Garante per la protezione dei dati personali (Italy) - 9744655

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12(3) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started: 21.01.2020
Decided: 13.01.2022
Published: 13.01.2022
Fine: 4000 EUR
Parties: Medicina & Lavoro s.r.l.
National Case Number/Name: 9744655
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: Eva Opsenica

The Italian DPA fined a medical centre €4,000 for violating Articles 12(3) and 15 GDPR: it gave an incomplete reply to the data subject's first access request and ignored the second one entirely.

English Summary

Facts

On 13 December 2019, the data subject submitted a request under Article 15 GDPR for a copy of the personal data held on him by the medical centre Medicina & Lavoro s.r.l., a company appointed by his employer to carry out mandatory occupational health surveillance. After receiving an unsuitable reply from the controller on a subject that did not concern his request, the data subject made a second request on 17 December 2019, which went unanswered. He therefore lodged a complaint with the DPA pursuant to Article 77 GDPR on 21 January 2020.

On 7 September 2020, the DPA invited the controller to comment on the alleged breach and to comply with the data subject's request. On 25 September 2020, the controller replied that, following the first request, it had sent the data subject an e-mail on 16 December 2019 which merely described the procedure by which it delivers the health record and the costs involved. On 23 October 2020, the controller provided the data subject and the DPA with the categories of personal data it processed about him (Article 15(1)(b) GDPR: ordinary data and special-category data), without providing the specific information that had been requested.

On 24 February 2021, the DPA initiated the sanctioning procedure under Article 166(5) of the Codice in materia di protezione dei dati personali (the Italian Privacy Code) for violations of Articles 12(3) and 15 GDPR. In its defence of 11 March 2021, the controller stated that on 8 March 2021 it had sent the data subject, by certified e-mail, a scanned copy of the health record together with the information required by Article 15 GDPR, and attributed the delay to its confidentiality protocol for handing over health documents. The investigation confirmed that the controller's reply of 16 December 2019 had merely indicated how the data subject could obtain a copy of his health record on payment of an administrative fee, and that the second request of 17 December 2019 had received no reply at all.

Holding

The DPA found that the controller's reply of 16 December 2019 violated Articles 12(3) and 15 GDPR: it did not contain the elements listed in Article 15 GDPR but merely indicated how the data subject could obtain a copy of the record on payment of an administrative fee. The DPA stressed that a request under Article 15 GDPR for access to the personal data and information contained in a medical record must not be treated as a request for access to "deeds and/or documents" under other legal provisions, which may be conditional on a contribution towards administrative costs; under Articles 12(5) and 15(3) GDPR a reasonable fee may be charged only where requests are manifestly unfounded or excessive, or for further copies. The DPA also found that the controller had not replied at all to the data subject's second request, having considered its earlier e-mail an adequate and relevant answer.

The DPA therefore held the complaint to be well-founded. Exercising its corrective powers under Article 58(2) GDPR and Article 166 of the Italian Privacy Code, it imposed an administrative fine of €4,000 under Article 83(5) GDPR. In assessing the effectiveness, proportionality and dissuasiveness of the fine (Article 83(1) GDPR), the DPA took into account the nature and duration of the infringement (the controller answered the request only after the DPA intervened), the absence of previous relevant infringements by the controller, the controller's degree of cooperation, and its economic conditions as shown in its 2020 financial statements. The DPA also ordered the decision to be published on its website.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9744655]

Injunction order against Medicina & Lavoro s.r.l. - January 13, 2022

Register of measures
no. 6 of 13 January 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Mr. Fabio Mattei, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD to Legislative Decree no. 196 of 30 June 2003 (Personal Data Protection Code, hereinafter the "Code"), as amended by Legislative Decree no. 101 of 10 August 2018 on "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

HAVING REGARD to the complaint lodged by Mr. XX on 21/01/2020 pursuant to art. 77 of the Regulation, complaining of a violation of the personal data protection rules by Medicina & Lavoro s.r.l.;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

RAPPORTEUR: Prof. Ginevra Cerrina Feroni;

WHEREAS

1. The initiation of the procedure.

1.1. In the complaint lodged with this Authority on 21/01/2020, Mr. XX stated that on 13/12/2019 he had submitted to Medicina & Lavoro s.r.l., a company appointed by the complainant's employer to carry out mandatory health surveillance (hereinafter "the Company"), a request to obtain a "copy of the personal data stored in your archives", and that he had received an unsuitable reply "on a subject that did not concern the request". The complainant therefore submitted a further request to exercise his rights under art. 15 of the Regulation, dated 17/12/2019, to which no reply was received.

By note dated 07/09/2020 (prot. no. 32715), the Office invited the Company to comment on what was represented in the complaint and to comply with the complainant's requests.

By note dated 25/09/2020, the Company stated that, following the first request submitted by Mr. XX on 13/12/2019, it had sent an e-mail on 16/12/2019 which merely described the procedure by which the Company delivers "the medical record" and the related costs to be borne.

By a subsequent note dated 23/10/2020, the Company informed this Authority and the complainant of the categories of personal data relating to Mr. XX that it processed (ordinary data and special-category data), without however providing the specific information that had been requested.

1.2. The Office therefore notified the Company of the initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code, for the violation of articles 12, par. 3, and 15 of the Regulation (prot. no. 11052 of 24/02/2021).

1.3. On 11/03/2021 the Company submitted its defence brief pursuant to art. 18 of Law no. 689/1981, in which it first stated that:

"Following the request made (...), on 8 March 2021 the undersigned data controller sent Mr. XX, by certified e-mail, a scanned copy of the health record together with a notice containing all the information provided for in art. 15 of the Regulation (...)";

"All of the personal data relating to workers subject to health surveillance, employees of client companies of Medicina e Lavoro s.r.l., are contained in the individual health records of the workers themselves, and there is therefore full correspondence between the data covered by the data subject's request and the contents of the medical record";

and finally that the delay in replying was due to the need to "transfer the medical record, containing health data, in accordance with the confidentiality protocol in use (...), which provides that such documents are delivered by hand to the data subject in person or, alternatively, (...) by post or other means".

2. The outcome of the investigation.

2.1. On examination of the documentation produced and the statements made by the party during the proceedings (it being noted that, unless the fact constitutes a more serious offence, anyone who, in proceedings before the Guarantor, falsely declares or certifies facts or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code), it emerged that the Company, faced with two requests to exercise data subject rights submitted on 13/12/2019 and 17/12/2019 respectively, first gave an unsuitable reply and subsequently provided no information at all.

2.2. As a preliminary point, art. 15 of the Regulation grants the data subject the right to obtain from the controller confirmation as to whether personal data concerning him are being processed and, where that is the case, access to those data and to the information listed in letters a) to h) of the same article. Recital 63 also specifies that this right includes the right to "access data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided". It is also noted that, pursuant to articles 12, par. 5, and 15, par. 3, of the Regulation, the controller may "charge a reasonable fee, taking into account the administrative costs incurred to provide the information (...)" only where the data subject's requests are manifestly unfounded or excessive, or in the case of further copies.

2.3. That said, in the present case the reply given by the Company on 16/12/2019, which merely indicated in general terms how the applicant could obtain a copy of the medical record on payment of reproduction costs, must be considered unsuitable in the light of the aforementioned provisions of art. 12, par. 5, and 15 of the Regulation and of the clarifications in Recital 63. A request for access to the personal data and information contained in a medical record must not be treated as a request for access to "deeds and/or documents", which may be obtained under other legal provisions and which is subject to payment of a contribution towards administrative costs.

2.4. It is also established that the Company gave no reply at all to the second request submitted by the complainant, having considered the clarifications provided in the aforementioned e-mail of 16/12/2019 adequate and relevant to the request made.

3. Conclusions: unlawfulness of the processing carried out.

3.1. In the light of the foregoing assessments, the statements made by the data controller in its defence brief, for the truthfulness of which it may be held liable pursuant to art. 168 of the Code, do not overcome the findings notified by the Office in the act initiating the procedure and are insufficient to justify closing the case, none of the situations provided for by art. 11 of the Guarantor's Regulation no. 1/2019, concerning the Authority's internal procedures having external relevance, being applicable.

3.2. For the above reasons, the complaint lodged pursuant to art. 77 of the Regulation is therefore held to be well-founded and, in the exercise of the corrective powers conferred on the Authority by art. 58, par. 2, of the Regulation, a pecuniary administrative sanction is applied pursuant to art. 83, par. 5, of the Regulation.

4. Injunction order.

4.1. Pursuant to art. 58, par. 2, lett. i), of the Regulation and art. 166 of the Code, the Guarantor has the power to impose the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, by adopting an injunction order (art. 18 of Law no. 689 of 24 November 1981), in relation to the processing of personal data concerning the complainant, the unlawfulness of which has been established in the terms set out above.

4.2. With reference to the elements listed in art. 83, par. 2, of the Regulation for the purpose of applying the pecuniary administrative sanction and determining its amount, and bearing in mind that the sanction must be "in each individual case effective, proportionate and dissuasive" (art. 83, par. 1, of the Regulation), the following circumstances were taken into consideration in the present case:

with regard to the nature, gravity and duration of the violation, the nature of the violation, which concerned the provisions on the exercise of data subject rights, was considered relevant, as was the fact that the violation persisted for a long period and that the Company replied to the complainant's request only after this Authority intervened;

the absence of previous relevant violations committed by the data controller;

the degree of cooperation shown by the Company, which took part in the procedure and indicated the measures adopted to comply with the personal data protection rules.

4.3. In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (art. 83, par. 1, of the Regulation), with which the Authority must comply in determining the amount of the sanction, the economic conditions of the offender were taken into account, determined on the basis of the revenues shown in the financial statements for 2020.

4.4. On the basis of the above elements, assessed as a whole, the amount of the pecuniary sanction is set at 4,000.00 (four thousand) euros for the violation of articles 12 and 15 of the Regulation.

4.5. In this context, also in view of the type of violation established, which concerned the rights of the data subject, it is considered that this decision should be published on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers conferred on the Guarantor, are met.

ON THE BASIS OF THE FOREGOING, THE GUARANTOR

declares, pursuant to arts. 57, par. 1, lett. f), and 83 of the Regulation, the unlawfulness of the processing carried out, in the terms set out in the reasoning, for the violation of articles 12, par. 3, and 15 of the Regulation;

ORDERS

Medicina & Lavoro s.r.l., in the person of its legal representative pro tempore, with registered office in Cologno Monzese (MI), via M. Buonarroti n. 50, P.I. 03524410960, pursuant to art. 58, par. 2, lett. i), of the Regulation, to pay the sum of 4,000.00 (four thousand) euros as a pecuniary administrative sanction for the violations indicated in this decision;

ENJOINS

the same Company to pay the sum of 4,000.00 (four thousand) euros in the manner indicated in the annex, within 30 days of notification of this decision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of Law no. 689/1981. It is noted that, pursuant to art. 166, paragraph 8, of the Code, the offender may settle the dispute by paying, again in the manner indicated in the annex, an amount equal to half of the sanction imposed, within the time limit laid down by art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 for lodging an appeal, as indicated below.

ORDERS

pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, the publication of this decision on the Guarantor's website, and finds that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

Rome, January 13, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei
