as a result of the investigation, as well as subsequent assessments, the Office with note prot. n. XX of the XX has ascertained that the Ministry of Economic Development - by disseminating personal data online (name, tax code, e-mail) and full curriculum vitae (with further personal data such as, for example, mobile phone, education and training, professional experiences, etc.) referring to more than five thousand interested parties, included in the list of "Qualified managers and consultancy companies" - has carried out a processing of personal data that does not comply with the relevant regulations on the protection of personal data contained in the RGPD.

The delay in the appointment of the Data Protection Officer (DPO) of the MISE was also ascertained, as well as the communication to this Authority of the related contact data, both occurred after 25/5/2018 in which the RGPD became mandatory. , in violation of art. 37, paragraphs 1 and 7, of the European Regulation.

Therefore, with the same note no. XX the violations carried out (pursuant to art. 166, paragraph 5, of the Code) were notified to the aforementioned Ministry, communicating the initiation of the procedure for the adoption of the measures referred to in Article 58, par. 2, of the RGPD, inviting the MISE to send to the Guarantor defensive writings or documents and possibly to ask to be heard by this Authority, within the term of 30 days (art.166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, by law no. 689 of 11/24/1981).

4. Defensive memoirs, hearing and evaluations by the Guarantor.

The Ministry of Economic Development sent the Guarantor - with prot. n. XX of the XX, prot. n. XX of the XX - own defensive writings in relation to the notified violations. Furthermore, on the 20th, the hearing requested by the MISE pursuant to art. 166, paragraph 6, of the Code, on the occasion of which further documentation was filed and additional clarifications were provided.

In this regard, it should be noted that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false documents or documents, is liable pursuant to art. 168 of the Code, entitled "False statements to the Guarantor and interruption of the performance of the duties or the exercise of the powers of the Guarantor".

4.a. On the legal basis of the processing

The Office accused the MISE of the violation of art. 2-ter, paragraphs 1 and 3, of the Code - which provides for the possibility, for public entities, to disclose personal data only if this operation is envisaged "by a law or, in the cases provided for by law, by regulation" - as it has held that the discipline provided for by art. 3 ss. of the Directorial Decree of the XXth, could not constitute a suitable regulatory prerequisite for the dissemination of personal data pursuant to the Code, taking into account that the aforementioned directorial decree does not have a regulatory nature and is not, in any case, in any way referred to by art . 1, paragraphs 228, 230 and 231, of law no. 145/2018 (which provide for the establishment of the list of managers).

It was also pointed out that art. 4 of the aforementioned directorial decree does not provide for the full publication of the curriculum vitae of the managers sent, including all the personal data contained therein, but, at the most, of the "MISE list", that is, the list including the "persons authorized to carry out the tasks managerial subject to facilitation "(according to the definition contained in Article 1, paragraph 1, letter b, of the directorial decree).

COMMENTS OF THE MISE

In this regard, the MISE in the note prot. n. XX of the XX - the contents of which are also partly included in the "document relating to the objections raised by the Guarantor" attached to the hearing minutes of the XX - provided an articulated reconstruction that is substantially based on the following arguments:

- "art. 4 of the DD [i.e. the Directorial Decree] refers for the publication of the MISE List to the scheme referred to in Annex 4, which includes, among other things, a section containing the link to the manager's CV. Therefore, the combined provisions of art. 4 and Annex 4, referred to therein, allows you to peacefully believe that the DD expressly provided for the dissemination of the data that have been published by the Ministry ";

- "the reference to the" regulation "[contained in the Code], given the aseptic formulation, is reasonably to be understood as a generic and broad reference to provisions of a secondary nature, therefore regulatory side";

- "the" regulations "can be made up of all secondary regulatory sources, and therefore with the subjective provenance of the executive, which underlie the laws. And in this context both the DM and the DD who execute it are framed ";

- "art. 2-ter, paragraph 1, of the Privacy Code, in referring to the "regulation", given the absence of any regulatory reference to the law of 23 August 1988, n. 400, which specifically governs the procedure for the adoption of traditional regulatory sources, that is the "container regulation", and given the diffusion already at the time of the issue of atypical secondary sources, intends to recall - in general and not particular terms - a regulatory act having the nature of a source subordinated to the law [...] ";

- "[as regards the] interpretation of the condition to which the regulatory source must submit in order to identify the legal basis for the processing of personal data (" in the cases provided for by law ") [, a literal interpretation of this sentence allows us to detect how the legislator has not in any way circumscribed even the reference to the prior identification of the processing of personal data in a rule of primary rank. [...] In other words, in order for a regulation to be able to constitute an appropriate legal basis, it must be considered sufficient that the law identifies, even only indirectly - and therefore through the implementation rules which it adopts - the processing of personal data, having the primary source only the role of legitimizing source for the exercise of regulatory power by the administration ".

- "On the other hand, reasoning the other way around, it seems completely unreasonable to imagine that the law must always directly identify the legal bases for the processing of personal data, regulating in detail the executive procedures, not being able to delegate the identification of such cases ";

- "[...] where a reading of art. 2-ter, paragraph 1, of the Privacy Code which is more restrictive than the one set out, it would inevitably end up in contrast with the provisions of the RGPD regarding the provisions that may constitute - within the legal systems of the various Member States - the "basis legal "for the processing of personal data";

- "In this regard, it must be reiterated that in the structure of the Regulation - and in particular according to what is expressly provided for in recital 41 - this legal basis can be constituted by any provision, expressly even not of primary rank and not necessarily adopted following a procedure legislative: "where this regulation refers to a legal basis or a legislative measure, this does not necessarily require the adoption of a legislative act by a parliament" ";

- "Therefore, it would be inconsistent with the clear provisions dictated by the EU legislator an interpretative approach aimed at restricting (moreover without reason, given the respect of the principle of legal certainty, guaranteed by the advertising guaranteed to the sources de quibus) the scope of the regulatory sources that they can constitute a legal basis for the processing, excluding rules that, in compliance with the aforementioned constitutional coordinates on the subject of implementation rules, are clear, precise and predictable in their application, such as those dictated by the DD ".

- "As required by art. 6, co. 3, 2nd para. of the GDPR, the law or regulation that constitutes the legal basis referred to in letters c) and e) of co. 1 of art. 6 of the GDPR, could contain, among other things, an indication of the types of data being processed, the subjects to whom the personal data may be disclosed, processing operations and procedures, etc. The term "could contain" implies and also admits the possibility that the law (in the case in question the 2019 budget law) does not specify this information, the identification of which is presumed to be left to the Owner. Considering the silence of the budget law in this regard, it is the owner, therefore the MiSE, who found himself having to define the type of data processed (identification and professional), the subjects to whom the personal data can be communicated (indeterminate subjects), processing operations (collection and dissemination) "(declaration contained in the annex to the minutes of the hearing).

ASSESSMENTS BY THE GUARANTOR

The legal reconstruction offered by the MISE, certainly useful for the purposes of assessing the conduct, does not appear to be suitable for overcoming the critical remarks raised and is based on an interpretation of the combined provisions of the rules of the RGPD with those of the Code, which cannot be accepted in this venue for the following reasons.

The RGPD provides that the processing of personal data carried out by public subjects is lawful if necessary "to fulfill a legal obligation to which the data controller is subject" or "for the performance of a task in the public interest or connected to the exercise of public authority vested in the data controller "(art. 6, par. 1, lett. c and e). In this context, as correctly recalled also by the MISE, recital no. 41 of the GDPR indicates that where the aforementioned European regulation "refers to a legal basis or a legislative measure, this does not necessarily require the adoption of a legislative act by a parliament, without prejudice to the requirements of the constitutional order of the Member State interested. [The important thing is that] this legal basis or legislative measure [is] clear and precise, and its application foreseeable, for the persons subject to it, in accordance with the jurisprudence of the Court of Justice of the European Union (the "Court of Justice ") and of the European Court of Human Rights".

Recital no. 41 should therefore not be interpreted in an isolated and decontextualized manner, as the Ministry would seem to do, but in a systematic manner and in conjunction with the other provisions in force applicable to the case in question - already referred to by the Office in the note prot. n. XX of the XX - such as art. 6, par. 2, of the RGPD and art. 2-ter, paragraphs 1 and 3, of the Code.

Indeed, the RGPD explicitly provides that "Member States may maintain [...] more specific provisions to adapt the application of the rules of the [RGPD] with regard to processing, in accordance with paragraph 1, letters c) and e) [of 'art. 6, par. 1], determining more precisely specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing […] "(Article 6, paragraph 2, of the RGPD). It is, in this context, that the Code has provided for specific requirements for the processing, establishing that, in the case of the dissemination of personal data (such as publication on the Internet) by public entities, this operation can be admitted only if provided for " by a law or, in the cases provided for by law, by regulation "(art. 2-ter, paragraphs 1 and 3, of the Code).

In this context, the legal basis referred to by the Ministry to justify the dissemination of personal data subject to dispute and contained in the Directorate Decree of the twentieth century does not constitute an appropriate legal basis for the dissemination of personal data, pursuant to art. 2-ter, paragraphs 1 and 3, of the Code.

This is because, by adopting a substantial criterion, the nature of the aforementioned directorial decree - contrary to what is claimed by the MISE - appears to be attributable more to the category of the "general administrative act" (than to that of the "regulation", intended as a legislative act with general and abstract), considering that its applicability is limited to the presentation of the application for registration in the MISE list, with deadline 25/10/2019, and ends with the provision of the one-off voucher provided for by the 2019 budget law for "the two tax periods subsequent to the one in progress at 31 December 2018" (on this point, reference is made to the reconstruction of the category of the "general administrative act" contained, ex plurimis, in Cons. St., ad.plen. , n. 9 of 4/5/2012; section III, n. 6028 of 22/12/2017).

In addition, the use of a directorial decree to establish the management data disclosure regime was in no way provided for by the primary rank rule, contained in art. 1, paragraph 228 of law no. 145/2018, which sanctioned the establishment of the list of managers, referring, for the related discipline, to a specific Decree of the Minister of Economic Development (and not to another general administrative act such as a directorial decree).

In this sense, therefore, even if the Ministerial Decree approved (dated 7/5/2019) made, in turn, a "second degree" postponement to a subsequent "decree of the Director General for business incentives", it should be noted that the subject of the discipline of the decree of general manager for business incentives had to be limited - pursuant to art. 5, paragraph 1, of the ministerial decree - to the sole discipline of identifying "methods and terms for submitting applications for registration in the list of qualified managers and consultancy companies authorized to carry out managerial duties", and could not be extended up to the point of identifying personal data advertising schemes and online dissemination operations.

Moreover, the Directorial Decree of the twentieth century provided for the publication on the website of the Ministry of the "Mise list" - which, pursuant to art. 1, paragraph 1, lett. b), of the aforementioned decree, is the list including the "persons authorized to carry out managerial duties subject to facilitation" - and not the related documents. Therefore, this provision - despite the reference to the «scheme referred to in attachment no. 4 "of the directorial decree contained a field dedicated to the link of the manager's CV (art. 4, paragraph 1) - it could not be interpreted, as the MISE claims, in such an extensive way as to authorize the publication of thousands of curricula with all the data personal data contained therein, but at most only the fields provided for by the aforementioned scheme (surname, name, tax code, contact e-mail, consultancy company, indication of the inclusion in other lists of innovation managers, professional experience in carrying out of managerial positions with indication of the number of years, area of interest).

Finally, complicating the case in question is the circumstance, as already highlighted (see supra paragraph 2), that - despite the evident impact on the protection of personal data - is the Decree of the Minister for Economic Development dated 7/5 / 2019, both the Directorial Decree of the XXth (which the MISE claims to have a "regulatory" nature) were adopted without the opinion of the Guarantor, compulsorily provided for by art. 36, par. 4; 57, par. 1, lett. c); 58, par. 3, lett. b), of the GDPR (see also recital 96). This element also constitutes a procedural defect in the aforementioned administrative acts.

The circumstances described above, considered as a whole, therefore prevent us from believing that the aforementioned Directorial Decree of the XXth could constitute an appropriate regulatory basis for disseminating the personal data contained in the MISE list and in the curricula of managers, pursuant to art. 2-ter, paragraphs 1 and 3, of the Code.

4.b. On compliance with the principle of purpose limitation and minimization

The MISE highlighted that the purpose of publishing the personal data and curricula of the managers lay in the need "to allow companies potentially benefiting from the Voucher to identify, easily and completely, the managers they can use to support their transformation processes technological and digital, as well as allowing the companies themselves to get in touch with such professionals "(prott. n. XX of the XX and n. XX of the XX).

The Office represented to the Ministry that, for the declared purpose, i.e. the meeting between the demand of the companies and the offer of consultancy by the managers, as required by the relevant legislation, it would have been sufficient to use less invasive tools than the publication on the web of data and information concerning all managers, which represents the widest form of dissemination of personal data, with the risk of making them easily vulnerable to further forms of use, not legitimate, by third parties (eg. : identity theft, illicit profiling, phishing, etc.). It could have been envisaged - for example - forms of selective access to restricted areas of the institutional website that would allow the consultation of information regarding the managers included in the MISE list only to those who intended to apply for a voucher; through the attribution to the latter of authentication credentials (e.g. username or password, or other authentication tools provided by the administration or provided for by Legislative Decree no. 82 of 7/3/2005, Digital Administration Code- CAD).

In this respect, the violation of the principles of "purpose limitation" and "data minimization" and proportionality was therefore contested, also considering that the data controller is required to implement "adequate technical and organizational measures [...] aimed at effectively implementing the principles of data protection, such as minimization, and integrating the necessary guarantees into the processing in order to meet the requirements of this regulation and protect the rights of data subjects "(Article 25, paragraph 1, of GDPR).

COMMENTS OF THE MISE

In the note prot. n. XX of the XX century, the Ministry observed, in summary, that the personal data of the managers were collected for specific, explicit purposes (made known through specific information in which explicit reference was made to the publication of the curricula); legitimate and only for the time strictly necessary for the disbursement of contributions, as the personal data were made available "from the XX (date of approval of the MISE List) to the XX (date on which the showcase site that exhibited the CVs of the managers It has been closed)".

As for the possibility of alternative solutions, with respect to the online publication of all curricula, such as forms of selective access to restricted areas of the institutional website, the MISE - in the same note (the content of which is also confirmed in the "document concerning the complaints raised by Guarantor "attached to the minutes of the hearing) - noted that this solution could not be adequate to the present case, inter alia, because:

I) limiting access to only those who meet the requirements for submitting the voucher application would have resulted in:

- a "serious waste of time and resources for the Ministry and [...] significant problems inherent in identifying the subjects who could actually be among the possible beneficiaries of the Vouchers";

- "the perimeter of the potentially interested parties could not [...] be known a priori and even less could it be identified by the Ministry on the basis of any assessment, since the Voucher had to necessarily be accessible not only to companies already established, but also to all those subjects who would have determined to set up a business due to the typical incentive effect of the subsidy measures ";

II) restrict access to anyone who requests it, without having to carry out any type of control:

- would have "nullified [to], in practice, the same measure of reserved access, given that the consultation of the MiSE List should therefore have been granted to anyone";

- "would have represented, for the Ministry, a disproportionate and probably unmanageable burden since the implementation of a software solution and operational processes necessary for the management of these activities would have involved" a "waste of economic resources"; "Timing of implementation of these non-immediate schemes [which] would have risked jeopardizing the timely performance of all the activities necessary for the allocation of the resources allocated for 2019 for the Voucher - which could only be assigned by 31 December 2019 - and thus, therefore, the efficiency and effectiveness of the Ministry initiative ";

III) providing for selective access would not have been in accordance with the will of the legislator considering that:

- "The regulatory sequence provided for by the legislator, nor the transparency objectives related to the provision of public incentives, [would] have not been respected. In fact, only after a transparent consultation of a public list of managers could companies have actually taken the decision to apply for the incentive, but not before ";

- "It is essential for companies that consult the MiSE list to acquire all the information necessary to exercise a conscious choice of the manager most suited to their corporate interest. The data indicated in the CV, provided voluntarily by the managers themselves, were furthermore advertised in the manner already known and accepted by the manager. The subjective identification of the consultant, as well as the professional qualification, is a discriminating and indispensable element for the finalization of the assignment. The DGIAI has offered a public service in the context of a private relationship between professionals and interested companies, so much so that the assessment of the manager's requirements is not up to the DGIAI, which accredits the professionals in the list based on the possession of the access requirements , but to the company for the selection of the manager "(declaration contained in the annex to the minutes of the hearing).

IV) assigning authentication credentials, associated with the certain identity of the subject, to be used for access to any restricted area "would certainly have created obstacles to the successful running of the initiative", among other things, because:

- "there are various systems that allow the use of computer credentials provided by third parties, with the certainty of identification of the person to which they are associated [including the] Public Digital Identity System (" SPID "), [the] National Service Card (" CNS ") and [the] Certified Electronic Mail (" PEC ") [...]" and "the same certainty of identity does not exist even with reference to the owner of an ordinary electronic mailbox";

- considering the "fact that the use of the aforementioned identification tools could not have been made mandatory and binding for access to a public list, since such a practical solution would have represented a" barrier "to access to subsidized contributions, it would be Consequently, it was necessary in any case to provide for a form of authentication using IT credentials, such as traditional e-mail and password, taking care to acquire a copy of the applicant's identity document at the same time as the request for access to the MISE List (see Article 38 of the Presidential Decree 445/2000) ";

- "To manage the consultation in the reserved area of the list of managers, the MISE should therefore have implemented (with the exception of SPID, which would have required an implementation period that was too long for new websites, as in the case of the showcase site miq.dgiai.gov.it, and therefore completely irreconcilable with respect to the timing dictated by the applicable legislation) a system for crediting access with verification, even at sight, of the identity document of all subjects with only the e- ordinary mail but without CNS and / or PEC and should, at the same time, manage systems for the release and management of passwords for users, with dedicated and timely assistance in the event of access anomalies and password release. Anomalies, these, the management of which would have been particularly critical in the closing stages of the procedure, depending on the potential risk for a company of not being able, for example, to recover a manager's tax code in time due to a password forgotten and for the manager himself to lose a job opportunity ».

ASSESSMENTS BY THE GUARANTOR

Also in this case, the reconstruction offered by the MISE clarifies many points of the question and is certainly useful for the purposes of evaluating the conduct, but it does not appear suitable for completely overcoming the critical findings raised by the Office.

From this point of view, the observations of the MISE are preliminarily shared regarding the impossibility of identifying a priori the set of subjects who could actually have been included among the possible beneficiaries of the Vouchers and therefore potentially authorized to consult the list of managers including CVs (see point I above).

We also agree with what is reported regarding the fact that consultation of the list and CVs of managers (as complete as possible) by the companies concerned was essential in order to be able to consciously choose the person deemed most suitable to provide the inherent specialist advice. to the processes of technological and digital transformation functional to their own operational needs, which was the requisite to be able to benefit from the disbursement of the state contribution envisaged for this (so-called “voucher”). With respect to the choice of the manager-consultant, the Ministry also carried out a sort of intermediation for the establishment "of a private relationship between professionals and interested companies" with respect to which "the assessment of the manager's requirements is not up to [the Ministry]", which it had to be limited to "accrediting [re] the professionals in the list on the basis of possession of the requisites for access", but exclusively "to the company for the selection of the manager".

Nevertheless, given the circumstances highlighted, it remains disproportionate in any case to make available to anyone - through the online publication on the Ministry's website without any filter - data and personal information of such a large number of interested parties for two fundamental reasons:

- the generalized knowledge of the aforementioned data did not respond to any reason for transparency, considering that the choice of managers was left to the discretion of the companies concerned, which could not be questioned by the Ministry, and, moreover, not all the managers enrolled in the list would have established professional relationships with the companies concerned because they were rejected by them;

- taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purpose of the processing, as well as risks with different probabilities and gravity for the rights and freedoms of individuals , there are less invasive tools as well as more adequate technical and organizational measures, compared to those implemented by the MISE, capable of "effectively implementing the principles of data protection, such as minimization, and integrating the necessary guarantees in the treatment in order to meet the requirements of this regulation and protect the rights of data subjects "(Article 25 of the RGPD).

From this point of view, in fact, we cannot agree with what is represented by the MISE (see previous point II) that the "regulatory sequence envisaged by the legislator" would have prevented the provision of a simple reserved access, even only to anyone who requested it, for example providing for the assignment to them of username and password, without having to carry out any type of control (tool capable of limiting the scope of circulation of personal data by reducing the risks of improper treatment by third parties) and that this technical device " would have represented, for the Ministry, a disproportionate and probably unmanageable burden […] ». This is because no legislative provision prevented it and the existence of a disproportionate burden is in no way proven on the basis of the accountability principle (Articles 5, par. 2; 24 of the GDPR); nor can it be shared a priori, considering that the data controller is a large entity such as a Ministry, accustomed as such to process huge quantities of personal data of different nature, even sensitive and belonging to particular categories. Furthermore, a long period has elapsed from the time of the adoption of the primary standard (30 December 2018) until the drafting of the relative application provisions (DM 7/5/2019 and DD XX) and the approval of the MISE List (XX) certainly sufficient time to develop solutions that comply with the provisions contained in the RGPD referred to above.

From a technical point of view, there are also some inaccuracies in the reconstruction of the MISE (see previous point IV), which could also have misled it with regard to the decisions taken. In particular, it should be noted that the PEC - contrary to what is reported in the defense brief (see pages 14 and 15) - is not an instrument that presupposes "the prior identification of the person [... it is associated with] by the 'body / organization in charge of [… its] release', as the PEC managers have no obligation to verify the identity of the person requesting the activation of a certified e-mail box. Furthermore, the electronic identity card (CIE), which, like SPID and CNS, can be used for access to network services provided by public administrations should also be included among the suitable tools for identifying subjects ( see Article 64, paragraph 2-quater, of Legislative Decree No. 82 of 7/3/2005, Code of digital administration-CAD).

In this context, considering that the conduct has exhausted its effects, as the data controller declared that the personal data were made available "from the XX (date of approval of the MISE List) to the XX (date on which the site window displaying the CVs of the managers has been closed) ", it is not considered necessary to order, in the context of this proceeding and subsequently, the adoption of specific technical and organizational measures deemed suitable for the specific case that has already occurred.

4.c. on the appointment of the DPO

It was contested to the MISE that, from the investigation and from the research carried out at the Office of the Protocol of the Guarantor, it was found that the appointment of the Data Protection Officer (DPO) was made only on date XX and that the communication to this Authority of contact details of the DPO was made only on XX date. This behavior was found not to comply with the provisions of art. 37, paragraphs 1 and 7, of the RGPD, where the obligation of the aforementioned obligations is envisaged from the date of 25/5/2018 in which the European regulation became applicable.

COMMENTS OF THE MISE

In this regard, in the note of the MISE prot. n. XX of the XX it was represented that:

- "in implementation of article 4-bis of the decree-law of 12 July 2018, no. 86, converted with the law 9 August 2018, n. 97, in order to harmonize the organizational structure with the development of the regulatory framework for the protection of personal data, in consideration of the provisions contained in Regulation (EU) 2016/679, the Ministry has launched a complex process of reorganization of the management offices of general level and of the functions entrusted to them ";

- "As part of the staffing of the MiSE, for the DPO functions, it was intended to proceed with the identification of an ad hoc managerial position, of a general level, among those of consultancy, study and research, conferred pursuant to art . 19 paragraphs 4 and 10 of the legislative decree n. 165/2001 ";

- "As a result of numerous meetings with the General Managers and with the trade unions, the organizational structure of the Ministry was modified with the Decree of the President of the Council of Ministers of 19 June 2019, no. 93, published in G.U. 21 August 2019, n. 195 ";

- «Following publication in the Official Gazette 21 August 2019 n. 195, the aforementioned Prime Ministerial Decree, entered into force on 5 September 2019 and governed the organization of general management offices by amending the Prime Minister's Decree of 5 December 2013, no. 158 ";

- «Therefore, with note no. XX of the XX, the ruling procedure was initiated for the coverage of the managerial position in question. The aforementioned public question was addressed, with note no. XX (published on XX), also to the permanent managers of the Ministry and to the permanent managers of the state administrations "

- "The ruling procedure ended with the assignment of the assignment, for the activities of DPO, pursuant to Article 19, paragraphs 4 and 10 of Legislative Decree 30 March 2001, n. 165, for a period of three years ";

- «The consequent decree of the President of the Council of Ministers adopted on 29 October 2019 ordered the appointment of the DPO of the Ministry and was registered by the Court of Auditors on XX, Reg. Prev. N. XX, as well as sent to the Ministry of Public Administration on XX. On the same date, the General Secretariat sent the DPCM of appointment, with attached employment contract, to the designated person ".

Furthermore, what is reported in the "document relating to the objections raised by the Guarantor" attached to the hearing minutes of the XXth is relevant, where, in addition to what was previously represented, it was highlighted, among other things, that the delay in the formalities required " it depended on the alternation of political bodies, with the installation of a new government on the 20th and the start of the reorganization procedure - following the appointment of the new Minister - of the general management offices, in reform of the previous structure dating back to DPCM December 5, 2013, n.158. The reorganization culminated in the adoption of the Prime Ministerial Decree of 06/19/2019, no. 93 subsequently amended by DPCM 12/12/2019, n. 178. With the organizational change it was intended to strengthen the role of the data protection officer provided for by the European regulation, creating this position from scratch, qualifying the relevant post as a general managerial position to be assigned with a mandate pursuant to art. 19 paragraphs 4 and 10 of the d. lgs. n. 165/2001; distinguishing this figure from that of the Manager for the prevention of corruption and transparency. The appointment of the DPO took place with DPCM 21/10/2019, registered by the Court of Auditors, on XX, at no. XX ".

ASSESSMENTS BY THE GUARANTOR

The MISE confirmed the delay in the obligations provided for by the RGPD relating to the appointment of the DPO, describing the circumstances.

The information reported - even if useful for the purpose of understanding and evaluating the conduct held - does not, however, allow for overcoming the disputes raised by the Office. This especially considering that, since May XX (therefore long before the date of 25/5/2018 of application of the RGPD), this Authority has put in place an articulated information activity aimed at all public subjects regarding the obligations to be carried out, pursuant to the new RGPD (including the obligation to appoint the DPO), which provided for the timely involvement of all the Ministries, by sending a specific communication to the competent Ministers, which was followed by specific meetings with the representatives designated by the Ministry, which took place at the Guarantor, on XX, and at the headquarters of the Bank of Italy on XX.

With reference to the specific case in question, the note prot. n. XX of the XX, found with a note of the Head of Cabinet of the MISE prot. n. XX of the XX.

In the annex to the aforementioned note, the Guarantor had expressly indicated to the public administrations the priorities that should have been taken into consideration in the process of adapting to the new legal framework of the Regulation; the first place of this priority was the designation of the Data Protection Officer - DPO (articles 37-39), highlighting that "this new figure that the Regulation requires is identified on the basis of professional qualities and specialist knowledge of the legislation and of data protection practice constitutes the fulcrum of the process of implementing the principle of "accountability" and that "the direct involvement of the DPO in all matters concerning the protection of personal data, right from the transitional phase, is certainly a guarantee of quality of the result of the ongoing adjustment process ".

5. Outcome of the investigation relating to the whole of the matter submitted to the attention of the Guarantor

In light of all the above, the elements represented in the defensive writings of the MISE - in any case relevant to the assessment of the conduct - are not sufficient to allow the filing of this proceeding pursuant to art. 11 of the Guarantor Regulation n. 1/2019.

In this context, the findings notified by the Office with the note prot. n. XX of the XX and the non-compliance of the processing of personal data subject of this proceeding with the relevant legislation on the protection of personal data is noted, as the Ministry of Economic Development:

1. publishing online personal data (name, tax code, e-mail) and full curriculum vitae (with additional personal data such as, for example, mobile phone, education and training, professional experiences, etc.), referring to more than five thousand subjects interested parties, included in the list of "Qualified managers and consulting companies", has disclosed personal data:

a) in the absence of a suitable regulatory requirement, in violation of art. 2-ter, paragraphs 1 and 3, of the Code and art. 6, par. 1, lett. c) and e); par. 2 and par. 3, lett. b), of the GDPR;

b) in a manner that does not comply with the principles of "lawfulness", "purpose limitation" and "data minimization", in violation of art. 5, par. 1, lett. a), b) and c) of the GDPR;

2. has not designated, being required, the Data Protection Officer (DPO), nor has he communicated his contact details to this Authority after having appointed him, by the date of 25/5/2018 in which it became applicable the RGPD, having provided this fulfillment only after about a year and a half and precisely on XX (for the appointment of the DPO) and on XX (for the communication of contact data), in violation of art. 37, paragraphs 1 and 7, of the GDPR.

Considering, however, that the conduct has exhausted its effects, as the data controller has taken steps to remove the personal data from the institutional website and to implement the obligations provided for by art. 37 of the GDPR in relation to the DPO, without prejudice to what will be said on the application of the pecuniary administrative sanction and the adoption of the warning, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the GDPR.

6. Adoption of the injunction order for the application of the pecuniary administrative sanction (Articles 58, paragraph 2, letter i; 83 of the GDPR)

The Ministry of Economic Development appears to have violated Articles 5, par. 1, lett. a), b) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b); 37, para. 1 and 7, of the GDPR; as well as art. 2-ter, paragraphs 1 and 3, of the Code.

For the violation of the aforementioned provisions - also considering the reference contained in art. 166, paragraph 2, of the Code - the application of the administrative sanctions referred to in art. 83, para. 4 and 5, of the GDPR.

In this regard, art. 83, par. 3, of the RGPD, provides that «If, in relation to the same treatment or related treatments, a data controller or a data processor violates various provisions of this regulation, with willful misconduct or negligence, the total amount of the pecuniary administrative sanction does not exceeds the amount specified for the most serious violation '.

In this case, therefore, the violation of the aforementioned provisions is subject to the most serious administrative fine provided for by art. 83, par. 5, of the GDPR, which therefore applies to the present case.

The Guarantor, pursuant to art. 58, par. 2, lett. i), and 83 of the RGPD, as well as art. 166 of the Code, has the corrective power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of every single case ". In this context, "the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount, taking into account the elements provided for by art. 83, par. 2, of the GDPR.

In this sense, the violation of the regulations on the protection of personal data had as its object the dissemination of personal data; as well as the delay in the appointment of the DPO.

As for the first profile, the disclosure concerned personal data that do not belong to particular categories or to criminal convictions or offenses (articles 9 and 10 of the RGPD), referring to about 5,000 managers and lasted for a limited time. equal to about 30 days. The conduct, based on an incorrect assessment of its compliance with the legislation on the protection of personal data, is of a culpable nature. As a further mitigating element, the context in which the treatment took place and the uncertainty of the regulatory framework deriving from the coexistence of numerous sources approved over time (law, ministerial decree, directorial decree), containing reciprocal references, which, adopted in absence of the mandatory opinion of the Guarantor, could not in any case be autonomously disapplied by the MISE operators. Furthermore, it should also be taken into account that the data controller, while underestimating, in good faith, the risks of the processing, declared that he had in any case "promptly instructed and processed all requests for cancellation from the MiSE List - 11 (eleven) - and all requests for modification of CVs and / or cancellation of personal data on the showcase site - 85 (eighty-five) "(prot. note no. XX of XX, page 12).

As for the delay in the appointment of the DPO, the violation of the provisions contained in art. 37, para. 1 and 7, of the GDPR, lasted for about a year and a half. On this point, while taking note of the circumstances - described in paragraph 4.c above - linked to the contingencies of the alternation of the new political top body and the related administrative reorganization, it is believed that the conduct put in place, albeit of a culpable nature, does not is justifiable in particular in the light of the communication sent by the President of the Authority to the Minister on the 20th and the information activity described above (par. 4.c)) implemented by the Guarantor also towards the MISE.

In any case, it must also be taken into account that the MISE collaborated with the Authority during the investigation of this proceeding and there are no previous violations of the relevant RGPD committed by the aforementioned Ministry

Due to the aforementioned elements, assessed as a whole, it is deemed necessary to determine pursuant to art. 83, para. 2 and 3, of the RGPD, the amount of the pecuniary sanction, provided for by art. 83, par. 5, of the RGPD, to the extent of € 75,000.00 (seventy-five thousand) for the violation of Articles 5, par. 1, lett. a), b) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b); 37, para. 1 and 7, of the GDPR; as well as art. 2-ter, paragraphs 1 and 3, of the Code, as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same RGPD.

It is also believed that - given the specific circumstances of the case submitted to the attention of the Guarantor, relating to the publication on the Internet of the personal data contained in the curriculum of managers in the absence of an appropriate regulatory basis and the appointment of the DPO - should be applied the ancillary sanction of the publication of this provision on the Internet site of the Guarantor, provided for by art. 166, paragraph 7, of the Code and by art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019.

Finally, it is believed that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019.

WHEREAS, THE GUARANTOR

the unlawfulness of the processing carried out by the Ministry of Economic Development in the terms indicated in the motivation pursuant to Articles 58, par. 2, lett. i), and 83 of the GDPR

ORDER

to the Ministry of Economic Development, in the person of the pro-tempore legal representative, with registered office in Via Veneto, 33 - 00187 Rome (RM) - C.F. 80230390587 to pay the sum of € 75,000.00 (seventy-five thousand) as a pecuniary administrative sanction for the violations mentioned in the motivation

INJUNCES

to the same Ministry to pay the total sum of € 75,000.00 (seventy-five thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the l. n. 689/1981.

Please note that the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - of an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of the d. lgs. n. 150 of 1/9/2011 provided for the filing of the appeal as indicated below (Article 166, paragraph 8, of the Code).

HAS

- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and by art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019;

- the annotation in the internal register of the Authority of the violations and measures adopted pursuant to art. 58, par. 2, of the RGPD with this provision, as required by art. 17 of the Guarantor Regulation n. 1/2019.
Pursuant to art. 78 of the RGPD, of the arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad