Garante per la protezione dei dati personali (Italy) - 9761383

From GDPRhub
Revision as of 16:11, 20 April 2022 by Cms (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Garante per la protezione dei dati personali (Italy) - 9761383
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 6 GDPR
Article 10 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 10.03.2022
Published: 13.04.2022
Fine: 8000 EUR
Parties: n/a
National Case Number/Name: 9761383
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: Cesar Manso-Sayao

The Italian DPA issued a €8000 against a regional environmental agency for publishing a document which included a former employee's personal data related to criminal offenses on its website without a valid legal basis, in violation of Articles 5(1), 6 and 10 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject filed a complaint with the Italian DPA (Garante per la Protezione dei Dati Personali - Garante) against the Regional Agency for the Protection of the Environment of Abruzzo (hereinafter “the Agency”). The data subject stated that he had previously been an employee at the Agency, and that a resolution by its Director which contained his personal data had been published on its website. The resolution was related to the approval of a trade union conciliation report, and it contained references to events connected with a criminal proceeding involving the data subject, for which he had been eventually acquitted. The data subject claimed that the document had been made public without any anonymisation and with indexing on search engines.

In its defense, the Agency claimed that the resolution should be considered as part of a contractual obligation between the Agency and the data subject, and that therefore, the processing was carried out on the basis of Article 6(1)(b) GDPR, as well as to fulfill a legal obligation pursuant to Article 6(1)(c) GDPR related to public entities’ transparency requirements. Moreover, the Agency claimed the data subject himself had already made information related to the criminal proceedings public himself, and that this information had been disclosed by the press and still traceable on the internet. Additionally, the Agency argued that since no reference was made within the resolution to the specific crimes which the data subject had been charged with, nor was any conviction mentioned therein because the data subject had been acquitted, the Agency was not subject to a challenge under Article 10 GDPR since no personal data related to criminal offenses or convictions had been disclosed. Lastly, the Agency also stated that, at the data subject’s request, it had taken the resolution off its website for external access, and had taken all precautions to make sure it was no longer indexed on search engines.

Holding[edit | edit source]

The Garante held that public entities can only disclose personal data when it is permitted by law, and that therefore the legal basis invoked by the Agency under Article 6(1)(b) GDPR regarding the necessity of the processing for the performance of a contract was not applicable in this case. As to the legal basis under Article 6(1)(c) GDPR regarding the Agency’s legal transparency obligations, the Garante noted that the resolution in question was of a different nature than the type of public acts and documents which national law require public entities to publish, and that therefore this was not a valid legal basis either.

Additoinally, the Garante rebutted the Agency’s claims that it had not disclosed any personal data related to criminal offenses only because neither the specific criminal offenses with which the data subject had been charged, nor any conviction, had been mentioned. The Garante cited Court of Justice of the European Union case law which states that any information relating to judicial proceedings against a person, including the opening of an investigation or the initiation of a trial, themselves constitute personal data relating to criminal convictions and offenses pursuant to Article 10 GDPR (see here). Therefore, the Garante reiterated that the disclosure of this data by the Agency required a specific legal basis under national law, and also to be compliant with the principles of data protection under Article 5(1) GDPR, in particular the principle of lawfulness, fairness and transparency, as well as the principle of data minimisation. The Garante also held that the fact the data subject might have made this information public himself was irrelevant regarding the disclosure carried out by the Agency without an applicable legal basis to justify it.

Based on these considerations, the Garante issued a fine of €8000 for the violation of Articles 5(1), 6 and 10 GDPR, and proposed no corrective measures in light of the fact that the document had already been taken off the website and de-indexed on search engines.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9761383]
Order injunction against the Regional Agency for the Protection of the Environment of Abruzzo - 10 March 2022
Record of measures
n. 82 of 10 March 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / CE, "General Data Protection Regulation" (hereinafter, "Regulation");
GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46 / EC (hereinafter the "Code");
GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette n. 106 of 8 May 2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");
Having seen the documentation in the deeds;
Given the observations made by the secretary general pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n. 1098801;
Speaker prof. Pasquale Stanzione;
WHEREAS
1. Introduction.
With complaint of the XX, presented pursuant to art. 77 of the Regulations, the complainant, a former employee of the Regional Agency for the Protection of the Environment of Abruzzo (hereinafter, the "Agency"), complained that the resolution of the Director General of the Agency no. XX (with the subject “Mr. [name and surname of the complainant]: approval of the draft conciliation report in the trade unions pursuant to art. 2113 co. 4 of the civil code in the text modified by art. 6 of the law 11/8/1973 n. 533 ") has been published on the institutional website of the Agency in full form, without any prior anonymization of personal data, moreover with indexing on search engines.
The resolution in question contained information relating to a legal matter relating to the employment relationship at the time between the complainant and the Agency. In particular, the resolution had as its object the approval of a draft conciliation report in the trade union and contained references to events connected with a criminal proceeding, which had involved the complainant, at the outcome of which the same had been acquitted for not having committed the deed with a final judgment.
At the request of the interested party, the resolution object of the complaint, although still traceable on the institutional website of the Agency, would no longer be downloadable from the 20th.
2. The preliminary activity.
With a note of the XX (prot. No. XX), the Agency, in response to a request for information from the Guarantor (note prot. No. XX of the XX), stated, in particular, that:
"Resolution no. XX was published in the Agency's Praetorian Register, as it contains the elements in fact and in law necessary for the motivation that led [the] Body to approve only the outline of the conciliation agreement in the trade union, to title for compensation, with the [complainant] ";
"The complete and definitive agreement was then initialed by the parties subsequently and entered in the documents [of the Agency] in a confidential manner";
"This draft agreement can be considered a contract between the Agency and the [complainant] and, therefore, the processing was carried out on the basis of art. 6 paragraph 1 letter b of the Regulation [...], as well as to fulfill a legal obligation pursuant to art. 6 paragraph 1 letter c of the Regulation [...] ";
"The resolution was published in the Praetorian Register on the 20th and remained published for 15 days";
"For administrative transparency reasons, the resolution in question, like the others, was kept in the Transparent Administration Section until the twentieth century following the reporting of the complainant";
"Currently it is not possible to consult any old resolution of the" Transparent Administration "Section as the" Archivio Albo Pretorio "section is under maintenance";
"The ability to view the old resolutions was retained, even after removal from the Praetorian Register, only to employees of the Agency through the website www.artaabruzzo.local (company intranet) and therefore not accessible from the outside. In this archive, Resolution XX is displayed with the following title “Mr. --- omissis ---: approval of the draft conciliation report in the trade union office pursuant to art. 2113 co. 4 of the Italian Civil Code in the text modified by art. 6 of the l. 11/8/1973 n. 533. For reasons of privacy, access to the document is possible only through a formal request for access to the documents ";
"All precautions have been taken to ensure that the contents of the" Albo Pretorio "section are not indexed by search engines";
"Currently, the resolution in question cannot be found on the Agency's website, not even with the sole reference to the object, nor is it possible to find references to it through search engines".
With a note of the XX (prot. No. XX), the Office, on the basis of the elements acquired, the verifications carried out and the facts that emerged as a result of the investigation, notified the Agency, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, par. 1, lett. a) and c), 6 and 10 of the Regulations, as well as 2-ter (in the text prior to the changes made by Legislative Decree No. 139 of 8 October 2021, in force at the time of the facts subject of the complaint) and 2-octies of the Code, inviting the aforementioned holder to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art.166, paragraphs 6 and 7, of the Code, as well as art.18, paragraph 1, from l. 24 November 1981, n. 689) .
With a note of the twentieth, the Agency, through its lawyer, presented a defense statement, declaring, in particular, that:
the information relating to the criminal proceedings that involved the person concerned "had already been disclosed by some press, still traceable [on] the web";
"Therefore, the information contained in resolution no. XX object of the complaint would have been, in any case, traceable and easily usable by web users [...] [, such data having] been made public by the interested party himself (art. (Art. 9 letters e) and 10, of the [Regulation]) ";
"In the published agreement no reference is made to the crimes [which had been at the time] charged to the [complainant], nor is any conviction mentioned, due to the acquittal of the same. Therefore, both objective elements of the crime would be missing in order to challenge the Agency for the conduct contained in art. 10 [of the Regulations] ";
"The dissemination of the scheme of the [trade union] agreement is fully part of the phase of the execution of pre-contractual measures preparatory to the definitive drafting of the agreement actually reached between the parties";
"The conduct of the [Agency] was, therefore, marked by the protection of the highest public interest of safeguarding and balancing the balances to guarantee the transparency of the pre-contractual agreement";
"The publication actually carried out by the Agency in the dedicated section of the Praetorian Register responds [goes] to specific obligations of publicity, transparency and dissemination of the work of the public administration";
"The fulfillment, in fact, took place in compliance with the specific legislation identified in art. 23 lett. d) containing “agreements entered into by the administration with private subjects or with other public administrations, pursuant to articles 11 and 15 of the law of 7 August 1990, n. 241 ".
With a note of the twentieth, the Agency, represented by its lawyer, having renounced the hearing referred to in art. 166, paragraph 6, of the Code, has deposited certain documents aimed at proving the measures adopted to ensure compliance with the legislation on data protection in the context of the publication of deeds and documents on its institutional website for transparency purposes (see , in particular, the circular protocol n.8500 of 20 February 2019).
3. Outcome of the preliminary investigation.
The personal data protection discipline provides that public subjects, in the context of the work context, may process the personal data of the interested parties, also relating to particular categories, if the processing is necessary, in general, for the management of the employment relationship. and to fulfill specific obligations or tasks provided for by the law or the law of the Union or of the Member States (art. 6, par. 1, lett. c), 9, par. 2, lett. b) and 4 and 88 of the Regulation). The processing is also lawful when it is "necessary for the performance of a task of public interest or connected to the exercise of public authority vested in the data controller" (Article 6, paragraph 1, letter e ), 2 and 3, and art. 9, par. 2, lett. g), of the Regulations; art. 2-ter of the Code, in the text prior to the changes made by Legislative Decree 8 October 2021, n. 139).
European legislation provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of the [...] regulation with regard to processing, in accordance with paragraph 1, letters c) and e), determining more precisely specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing […] ”(Article 6, par. 2, of the Regulation). In this regard, it should be noted that the dissemination of personal data (such as publication on the Internet) by public entities is permitted only when provided for by a law or, in the cases provided for by law, by regulation (cf. . art. 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the changes made by the legislative decree 8 October 2021, n. 139).
With specific regard to the processing of data relating to criminal convictions and offenses or related security measures, it should be noted that this can only take place under the control of the public authority or if the processing is authorized by the law of the Union or of the Member States which provides appropriate guarantees for the rights and freedoms of the data subjects (Article 10 of the Regulation), or only if the processing is authorized by a law or, in the cases provided for by law, by regulation (Article 2-octies, paragraphs 1 and 5 of the Code).
The data controller is required, in any case, to comply with the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "data minimization", on the basis of which personal data must be "processed in a lawful, correct and transparent manner towards the data subject" and must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter a) and c), of the Regulation).
In this context, it is noted, first of all, that the online disclosure of the complainant's personal data cannot be justified in the circumstance that it was deemed "necessary [a] for the execution of a contract of which the interested party is a party or 'execution of pre-contractual measures adopted at the request of the same ”(Article 6, paragraph 1, letter b), of the Regulation). As highlighted above, public entities may, in fact, disclose personal data only where permitted by a law or, in the cases provided for by law, by regulation (Article 2-ter, paragraphs 1 and 3, of the Code, in the previous text the amendments made by Legislative Decree 8 October 2021, n.139), therefore, the legal basis invoked by the Agency cannot be applied in this case.
The Agency also argued that the publication of the resolution in question was carried out "in compliance with the specific legislation identified in art. 23 lett. d) containing “agreements entered into by the administration with private entities or with other public administrations, pursuant to articles 11 and 15 of the law of 7 August 1990, n. 241 ". Given that it was reasonably intended to refer to art. 23, lett. d), of the legislative decree 14 March 2013, n. 33 (pursuant to which "the public administrations publish and update every six months, in distinct partitions of the" Transparent Administration "section, the lists of measures adopted by the political bodies and managers, with particular reference to the final provisions of the : […] D) agreements entered into by the administration with private entities or with other public administrations, pursuant to articles 11 and 15 of the law of 7 August 1990, n. 241 "), it must be noted that the publication obligations in question specifically concern" supplementary or replacement agreements to the provision "(art. 11 of law 241/1990) and" agreements between public administrations "(art. 15 of law no. 241/1990), or acts of a different nature than the one published by the Agency (draft form of conciliation report in the trade union to settle a dispute between the employer and one of its employees).
Again with regard to the lawfulness of the processing, with specific regard to the dissemination of information relating to a criminal proceeding involving the interested party, mentioned in the deed to be published, the Agency advanced the thesis that such information, as relative to a criminal proceeding which ended with the acquittal of the interested party, cannot be considered "personal data relating to criminal convictions and crimes or related security measures" pursuant to art. 10 of the Regulation ". This defense cannot be shared, as, as stated by the Court of Justice of the European Union, "information relating to a judicial proceeding against a natural person, such as that relating to the opening of an investigation or trial, and possibly the resulting conviction, constitute data relating to "offenses" and "criminal convictions" pursuant to article 8, paragraph 5, first subparagraph, of directive 95/46 and article 10 of regulation 2016/679 , and this regardless of whether, in the course of this judicial procedure, the commission of the crime for which the person was prosecuted was actually demonstrated "(judgment C ‑ 136/17," GC and Others v Commission nationale de l'formatique et des libertés (CNIL) ", Grand Section, 24 September 2019). On the other hand, with regard to the working context, numerous provisions of the Guarantor have made it clear that the information obtained from the criminal record of the criminal record or from statements issued by workers regarding the absence of criminal convictions still constitute data relating to criminal convictions and offenses. for the purposes of data protection legislation (on this point, with regard to the absence of criminal convictions with respect to specific crimes, as a requirement for carrying out certain work activities in the public sector, see the Guarantor's 2018 Annual Report, doc. web n. 9109211, pp. 131 ss., as well as provision 19 January 2017, n. 10, web doc. n. 5953097; see "Hearing of the President of the Guarantor for the protection of personal data, Prof. Pasquale Stanzione in as part of the examination of the proposed laws C. 1779 Paolo Russo and C. 1782 Molinari, containing provisions on the subject of controls on personnel assigned to transport services ", of 16 December 2 021, doc. web n. 9736014; in the private sphere, v. prov. 11 February 2021, n. 47, doc. web n. 9562814; prov. 22 May 2018, n. 314, doc. web n. 9005845).
With regard, however, to the fact that the complainant's personal data had already been made publicly public by the same as a result of press articles prior to the resolution in question, it must be reiterated that public subjects may disclose personal data only in the cases provided for by a law. of the law or, in the cases provided for by law, of regulation (Article 2-ter, paragraphs 1 and 3, of the Code), to nothing noting that the same data have already been disclosed by the interested point, see, among many others, provision July 2, 2020, no. 118, web doc. no. 9440025).
4. Conclusions.
In light of the aforementioned assessments, it is noted that the statements made by the data controller during the investigation ˗ the truthfulness of which one may be called to respond pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow to overcome the findings notified by the Office with the act of initiating the procedure and are insufficient to allow the filing of this proceeding, however, none of the cases provided for by the 'art. 11 of the Guarantor Regulation n. 1/2019.
It is also represented that for the determination of the applicable law, in terms of time, the principle of legality referred to in art. 1, paragraph 2, of the l. n. 689/1981 which states that "the laws that provide for administrative sanctions are applied only in the cases and times considered in them". This determines the obligation to take into consideration the provisions in force at the time of the violation committed, which in the case in question - given the permanent nature of the alleged offense - must be identified at the time of cessation of the unlawful conduct, which occurred after the date of 25 May 2018 in which the Regulation became applicable and the Legislative Decree 10 August 2018, n. 101 came into effect. Indeed, from the preliminary investigation it emerged that the disclosure of the complainant's personal data ceased on XX.
Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Agency for having disclosed the personal data of the complainant, also relating to criminal convictions and offenses, in violation of Articles 5, 6 and 10 of the Regulations, as well as 2-ter (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021, in force at the time of the facts subject of the complaint) and 2-octies of the Code.
The violation of the aforementioned provisions makes the administrative sanction provided for by art. 83, par. 5, of the Regulation, pursuant to art. 58, par. 2, lett. i), and 83, par. 3, of the same Regulation, as also referred to by art. 166, paragraph 2, of the Code.
In this context, considering, in any case, that the conduct has exhausted its effects, given that the disclosure of the complainant's personal data has ceased, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation.
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. I and 83 of the Regulation; art. 166, paragraph 7, of the Code).
The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations as well as art. 166 of the Code, has the power to "inflict an administrative pecuniary sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case "and, in this context," the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).
In this regard, taking into account art. 83, par. 3, of the Regulations, in this case the violation of the aforementioned provisions is subject to the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.
The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the elements provided for by art. 83, par. 2, of the Regulation.
In relation to the aforementioned elements, it was considered that the detected conduct had as its object the dissemination of personal data, although since 2014 the Guarantor has provided all public subjects in the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purposes of advertising and transparency on the web by public entities and other obliged entities ", referred to above. Account was also taken of the considerable period of time in which the complainant's personal data were disseminated (i.e. from XX to XX), as well as the particular sensitivity of the personal data published, including some attributable to the category of personal data relating to criminal convictions and offenses.
On the other hand, it was taken into consideration that the violation involved only one interested party. The owner then promptly took action to put an end to the disclosure of the complainant's personal data as soon as he received the request made for this purpose by the same. The owner also fully collaborated with the Guarantor during the investigation. Finally, there are no previous relevant violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation.
Based on the aforementioned elements, assessed as a whole, it is believed to determine the amount of the pecuniary sanction in the amount of € 8,000 (eight thousand) for the violation of Articles 5, par. 1, 6 and 10 of the Regulations, as well as 2-ter (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021, in force at the time of the facts subject of the complaint) and 2-octies of the Code, as a withholding administrative fine, pursuant to art. 83, paragraph 1, of the Regulation, effective, proportionate and dissuasive.
Taking into account the extended period of time during which the aforementioned data were available on the network, it is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.
Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019.
WHEREAS, THE GUARANTOR
declares, pursuant to art. 57, par. 1, lett. f), of the Regulations, the unlawfulness of the processing carried out by the Regional Agency for the Protection of the Environment of Abruzzo for violation of Articles 5, par. 1, lett. a) and c), 6 and 10 of the Regulations, as well as 2-ter (in the text prior to the changes made by Legislative Decree No. 139 of 8 October 2021, in force at the time of the facts subject of the complaint) and 2-octies of the Code, within the terms of which in motivation;
ORDER
to the Regional Agency for the Protection of the Environment of Abruzzo, in the person of the pro-tempore legal representative, with registered office in Viale Marconi, 49 - 65127 Pescara (PE), Tax Code 91059790682, to pay the sum of € 8,000 (eight thousand) as a pecuniary administrative sanction for the violations indicated in the motivation. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;
INJUNCES
to the aforementioned Agency, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 8,000 (eight thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the l. n. 689/1981.
HAS
- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code;
- the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lett. u), of the Regulations, violations and measures adopted in compliance with art. 58, par. 2, of the Regulation.
Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.
Rome, March 10, 2022
PRESIDENT
Stanzione
THE RAPPORTEUR
Stanzione
THE SECRETARY GENERAL
Mattei