Garante per la protezione dei dati personali (Italy) - 9697724

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 22.07.2021
Published:
Fine: 200,000 EUR
Parties: Regione Lombardia
National Case Number/Name: 9697724
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: n/a

The Italian DPA (Garante) imposed a fine of €200,000 on the Region of Lombardia (Italy) for publishing personal data of students requiring financial contributions on its website.

English Summary

Facts

The Lombardia region disseminated personal data on its institutional website relating to students accepted or rejected as beneficiaries of grants. The grants were intended for the purchase of textbooks, technological equipment, teaching tools or the provision of scholarships. These grants, however, were reserved for students with a particularly low income (according to the Italian indicator for economic situations, ISEE).

Holding

The Garante found that the publication violated Italian national law, namely Article 26(4) of Legislative Decree 33/2013, which sets, among other things, limits on publishing personal data on recipients of economic grants.

Furthermore, the DPA found that the disclosure of data on subjects with a low income was suitable to reveal a situation of economic and social hardship of the interested parties. In this regard, the Garante considered that the Region Lombardia violated Article 5(1)(a) and (c) GDPR, because the dissemination was not necessary, as well as Article 6(1)(c) and (e) GDPR, due to the absence of a suitable national regulatory provision. Therefore, the Garante imposed a fine of €200,000 on the Region.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of 10 September 2021



[doc. web n. 9697724]

Injunction order against the Lombardy Region - 22 July 2021

Record of measures
n. 296 of 22 July 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "RGPD");

GIVEN the d. lgs. June 30, 2003, n. 196 containing the "Code regarding the protection of personal data" (hereinafter the "Code");

GIVEN the general provision n. 243 of 15/5/2014 containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", published in the Official Gazette n. 134 of 12/6/2014 and in www.gpdp.it, doc. web n. 3134436 (hereinafter "Guidelines on transparency");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web n. 1098801;

Professor Ginevra Cerrina Feroni will be the speaker;

WHEREAS

1. Introduction

This Authority received a report alleging a violation of the legislation on the protection of personal data by the Lombardy Region, caused by the dissemination of personal data on its institutional website.

Specifically, as emerged from the preliminary verification carried out by the Office, from the home page of the institutional website of the aforementioned Region, through the path "XX" / "XX", the web page dedicated to "XX" was opened. From the links included in the part dedicated to "Communications", and precisely to the communication dated XX (url: https: // ...), it was possible to view and download the following documents:

1) "XX" (url: https: // ....). This list clearly reported data referring to no. 23,975 interested parties, such as application ID, applicant's name, student's class, school code and name, application number;

2) "XX" (url: https: // ...). This list clearly reported data referring to no. 59,989 interested parties, such as application ID, applicant's name, student's class, school code and name, application number;

3) "XX" (url: https: // ...). This list clearly reported data referring to no. 20143 interested parties, such as application ID, applicant's name, student's class, school code and name, application number;

4) "XX" (url: https: // ...). This list clearly reported data referring to no. 57 interested parties, such as application ID, applicant's name, student's class, school code and name, application number.

From the documents it emerged that these were lists relating to the selection for the provision of financial contributions for the purchase of textbooks, technological equipment and teaching tools, or for the provision of scholarships by the State, in favor of students resident in Lombardy, enrolled and attending ordinary management courses (both education and vocational training and education), at first and second grade secondary schools, state and equal, or attending accredited educational institutions, based in Lombardy or neighboring regions, on condition that the student returns to his / her residence every day.

To access the grant, it was necessary to have an ISEE value not exceeding approximately € 15,000.00 and the financial contribution for each student could vary from a minimum of € 200 to a maximum of € 500.

2. The legislation on the protection of personal data

Pursuant to the relevant regulations, "personal data" is "any information concerning an identified or identifiable natural person ("interested party")" and "the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data, an online identifier or one or more characteristic elements of its physical, physiological, genetic, psychic, economic, cultural or social identity" (art. 4, par. 1, No. 1, of the GDPR).

In this regard, with particular reference to the case submitted to the attention of this Authority, it is recalled that public entities, such as the Region, may disclose "personal data" only if this operation is provided for "by a law or, in the cases provided for by law, regulation" (Article 2-ter, paragraphs 1 and 3, of the Code), in compliance - in any case - with the principles of data protection, including that of "minimization", on the basis of which personal data must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter c, of the GDPR).

The state legislation of the sector on transparency provides, with reference to the "obligations of publication of the deeds of granting grants, contributions, subsidies and attribution of economic advantages to individuals and public and private entities", that "Public administrations publish the deeds of granting grants, contributions, subsidies and financial aids […], and in any case of economic advantages of any kind to people […] of an amount exceeding one thousand euros" during the calendar year. In any case, "The publication of the identification data of the natural persons recipients of the measures referred to in this article is excluded, if from such data it is possible to obtain information relating [...] to the economic and social hardship of the interested parties" (art. 26, paragraphs 2-4, of Legislative Decree no. 33 of 14/3/2013).

With regard to the online dissemination of personal data of beneficiaries of financial contributions, since 2014, the Guarantor has provided specific indications to public administrations on the precautions to be taken, with general provision no. 243 of 15/5/2014, containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", published in GU n. 134 of 12/6/2014 and in www.gpdp.it, doc. web n. 3134436 (currently being updated, but still current in the substantial part).

In the Guidelines of the Guarantor cited above, it is expressly established, with reference to the obligation to publish the deeds of granting economic benefits (part one, paragraph 9.e), that "the same d. lgs. n. 33/2013 identifies a series of limits to the obligation to publish deeds of granting economic benefits, however named. In fact, the identification data of the natural persons recipients of the granting of grants, contributions, subsidies and allocation of economic advantages, as well as the lists of the relative recipients, cannot be published:

a) for a total amount of less than one thousand euros during the calendar year in favor of the same beneficiary;

[...]

c) of an amount exceeding one thousand euros during the calendar year in favor of the same beneficiary "if from such data it is possible to obtain information relating [...] to the economic and social hardship of the interested parties" (Article 26, paragraph 4, Legislative Decree no. 33/2013) ".

3. Preliminary assessments of the Office on the processing of personal data carried out.

Following the checks carried out on the basis of the elements acquired and the facts that emerged as a result of the investigation, as well as subsequent assessments, the Office with note prot. n. XX of the XX has ascertained that the Lombardy Region - by disseminating the data and information contained in the documents published online described above - has carried out a processing of personal data that does not comply with the relevant regulations on the protection of personal data contained in the RGPD. Therefore, with the same note the violations carried out (pursuant to art. 166, paragraph 5, of the Code) were notified to the Region, communicating the start of the procedure for the adoption of the measures referred to in Article . 2, of the RGPD and inviting the aforementioned administration to send to the Guarantor defensive writings or documents and, if necessary, to ask to be heard by this Authority, within the term of 30 days (Article 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 11/24/1981).

4. Defense briefs.

The Lombardy Region, with the note prot. n. XX of the XX, has sent to the Guarantor its defensive writings in relation to the notified violations.

In this regard, please note that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false documents or documents, is liable pursuant to art. 168 of the Code, entitled "False statements to the Guarantor and interruption of the performance of the duties or the exercise of the powers of the Guarantor".

Specifically, with regard to the conduct held, the entity highlighted, among other things, that:

- "The acts relating to the aforementioned call, as relating to the granting of concessions for the purchase of textbooks, technological equipment and teaching tools, or relating to the provision, by the State, of a scholarship, and in any case aimed at supporting the expenditure of families in completing the school course, both in the education system and in the education and professional training system, are certainly attributable to the cases recorded in the aforementioned art. 26, paragraph 2, of Legislative Decree 33/2013";

- "Lombardy Region has not considered applicable, to the present case, the exception provided for under art. 26, paragraph 4, legislative decree 33/2013, by virtue of which the publication of the identification data of the natural persons recipients of the measures referred to in this article would be excluded, if from such data it is possible to obtain information relating to the state of health or the situation of economic and social hardship of the interested parties";

- "It is noted, in fact, that the rule in question identifies two distinct cases of derogation from the general obligation to publish data, namely: *) if from such data it is possible to obtain information relating to the state of health; or *) if from such data it is possible to obtain information relating to a situation of economic and social hardship of the interested parties. While the first case considered refers to an objective circumstance (information relating to the state of health), the second case contemplated presupposes a discretionary assessment of the nature of the data processed and their ability to describe, or not, an actual situation of economic and social hardship [...]";

- "Lombardy Region, as data controller and in the exercise of the aforementioned discretionary power of assessment, has held that the ISEE value, required for admission to the benefits referred to in the notice in question and indicated in accordance with the law at € 15,748.78, was a mere threshold of access to the benefit itself and not identifying an actual state of social and / or economic hardship. In support of similar reasoning, we recall the definition criteria of "condition of social and / or economic hardship" used by the jurisprudence of legitimacy (see Cass. Civ. N. 6505/2015), which has always reiterated that the "state of discomfort" must be understood in a rigorous sense and consists of a "condition that is objectively worse than that of the generality of the associates"";

- "To this we must add that in general every situation of economic and social disadvantage must be verified in the specific case, so that "presumed" conditions of disadvantage actually correspond to a state of particular weakness worthy of protection and attention. Furthermore, the real objective of the regional measure in question was to provide auxiliary support simply according to the ISEE parameter. Starting from these assumptions, the Region has always acted in the conviction of carrying out a treatment that complies with the rules referred to in EU REG 679/2016";

- "From a different point of view, it is highlighted how other measures provide for income thresholds. Think for example of the so-called Citizenship Income, where a threshold of € 9,360 is set, while the common local initiatives to combat poverty establish access limits that are on average also much lower. All these values are well below the threshold for access to the tender in question, so it seems unlikely that the indication of the above ISEE value (below which, according to ISTAT data, almost half of the Italian population falls) may in itself be a direct or indirect indication of social hardship. In this case, the Lombardy Region acknowledges only the data deriving from the liquidation of the subsidies and / or scholarships, adding nothing in relation to the income positions of either the students or, least of all, the relative family unit. An ISEE value of approximately 15,000 euros represents the parameter of a significant percentage of Italian families. In fact, if we refer to ISTAT data (query http://dati.istat.it/ on 27/5/2021), the net incomes of Italian families residing in the North West in 2018 amounted to an average of 35,000 euros per year, which correspond to an average ISEE of approximately 12 thousand euros. In this typical income context of our country, not being able to provide the book contribution to all those entitled to it, the Lombardy Region has established as a priority criterion for assignment an economic parameter that could affect a wide range of beneficiaries (contributions for a total of 21,862,470 euros, to 104,107 beneficiary students) and, as such, certainly not identifying a condition of "economic and social hardship"";

- "Believing that it operates in compliance with current legislation on data protection, the Lombardy Region has also deemed it appropriate to publish the list of subjects admitted to the benefit, in simple alphabetical order, without reproducing any type of "ranking" from which any elements of discrimination or circumstances inherent in the balance sheet of the individual applicant could be deduced";

- "A final consideration is made in relation to the minimum contribution threshold (quantified in € 1,000.00), considered by art. 26, paragraph 2, of Legislative Decree 33/2013. On this point it is appropriate to recall the general provision of the Guarantor Authority no. 243 of 15/5/2014, containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", expressly certifying that, "where the administration has issued several provisions which, during the calendar year, have ordered the granting of economic advantages to the same subject, exceeding the ceiling of one thousand euros, the amount of the economic advantage paid, referred to in art. 27, c. 1, lett. b), of the decree, is to be understood as the sum of all the disbursements made in the reference period. In such cases, the administration must necessarily publish, as a legal condition of effectiveness, the deed that involves exceeding the threshold of one thousand euros, also referring to the previous attributions that overall contributed to the aforementioned exceeding the threshold". On these assumptions, the Lombardy Region deemed it necessary to fulfill the transparency obligations imposed by art. 26, Legislative Decree 33/2013, considering that at least part of the 104 thousand beneficiaries of the Dote Scuola - Didactic material for the year 2020 has been the beneficiary of other regional contributions (including the contributions of other components of the Dote Scuola), thus exceeding the aforementioned threshold, a discriminating criterion for the purposes of the obligation to publish";

- "In compliance with Law no. 241/1990 the Lombardy Region has assessed to protect the interest of non-beneficiaries to be able to view the documents (results of the announcement). This is in order to allow non-beneficiary participants to access the documents [...]. The list of those not admitted has also been drawn up and published in alphabetical order";

- "The Lombardy Region believes that it has operated in accordance with the legislation on the protection of personal data. Nevertheless, aware of the importance that any further technical and organizational measure that can be adopted in order to raise the level of protection of the rights of the data subjects - and having taken note of the findings highlighted by the Guarantor Authority - it promptly took action, on the one hand to cease the processing of disputed data, and on the other hand to program (privacy by design) and adopt new solutions, to manage the processes of publication of the results of the calls, in accordance with the indications provided by the Authority";

- "In any case, the personal data in question were promptly removed from the institutional site and are no longer accessible at the URLs indicated in the notification of violation of 05.17.2021";

- "In any case, with a view to loyal cooperation and in the light of what emerged from the notification, the Regional Directorates General called "Education, University, Research, Innovation and Simplification" and "Job Training" have started a careful reflection on the improvement actions to be undertaken, also for the future, and this to protect the end users of the affiliates according to the principles of the EU REG 679/2016 and the specific directives of the Guarantor Authority. With regard to the "School voucher" measure for the school year 2020/2021, we inform you that, in relation to the regional decrees with which the lists of beneficiaries were approved, adequate technical measures have been adopted for the purposes of data processing: such as identification with the ID code of the application, acknowledging the indications of the Authority";

- "Based on the analyses carried out in the design phase of the measure "Good school for the school year 2021/2022" the main technical and organizational measures being evaluated would be the following:

communication to applicants / beneficiaries about the outcome of the call in a "one to one" mode directly within the BandiOnLine regional platform;

“strong” authentication via SPID, CIE and PIN or CNS / TS and PIN to access the BandiOnLine platform. This authentication method would guarantee secure and digital access to the platform by the user who submits the application for assistance;

use of a unique and unique identification of the application - automatically generated in the initial phase of preparation of the request - associated with the user authenticated in the system. This initially temporary identifier (id) will be consolidated at the same time as the application is sent and registered and will be associated exclusively with the profiled user";

- "It should be noted that in this operating system only through certified access to the platform it will be possible to trace the id of the application forwarded to the Lombardy Region (unless the user has printed locally the receipt of the transmission with the application protocol) and - consequently - search through the same the status and information relating to the administrative procedure in progress. In essence, the profiling (SPID, CIE and PIN and / or CNS / TS and PIN) would allow the exclusive display of the ID of the profiled person and not of others. It follows that with the id alone, it will not be possible in any way to trace personal information and / or content present in the system".

5. Evaluations of the Guarantor

The issue that is the subject of the case submitted to the attention of the Guarantor concerns the online dissemination on the institutional website of the Lombardy Region of personal data and information referring to students who are beneficiaries and non-beneficiaries of financial contributions (from 200 to 500 euros) - for the purchase of textbooks, technological equipment and tools for teaching, or for the provision of scholarships, by the State - reserved for subjects with an ISEE value not exceeding approximately 15,000.00 euros.

As part of the investigation opened in this regard by this Authority, the Lombardy Region confirmed, in its defense briefs, the online dissemination of the personal data described, justifying its conduct "from the absolute conviction that the processing carried out did not show any situation of so-called "economic and social hardship of the interested parties" recipients of the provisions for granting the school voucher", having considered that the ISEE value required for admission to the benefits (equal to € 15,748.78) "was a mere threshold of access to the benefit itself and not identifying an actual state of social and / or economic hardship".

In this regard, however, it should be remembered that the ISEE is the "Indicator of the Equivalent Economic Situation" - calculated, among other things, on the basis of the number of family members, the sum of their income and a percentage of their assets - which serves, among other things, to evaluate and compare the economic situation of families.

The prohibition provided for by art. 26, paragraph 4, of the d. lgs. n. 33/2013 on disclosing, for transparency purposes, identification data of recipients of economic contributions from which information relating to "the economic and social hardship of the interested parties" can be obtained is - as also highlighted by the Guarantor in the Guidelines on transparency - "a ban functional to the protection of the dignity, rights and fundamental freedoms of the interested party (Article 2 of the Code), in order to avoid that subjects who find themselves in disadvantaged conditions - economic or social - suffer the embarrassment of the diffusion of such information, or may be subjected to undesirable consequences, due to the knowledge of third parties of the particular personal situation" (see part one, par. 9.e). From this point of view, in the same Guidelines it was also specified that in any case - in the light of the principle of necessity, relevance and not excess (today all converged into the more general principle of "minimization" of the data referred to in Article 5, par. 1, letter c, of the RGPD) - "it is not justified to disseminate, among other things, data such as, for example, [...] the breakdown of assignees according to the bands of the Equivalent Economic Situation Indicator-Isee, the indication of analytical income situations, conditions of need [...], etc." (ibid).

For all the foregoing - contrary to what is held by the Lombardy Region - it is believed that the dissemination of the identification data of students benefiting from financial contributions (for the purchase of textbooks, technological equipment and teaching tools, or for the disbursement of scholarships) together with the fact that they are holders of an ISEE not exceeding € 15,748.78 (requirement to be admitted to the economic benefit) does not comply with the prohibition of dissemination for purposes of transparency of the identification data of beneficiaries of economic contributions from which it is possible to obtain information relating to "the economic and social hardship of the interested parties" provided for by art. 26, paragraph 4, of the d. lgs. n. 33/2013, as it is suitable in any case to make known to a general public the particular economic situation of the student's family associated with the relative not particularly high ISEE. Furthermore, in any case, the dissemination of information relating to the Isee equivalent economic situation indicator of the interested parties is completely disproportionate to the purpose of transparency provided for by the sector regulations, as the data disclosed are not "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed", in violation of the principle of minimization (Article 5, paragraph 1, letter c, of the GDPR; Guidelines of the Guarantor on transparency, part one, paragraph 9.e).

For the profiles considered, the observations contained in the jurisprudence cited by the Region (Cass. Civ. N. 6505/2015) cannot be considered in the present case, taking into account that the case concerned a completely different case from the one in question. Nor is it clear how the circumstance - highlighted in the defense briefs - for which an "ISEE value equal to about 15,000 euros represents the proper parameter of a significant percentage of Italian families" can represent a useful indicator for deciding whether or not to disseminate the personal data of the relevant members, especially taking into account that undoubtedly the aforementioned ISEE does not refer to particularly high incomes.

Instead, in relation to the fact that "at least a part of the 104 thousand beneficiaries of the Dote Scuola - Didactic Material for the year 2020 [would] have been the beneficiary of other regional contributions (including the contributions of other components of the Dote Scuola)", exceeding the threshold of one thousand euros which obliges the administration to publish the related personal data pursuant to art. 26, paragraph 2, of the d. lgs. n. 33/2013, it should be noted that this circumstance - on the one hand - has not been proven in the documents and - on the other - in any case it would not apply to all the 104,000 students concerned. In any case, it is believed that even for this hypothesis - in light of the observations reported above regarding the existence of the exception contained in art. 26, paragraph 4, of the d. lgs. n. 33/2013 and the principle of data minimization (Article 5, paragraph 1, letter c, RGPD) - the identification data of the beneficiaries cannot be disseminated.

As for the dissemination of personal data of subjects who were not beneficiaries of any economic contribution, it is not possible to accept the exception advanced by the Lombardy Region for which the relative publication was necessary to "protect the interest of non-beneficiaries to be able to view the documents (results of the call for proposals) [and] allow non-beneficiary participants to access the documents as well". This is because the related publication is not supported by any suitable regulatory provision (law or, in the cases provided for by law, regulation) that may justify the online dissemination of the related personal data pursuant to art. 2-ter, paragraphs 1 and 3, of the Code.

6. Outcome of the investigation relating to the report submitted

For all of the above, the circumstances highlighted in the defense writings examined as a whole, certainly worthy of consideration for the purpose of evaluating the conduct, are not sufficient to allow the filing of this proceeding, since none of the hypotheses provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies. This also considering that since 2014 the Authority, in the Guidelines on transparency and online publication mentioned above, has provided all public administrations with specific indications on how to reconcile the transparency and publicity obligations of the administrative action with the right to the protection of the personal data of the interested parties.

In this context - while understanding the difficult balance between the need for transparency and protection of personal data subject to evaluation, case by case, by the data controller, especially in relation to the identification of cases in which provisions for the provision of economic benefits reveal the existence of a situation of economic or social hardship in which the interested party finds himself who does not allow its disclosure - the preliminary assessments of the Office contained in the note prot. n. XX of the XX are confirmed and the unlawfulness of the processing of personal data carried out by the Lombardy Region is noted, as with the online publication of the documents identified above in nos. from 1 to 4 of par. 1:

a) personal data of beneficiaries of economic contributions of less than one thousand euros have been disclosed, reserved for subjects with a low ISEE, suitable for revealing a situation of economic and social hardship of the interested parties, in the absence of suitable regulatory conditions, in violation of the art. 2-ter, paragraphs 1 and 3, of the Code and art. 26, paragraph 4, of the d. lgs. 33/2013; as well as the basic principles of processing contained in articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR;

b) information relating to the ISEE of the students benefiting from the financial contribution has been disclosed in violation of the principle of minimization (Article 5, paragraph 1, letter c, of the RGPD);

c) personal data of subjects who have not been admitted to any economic benefit have been disclosed (see "XX" identified above in paragraph 1, no. 4), in the absence of suitable regulatory conditions, in violation of art. 2-ter, paragraphs 1 and 3, of the Code, as well as the basic principles of processing contained in articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR;

Considering, however, that the conduct has exhausted its effects, as the data controller declared that "the personal data in question have been promptly removed from the institutional site and are no longer accessible to the URLs indicated in the violation notification", without prejudice to what will be said on the application of the pecuniary administrative sanction, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the GDPR are not met.

7. Adoption of the injunction order for the application of the pecuniary administrative sanction (Articles 58, paragraph 2, letter i; 83 of the GDPR)

The Lombardy Region appears to have violated Articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR; as well as art. 2-ter, paragraphs 1 and 3, of the Code (see also Article 26, paragraph 4, of Legislative Decree 33/2013).

In this regard, art. 83, par. 3, of the RGPD, provides that «If, in relation to the same treatment or related treatments, a data controller or a data processor violates various provisions of this regulation, with willful misconduct or negligence, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation».

In the present case, the violation of the aforementioned provisions - also considering the reference contained in art. 166, paragraph 2, of the Code - is subject to the application of the same administrative fine provided for by art. 83, par. 5, of the GDPR, which therefore applies to the case in question.

The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the RGPD, as well as art. 166 of the Code, has the corrective power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of every single case ". In this context, "the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount, taking into account the elements provided for by art. 83, par. 2, of the GDPR.

In this sense, the detected conduct in violation of the regulations on the protection of personal data is of a culpable nature and involved the online dissemination of personal data, for an extended period of time, almost 11 months, not belonging to particular categories or criminal convictions or offenses (articles 9 and 10, of the RGPD), however referring to a considerable number of interested parties (more than one hundred thousand students). The Lombardy Region is a large territorial body with almost 10,000,000 inhabitants. Following the request of the Office, the administration intervened promptly, collaborating with the Authority during the investigation of this proceeding in order to remedy the violation, mitigating its possible negative effects. In any case, the difficult balance between the need for transparency and protection of personal data must be taken into account, subject to evaluation, case by case, by the data controller, especially in relation to the identification of cases in which measures for the provision of economic benefits reveal the existence of a situation of economic or social hardship in which the interested party finds himself who does not allow its disclosure. In this regard, the technical and organizational measures described in the defense briefs that can be implemented pursuant to Articles 25-32 for compliance with the RGPD. In any case, there are no previous relevant violations of the RGPD committed by the entity.

Due to the aforementioned elements, assessed as a whole, it is deemed necessary to determine pursuant to art. 83, para. 2 and 3, of the RGPD, the amount of the pecuniary sanction, provided for by art. 83, par. 5, of the RGPD, to the extent of € 200,000.00 (two hundred thousand) for the violation of Articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the RGPD, as well as of art. 2-ter, paragraphs 1 and 3, of the Code (see also Article 26, paragraph 4, of Legislative Decree 33/2013); as a pecuniary administrative sanction deemed effective, proportionate and sufficiently dissuasive due to its amount pursuant to art. 83, par. 1, of the same RGPD.

In relation to the specific circumstances of this case, relating to the dissemination of personal data online in the absence of a suitable legal basis and in violation of the principle of data minimization (Article 5, paragraph 1, letter c, GDPR), it is also considered that the ancillary sanction of the publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7, of the Code and by art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, should be applied.

Finally, it is believed that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

detected the unlawfulness of the processing carried out by the Lombardy Region in the terms indicated in the motivation pursuant to Articles 58, par. 2, lett. i), and 83 of the GDPR

ORDERS

to the Lombardy Region, in the person of the pro-tempore legal representative, with registered office in Piazza Città di Lombardia, 1 - 20124 Milan (MI) - C.F. 80050050154 to pay the sum of Euro 200,000.00 (two hundred thousand) as a pecuniary administrative sanction for the violations mentioned in the motivation;

ENJOINS

to the same Region to pay the sum of EUR 200,000.00 (two hundred thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the l. n. 689/1981.

Please note that the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of the d. lgs. n. 150 of 1/9/2011 provided for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code).

PROVIDES FOR

- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and by art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019;

- the annotation in the internal register of the Authority of the violations and measures adopted pursuant to art. 58, par. 2, of the RGPD with this provision, as required by art. 17 of the Guarantor Regulation n. 1/2019.

Pursuant to art. 78 of the RGPD, of the arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, July 22, 2021

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei













SEE ALSO Newsletter of 10 September 2021



[doc. web n. 9697724]

Injunction order against the Lombardy Region - 22 July 2021

Record of measures
n. 296 of 22 July 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "RGPD");

GIVEN the d. lgs. June 30, 2003, n. 196 containing the "Code regarding the protection of personal data" (hereinafter the "Code");

GIVEN the general provision n. 243 of 15/5/2014 containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", published in the Official Gazette. n. 134 of 12/6/2014 and in www.gpdp.it, doc. web n. 3134436 (hereinafter "Guidelines on transparency");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web n. 1098801;

Professor Ginevra Cerrina Feroni acting as rapporteur;

WHEREAS

1. Introduction

This Authority received a report, with which a violation of the legislation on the protection of personal data by the Lombardy Region caused by the dissemination of personal data on the institutional website was contested.

Specifically, as emerged from the preliminary verification carried out by the Office, from the home page of the institutional website of the aforementioned Region, through the path "XX" / "XX", the web page dedicated to "XX" was opened. From the links included in the part dedicated to "Communications", and precisely to the communication dated XX (url: https: // ...), it was possible to view and download the following documents:

1) "XX" (url: https: // ....). This list clearly reported data referring to no. 23,975 interested parties, such as application ID, applicant's name, student's class, school code and name, application number;

2) "XX" (url: https: // ...). This list clearly reported data referring to no. 59,989 interested parties, such as application ID, applicant's name, student's class, school code and name, application number;

3) "XX" (url: https: // ...). This list clearly reported data referring to no. 20,143 interested parties, such as application ID, applicant's name, student's class, school code and name, application number;

4) "XX" (url: https: // ...). This list clearly reported data referring to no. 57 interested parties, such as application ID, applicant's name, student's class, school code and name, application number.

From the documents it emerged that these were lists relating to the selection for the provision of financial contributions for the purchase of textbooks, technological equipment and teaching tools, or for the provision of scholarships by the State, in favor of students resident in Lombardy, enrolled and attending ordinary management courses (both education and vocational training and education), at first and second grade secondary schools, state and equal, or attending accredited educational institutions, based in Lombardy or neighboring regions, on condition that the student returns to his / her residence every day.

To access the grant, it was necessary to have an ISEE value not exceeding approximately € 15,000.00 and the financial contribution for each student could vary from a minimum of € 200 to a maximum of € 500.

2. The legislation on the protection of personal data

Pursuant to the relevant regulations, "personal data" is "any information concerning an identified or identifiable natural person ("interested party")" and "the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data, an online identifier or one or more characteristic elements of its physical, physiological, genetic, psychic, economic, cultural or social identity" (art. 4, par. 1, no. 1, of the GDPR).

In this regard, with particular reference to the case submitted to the attention of this Authority, it is recalled that public entities, such as the Region, may disclose "personal data" only if this operation is provided for "by a law or, in the cases provided for by law, regulation" (Article 2-ter, paragraphs 1 and 3, of the Code), in compliance - in any case - with the principles of data protection, including that of "minimization", on the basis of which personal data must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter c, of the GDPR).

The state legislation of the sector on transparency provides, with reference to the "obligations of publication of the deeds of granting grants, contributions, subsidies and attribution of economic advantages to individuals and public and private entities", that "Public administrations publish the deeds of granting grants, contributions, subsidies and financial aids […], and in any case of economic advantages of any kind to people […] of an amount exceeding one thousand euros »during the calendar year. In any case, "The publication of the identification data of the natural persons recipients of the measures referred to in this article is excluded, if from such data it is possible to obtain information relating [...] to the economic and social hardship of the interested parties" (art. 26 , paragraphs 2-4, of Legislative Decree no. 33 of 14/3/2013).

With regard to the online dissemination of personal data of beneficiaries of financial contributions, since 2014, the Guarantor has provided specific indications to public administrations on the precautions to be taken, with general provision no. 243 of 15/5/2014, containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", published in GU n. 134 of 12/6/2014 and in www.gpdp.it, doc. web n. 3134436 (currently being updated, but still current in the substantial part).

In the Guidelines of the Guarantor cited above, it is expressly established, with reference to the obligation to publish the deeds of granting economic benefits (part one, paragraph 9.e), that "the same d. lgs. n. 33/2013 identifies a series of limits to the obligation to publish deeds of granting economic benefits, however named. In fact, the identification data of the natural persons recipients of the granting of grants, contributions, subsidies and allocation of economic advantages, as well as the lists of the relative recipients, cannot be published:

a) for a total amount of less than one thousand euros during the calendar year in favor of the same beneficiary;

[...]

c) of an amount exceeding one thousand euros during the calendar year in favor of the same beneficiary "if from such data it is possible to obtain information relating [...] to the economic and social hardship of the interested parties" (Article 26, paragraph 4, Legislative Decree no. 33/2013) ".

3. Preliminary assessments of the Office on the processing of personal data carried out.

Following the checks carried out on the basis of the elements acquired and the facts that emerged as a result of the investigation, as well as subsequent assessments, the Office with note prot. n. XX of the XX has ascertained that the Lombardy Region - by disseminating the data and information contained in the documents published online described above - has carried out a processing of personal data that does not comply with the relevant regulations on the protection of personal data contained in the RGPD. Therefore, with the same note the violations carried out (pursuant to art.166, paragraph 5, of the Code) were notified to the Region, communicating the start of the procedure for the adoption of the measures referred to in Article . 2, of the RGPD and inviting the aforementioned administration to send to the Guarantor defensive writings or documents and, if necessary, to ask to be heard by this Authority, within the term of 30 days (Article 166, paragraphs 6 and 7, of the Code; as well as art.18, paragraph 1, of law no. 689 of 11/24/1981).

4. Defense briefs.

The Lombardy Region, with the note prot. n. XX of the XX, has sent to the Guarantor its defensive writings in relation to the notified violations.

In this regard, please note that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents, is liable pursuant to art. 168 of the Code, entitled "False statements to the Guarantor and interruption of the performance of the duties or the exercise of the powers of the Guarantor".

Specifically, with regard to the conduct held, the entity highlighted, among other things, that:

- "The acts relating to the aforementioned call, as relating to the granting of concessions for the purchase of textbooks, technological equipment and teaching tools, or relating to the provision, by the State, of a scholarship , and in any case aimed at supporting the expenditure of families in completing the school course, both in the education system and in the education and professional training system, are certainly attributable to the cases recorded in the aforementioned art. 26, paragraph 2, of Legislative Decree 33/2013 ";

- "Lombardy Region has not considered applicable, to the present case, the exception provided for under art. 26, paragraph 4, legislative decree 33/2013, by virtue of which the publication of the identification data of the natural persons recipients of the measures referred to in this article would be excluded, if from such data it is possible to obtain information relating to the state of health or the situation of economic and social hardship of the interested parties "";

- «It is noted, in fact, that the rule in question identifies two distinct cases of derogation from the general obligation to publish data, namely: *) if from such data it is possible to obtain information relating to the state of health; or *) if from such data it is possible to obtain information relating to a situation of economic and social hardship of the interested parties. While the first case considered refers to an objective circumstance (information relating to the state of health), the second case contemplated presupposes a discretionary assessment of the nature of the data processed and their ability to describe, or not, an actual situation of economic and social hardship [...] ";

- "Lombardy Region, as data controller and in the exercise of the aforementioned discretionary power of assessment, has held that the ISEE value, required for admission to the benefits referred to in the notice in question and indicated in accordance with the law at € 15,748.78, was a mere threshold of access to the benefit itself and not identifying an actual state of social and / or economic hardship. In support of similar reasoning, we recall the definition criteria of "condition of social and / or economic hardship" used by the jurisprudence of legitimacy (see Cass. Civ. N. 6505/2015), which has always reiterated that the "state of discomfort" must be understood in a rigorous sense and consists of a "condition that is objectively worse than that of the generality of the associates"";

- «To this we must add that in general every situation of economic and social disadvantage must be verified in the specific case, so that“ presumed ”conditions of disadvantage actually correspond to a state of particular weakness worthy of protection and attention. Furthermore, the real objective of the regional measure in question was to provide auxiliary support simply according to the ISEE parameter. Starting from these assumptions, the Region has always acted in the conviction of carrying out a treatment that complies with the rules referred to in EU REG 679/2016 ";

- «From a different point of view, it is highlighted how other measures provide for income thresholds. Think for example of the so-called Citizenship Income, where a threshold of € 9,360 is set, while the common local initiatives to combat poverty establish access limits that are on average also much lower. All these values are well below the threshold for access to the tender in question, so it seems unlikely that the indication of the above ISEE value (below which, according to ISTAT data, almost half of the Italian population falls) may in itself be a direct or indirect indication of social hardship. In this case, the Lombardy Region acknowledges only the data deriving from the liquidation of the subsidies and / or scholarships, adding nothing in relation to the income positions of either the students or, least of all, the relative family unit. An ISEE value of approximately 15,000 euros represents the parameter of a significant percentage of Italian families. In fact, if we refer to ISTAT data (query http://dati.istat.it/ on 27/5/2021), the net incomes of Italian families residing in the North West in 2018 amounted to an average of 35,000 euros per year, which correspond to an average ISEE of approximately 12 thousand euros. In this typical income context of our country, not being able to provide the book contribution to all those entitled to it, the Lombardy Region has established as a priority criterion for assignment an economic parameter that could affect a wide range of beneficiaries (contributions for a total of 21,862,470 euros, to 104,107 beneficiary students) and, as such, certainly not identifying a condition of "economic and social hardship"»;

- "Believing that it operates in compliance with current legislation on data protection, the Lombardy Region has also deemed it appropriate to publish the list of subjects admitted to the benefit, in simple alphabetical order, without reproducing any type of" ranking "from which any elements of discrimination or circumstances inherent in the balance sheet of the individual applicant could be deduced ";

- "A final consideration is made in relation to the minimum contribution threshold (quantified in € 1,000.00), considered by art. 26, paragraph 2, of Legislative Decree 33/2013. On this point it is appropriate to recall the general provision of the Guarantor Authority no. 243 of 15/5/2014, containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", expressly certifying that, "where the administration has issued several provisions which, during the calendar year, have ordered the granting of economic advantages to the same subject, exceeding the ceiling of one thousand euros, the amount of the economic advantage paid, referred to in art. 27, c. 1, lett. b), of the decree, is to be understood as the sum of all the disbursements made in the reference period. In such cases, the administration must necessarily publish, as a legal condition of effectiveness, the deed that involves exceeding the threshold of one thousand euros, also referring to the previous attributions that overall contributed to the aforementioned exceeding the threshold". On these assumptions, the Lombardy Region deemed it necessary to fulfill the transparency obligations imposed by art. 26, Legislative Decree 33/2013, considering that at least part of the 104 thousand beneficiaries of the Dote Scuola - Didactic material for the year 2020 has been the beneficiary of other regional contributions (including the contributions of other components of the Dote Scuola), thus exceeding the aforementioned threshold, a discriminating criterion for the purposes of the obligation to publish";

- «In compliance with Law no. 241/1990 the Lombardy Region has assessed to protect the interest of non-beneficiaries to be able to view the documents (results of the announcement). This is in order to allow non-beneficiary participants to access the documents [...]. The list of those not admitted has also been drawn up and published in alphabetical order ";

- «The Lombardy Region believes that it has operated in accordance with the legislation on the protection of personal data. Nevertheless, aware of the importance that any further technical and organizational measure that can be adopted in order to raise the level of protection of the rights of the data subjects - and having taken note of the findings highlighted by the Guarantor Authority - it promptly took action, on the one hand to cease the processing of disputed data, and on the other hand to program (privacy by design) and adopt new solutions, to manage the processes of publication of the results of the calls, in accordance with the indications provided by the Authority ";

- "In any case, the personal data in question were promptly removed from the institutional site and are no longer accessible at the URLs indicated in the notification of violation of 05.17.2021";

- "In any case, with a view to loyal cooperation and in the light of what emerged from the notification, the Regional Directorates General called "Education, University, Research, Innovation and Simplification" and "Job Training" have started a careful reflection on the improvement actions to be undertaken, also for the future, and this to protect the end users of the affiliates according to the principles of the EU REG 679/2016 and the specific directives of the Guarantor Authority. With regard to the "School voucher" measure for the school year 2020/2021, we inform you that, in relation to the regional decrees with which the lists of beneficiaries were approved, adequate technical measures have been adopted for the purposes of data processing: such as identification with the ID code of the application, acknowledging the indications of the Authority";

- "Based on the analyzes carried out in the design phase of the measure" Good school for the school year 2021/2022 "the main technical and organizational measures being evaluated would be the following:

communication to applicants / beneficiaries about the outcome of the call in a "one to one" mode directly within the BandiOnLine regional platform;

“strong” authentication via SPID, CIE and PIN or CNS / TS and PIN to access the BandiOnLine platform. This authentication method would guarantee secure and digital access to the platform by the user who submits the application for assistance;

use of a unique and unique identification of the application - automatically generated in the initial phase of preparation of the request - associated with the user authenticated in the system. This initially temporary identifier (id) will be consolidated at the same time as the application is sent and registered and will be associated exclusively with the profiled user ";

- "It should be noted that in this operating system only through certified access to the platform it will be possible to trace the id of the application forwarded to the Lombardy Region (unless the user has printed locally the receipt of the transmission with the application protocol) and - consequently - search through the same the status and information relating to the administrative procedure in progress. In essence, the profiling (SPID, CIE and PIN and / or CNS / TS and PIN) would allow the exclusive display of the ID of the profiled person and not of others. It follows that with the id alone, it will not be possible in any way to trace personal information and / or content present in the system ".

5. Evaluations of the Guarantor

The issue that is the subject of the case submitted to the attention of the Guarantor concerns the online dissemination on the institutional website of the Lombardy Region of personal data and information referring to students who are beneficiaries and non-beneficiaries of financial contributions (from 200 to 500 euros) - for the purchase of textbooks, technological equipment and tools for teaching, or for the provision of scholarships, by the State - reserved for subjects with an ISEE value not exceeding approximately 15,000.00 euros.

As part of the investigation opened in this regard by this Authority, the Lombardy Region confirmed, in its defense briefs, the online dissemination of the personal data described, justifying its conduct "from the absolute conviction that the processing carried out did not show any situation of so-called "economic and social hardship of the interested parties" recipients of the provisions for granting the school voucher", having considered that the ISEE value required for admission to the benefits (equal to € 15,748.78) "was a mere threshold of access to the benefit itself and not identifying an actual state of social and / or economic hardship".

In this regard, however, it should be remembered that the ISEE is the "Indicator of the Equivalent Economic Situation" - calculated, among other things, on the basis of the number of family members, the sum of their income and a percentage of their assets - which serves, among other things, to evaluate and compare the economic situation of families.

The prohibition provided for by art. 26, paragraph 4, of the d. lgs. n. 33/2013 on disclosing, for transparency purposes, identification data of recipients of economic contributions from which information relating to "the economic and social hardship of the interested parties" can be obtained is - as also highlighted by the Guarantor in the Guidelines on transparency - "a ban functional to the protection of the dignity, rights and fundamental freedoms of the interested party (Article 2 of the Code), in order to avoid that subjects who find themselves in disadvantaged conditions - economic or social - suffer the embarrassment of the diffusion of such information, or may be subjected to undesirable consequences, due to the knowledge of third parties of the particular personal situation" (see part one, par. 9.e). From this point of view, in the same Guidelines it was also specified that in any case - in the light of the principle of necessity, relevance and non-excess (today all merged into the more general principle of "minimization" of the data referred to in Article 5, par. 1, letter c, of the RGPD) - "it is not justified to disseminate, among other things, data such as, for example, [...] the breakdown of assignees according to the bands of the Equivalent Economic Situation Indicator (ISEE), the indication of analytical income situations, conditions of need [...], etc." (ibid).

For all the foregoing - contrary to what is held by the Lombardy Region - it is believed that the dissemination of the identification data of students benefiting from financial contributions (for the purchase of textbooks, technological equipment and teaching tools, or for the disbursement of scholarships) together with the fact that they are holders of an ISEE not exceeding € 15,748.78 (requirement to be admitted to the economic benefit) does not comply with the prohibition of dissemination for purposes of transparency of the identification data of beneficiaries of economic contributions from which it is possible to obtain information relating to "the economic and social hardship of the interested parties" provided for by art. 26, paragraph 4, of the d. lgs. n. 33/2013, as it is suitable in any case to make known to the general public the particular economic situation of the student's family associated with the relevant, not particularly high, ISEE. Furthermore, in any case, the dissemination of information relating to the ISEE equivalent economic situation indicator of the interested parties is completely disproportionate to the purpose of transparency provided for by the sector regulations, as the data disclosed are not "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed", in violation of the principle of minimization (Article 5, paragraph 1, letter c, of the GDPR; Guidelines of the Guarantor on transparency, part one, paragraph 9.e).

For the profiles considered, the observations contained in the jurisprudence cited by the Region (Cass. Civ. N. 6505/2015) cannot be considered in the present case, taking into account that the ruling concerned a completely different case from the one in question. Nor is it clear how the circumstance - highlighted in the defense briefs - that an "ISEE value equal to about 15,000 euros" represents "the proper parameter of a significant percentage of Italian families" can represent a useful indicator for deciding whether or not to disseminate the personal data of the relevant members, especially taking into account that undoubtedly the aforementioned ISEE does not refer to particularly high incomes.

Instead, in relation to the fact that "at least a part of the 104 thousand beneficiaries of the Dote Scuola - Didactic Material for the year 2020 [would] have been the beneficiary of other regional contributions (including the contributions of other components of the Dote Scuola)", exceeding the threshold of one thousand euros which obliges the administration to publish the related personal data pursuant to art. 26, paragraph 2, of the d. lgs. n. 33/2013, it should be noted that this circumstance - on the one hand - has not been proven in the documents and - on the other - in any case would not apply to all the 104,000 students concerned. In any case, it is believed that even for this hypothesis - in light of the observations reported above regarding the existence of the exception contained in art. 26, paragraph 4, of the d. lgs. n. 33/2013 and the principle of data minimization (Article 5, paragraph 1, letter c, GDPR) - the identification data of the beneficiaries cannot be disseminated.

As for the dissemination of personal data of subjects who were not beneficiaries of any economic contribution, it is not possible to accept the objection advanced by the Lombardy Region according to which the relative publication was necessary to "protect the interest of non-beneficiaries to be able to view the documents (results of the call for proposals) [and] allow non-beneficiary participants to access the documents as well". This is because the related publication is not supported by any suitable regulatory provision (law or, in the cases provided for by law, regulation) that may justify the online dissemination of the related personal data pursuant to art. 2-ter, paragraphs 1 and 3, of the Code.

6. Outcome of the investigation relating to the report submitted

For all of the above, the circumstances highlighted in the defense briefs examined as a whole, certainly worthy of consideration for the purpose of evaluating the conduct, are not sufficient to allow the closing of this proceeding, since none of the hypotheses provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies. This also considering that since 2014 the Authority, in the Guidelines on transparency and online publication mentioned above, has provided all public administrations with specific indications on how to reconcile the transparency and publicity obligations of the administrative action with the right to the protection of the personal data of the interested parties.

In this context - while understanding the difficult balance between the need for transparency and protection of personal data subject to evaluation, case by case, by the data controller, especially in relation to the identification of cases in which measures for the provision of economic benefits reveal the existence of a situation of economic or social hardship of the interested party which does not allow disclosure - the preliminary assessments of the Office contained in the note prot. n. XX of XX are confirmed, and the unlawfulness of the processing of personal data carried out by the Lombardy Region is noted, since, with the online publication of the documents identified above in nos. 1 to 4 of par. 1:

a) personal data of beneficiaries of economic contributions of less than one thousand euros have been disclosed, reserved for subjects with a low ISEE, suitable for revealing a situation of economic and social hardship of the interested parties, in the absence of suitable regulatory conditions, in violation of art. 2-ter, paragraphs 1 and 3, of the Code and art. 26, paragraph 4, of the d. lgs. 33/2013; as well as the basic principles of processing contained in articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR;

b) information relating to the ISEE of the students benefiting from the financial contribution has been disclosed in violation of the principle of minimization (Article 5, paragraph 1, letter c, of the GDPR);

c) personal data of subjects who have not been admitted to any economic benefit have been disclosed (see "XX" identified above in paragraph 1, no. 4), in the absence of suitable regulatory conditions, in violation of art. 2-ter, paragraphs 1 and 3, of the Code, as well as the basic principles of processing contained in articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR;

Considering, however, that the conduct has exhausted its effects, as the data controller declared that "the personal data in question have been promptly removed from the institutional site and are no longer accessible to the URLs indicated in the violation notification", without prejudice to what will be said on the application of the pecuniary administrative sanction, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the GDPR are not met.

7. Adoption of the injunction order for the application of the pecuniary administrative sanction (Articles 58, paragraph 2, letter i; 83 of the GDPR)

The Lombardy Region appears to have violated Articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR; as well as art. 2-ter, paragraphs 1 and 3, of the Code (see also Article 26, paragraph 4, of Legislative Decree 33/2013).

In this regard, art. 83, par. 3, of the GDPR provides that "If, in relation to the same processing or related processing operations, a data controller or a data processor violates various provisions of this regulation, with willful misconduct or negligence, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation".

In the present case, the violation of the aforementioned provisions - also considering the reference contained in art. 166, paragraph 2, of the Code - is subject to the application of the same administrative fine provided for by art. 83, par. 5, of the GDPR, which therefore applies to the case in question.

The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the GDPR, as well as art. 166 of the Code, has the corrective power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of every single case". In this context, "the College [of the Guarantor] adopts the injunction order, with which it also rules on the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The amount of the aforementioned administrative fine must be determined, depending on the circumstances of each individual case, taking into account the elements provided for by art. 83, par. 2, of the GDPR.

In this sense, the detected conduct in violation of the regulations on the protection of personal data is of a culpable nature and involved the online dissemination of personal data, for an extended period of time, almost 11 months, not belonging to special categories or relating to criminal convictions or offenses (articles 9 and 10 of the GDPR), however referring to a considerable number of interested parties (more than one hundred thousand students). The Lombardy Region is a large territorial body with almost 10,000,000 inhabitants. Following the request of the Office, the administration intervened promptly, collaborating with the Authority during the investigation of this proceeding in order to remedy the violation, mitigating its possible negative effects. In any case, the difficult balance between the need for transparency and protection of personal data must be taken into account, subject to evaluation, case by case, by the data controller, especially in relation to the identification of cases in which measures for the provision of economic benefits reveal the existence of a situation of economic or social hardship of the interested party which does not allow disclosure. In this regard, the technical and organizational measures described in the defense briefs that can be implemented pursuant to Articles 25-32 for compliance with the GDPR. In any case, there are no previous relevant violations of the GDPR committed by the entity.

Due to the aforementioned elements, assessed as a whole, it is deemed necessary to determine, pursuant to art. 83, para. 2 and 3, of the GDPR, the amount of the pecuniary sanction provided for by art. 83, par. 5, of the GDPR at € 200,000.00 (two hundred thousand) for the violation of Articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR, as well as of art. 2-ter, paragraphs 1 and 3, of the Code (see also Article 26, paragraph 4, of Legislative Decree 33/2013), as a pecuniary administrative sanction deemed effective, proportionate and sufficiently dissuasive due to its amount pursuant to art. 83, par. 1, of the same GDPR.

In relation to the specific circumstances of this case, relating to the dissemination of personal data online in the absence of a suitable legal basis and in violation of the principle of data minimization (Article 5, paragraph 1, letter c, GDPR), it is also considered that the ancillary sanction of the publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7, of the Code and by art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, should be applied.

Finally, it is believed that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019 are met.

GIVEN ALL OF THE ABOVE, THE GUARANTOR

having detected the unlawfulness of the processing carried out by the Lombardy Region in the terms indicated in the motivation, pursuant to Articles 58, par. 2, lett. i), and 83 of the GDPR

ORDERS

to the Lombardy Region, in the person of the pro-tempore legal representative, with registered office in Piazza Città di Lombardia, 1 - 20124 Milan (MI) - C.F. 80050050154 to pay the sum of Euro 200,000.00 (two hundred thousand) as a pecuniary administrative sanction for the violations mentioned in the motivation;

ENJOINS

the same Region to pay the sum of EUR 200,000.00 (two hundred thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the l. n. 689/1981.

Please note that the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of the d. lgs. n. 150 of 1/9/2011 provided for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code).

PROVIDES FOR

- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019;

- the annotation in the internal register of the Authority of the violations and measures adopted pursuant to art. 58, par. 2, of the GDPR with this provision, as required by art. 17 of the Guarantor Regulation n. 1/2019.

Pursuant to art. 78 of the GDPR, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, July 22, 2021

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei