Garante per la protezione dei dati personali (Italy) - 9789037

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(1) GDPR; Article 5(1)(c) GDPR; Article 6(1)(c) GDPR; Article 6(1)(e) GDPR; Article 6(2) GDPR; Article 6(3) GDPR; Codice in materia di protezione dei dati personali (Testo coordinato); Legislative Decree no. 267/2000
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.06.2022
Published: 09.06.2022
Fine: n/a
Parties: XX (data subject); Il Comune di Brindisi (controller)
National Case Number/Name: 9789037
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (GPDP) (in IT)
Initial Contributor: smtr

The Italian DPA issued a reprimand to the municipality of Brindisi for failing to fully comply with the GDPR rules regarding the concealing of data pertaining to a man and his son's legal proceedings against the aforesaid municipality.

English Summary

Facts

The Italian DPA received a complaint from the data subject concerning the dissemination of personal data concerning him and his son as well as information on his son’s injuries following a fall inside his school. These pieces of information were published in a Council resolution on the municipality of Brindisi’s website.

The data subject had already asked the controller to remove from its website any data that could be traced back to his minor son’s identity and pathology, and to republish the resolution in compliance with the rules in force. The controller acted on this request directly and deleted the resolution from its Municipal Notice Board. However, information on the legal proceedings, including the names and the fact that the proceedings existed, could still be found in the subject of the resolution on the controller’s website. Two years later, the data subject had not contested this with the controller but lodged a complaint with the Italian DPA.

Holding

The Italian DPA considered the fact that the controller had already removed the full text of the contested resolution from the web as requested by the data subject and that it kept the contested personal data included in the subject of the resolution only by mere mistake. Moreover, the controller asked to take into consideration the objective difficulty of sometimes balancing transparency and the protection of personal data. It pointed out the existence of a need, for the purposes of transparency of administrative action, to leave public the subject of the resolution with the names of the parties in clear; as well as the large number of acts to be published online.

The Italian DPA held that the need for transparency could be achieved without disseminating online the personal data of the parties involved in the proceedings and therefore held that the controller breached Article 5(1)(c) in that it was inconsistent with the principle of data minimisation since the data were not limited to what is necessary in relation to the purposes for which they were processed.

The Italian DPA also held that the controller lacked the appropriate regulatory prerequisites for the period exceeding the fifteen days provided for by Article 124(1) of Legislative Decree no. 267/2000 for publication on the public notice board, in breach of Article 2-ter(1) and (3) of the Legislative decree 30/06/2003, n.196 also called “Codice in materia di protezione dei dati personali”; and of Article 6(1)(c), Article 6(1)(e), Article 6(2) and Article 6(3)(b).

The Italian DPA did not impose a fine, taking into account the controller's cooperation, the fact that the relevant data did not qualify as sensitive data under Article 9 GDPR and Article 10 GDPR, that only two data subjects were involved, and that no other breaches were found.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9789037]

Provision of 9 June 2022

Record of measures
n. 212 of 9 June 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27/4/2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "RGPD");

GIVEN the d. lgs. 30/6/2003, n. 196 containing the “Code regarding the protection of personal data” (hereinafter the “Code”);

GIVEN the general provision n. 243 of 15/5/2014 containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", published in the Official Gazette. n. 134 of 12/6/2014 and in www.gpdp.it, doc. web n. 3134436 (hereinafter "Guidelines on transparency");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

GIVEN the documentation in the deeds;

GIVEN the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web n. 1098801;

Professor Ginevra Cerrina Feroni will be the speaker;

WHEREAS

1. Introduction

This Authority received a complaint, presented by XX (hereinafter "complainant"), with which a violation of the legislation on the protection of personal data was reported.

Specifically, the dissemination of personal data and information contained in the Council's resolution no. XX, published on the institutional website of the Municipality of Brindisi, referring to the complainant and the minor son with indication of the injuries reported by the latter following a fall inside the school.

From the documentation attached by the complainant, it appears that the same had previously addressed the Municipality with a note of the XXth to ask for the «removal of resolution no. XX from the online Praetorian Register [and] its republication in compliance with current regulations, i.e. by deleting all data that can be traced back to the identity of the minor and his/her pathology».

The Guarantor's Office carried out a preliminary check on the institutional website of the entity, to verify the fulfillment by the Municipality of the requests made. In this regard, it emerged that in the area called "Transparent Administration of the Praetorian Register", following route XX, it was not possible to download the content of the disputed resolution.

However, the subject of the aforementioned Council resolution no. XX was still visible, and reported verbatim: «Writ of summons before the Civil Section Court of Brindisi promoted by Mr. XX as a parent exercising parental authority over the minor XX. Establishment in court and assignment of mandate to the internal lawyers of the Municipality of Brindisi». In the aforementioned subject, therefore, the personal data (name and surname) of both the complainant and the minor child were still clearly reported, as well as the circumstance of the existence of a judicial proceeding initiated by the same against the Municipality.

The aforementioned web page was also directly reachable through the following web addresses:

1. https: // ...;

2. https: // ...

2. The legislation on the protection of personal data

Pursuant to the relevant regulations, "personal data" is "any information concerning an identified or identifiable natural person ("interested")" and "the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data, an online identifier or one or more characteristic elements of its physical, physiological, genetic, psychic, economic, cultural or social identity" (art. 4, par. 1, no. 1, of the GDPR).

In this regard, with particular reference to the case submitted to the attention of the Guarantor, please note that public entities, such as the Municipality, may disclose "personal data" within the limits of the provisions of art. 2-ter, paragraphs 1 and 3, of the Code, in compliance - in any case - with the principles of data protection, including that of "minimization", according to which personal data must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed "(Article 5, paragraph 1, letter c, of the GDPR).

The state legislation of the sector also provides that "All the resolutions of the municipality and of the province are published by publication on the praetorian notice, at the headquarters of the body, for fifteen consecutive days, except for specific provisions of the law" (art. 124, paragraph 1, legislative decree no. 267 of 18/8/2000).

With regard to the publication on the praetorian notice board and the "Archive" sections of the body, since 2014, the Guarantor has provided specific indications to the administrations on the precautions to be taken for the dissemination of personal data online with general provision no. 243 of 15/5/2014, containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", published in G.U. n. 134 of 12/6/2014 and in www.gpdp.it, doc. web n. 3134436 (currently being updated, but still current in the substantial part).

In the Guidelines of the Guarantor cited above, it is expressly stated that once the time period for the publication of the deeds and documents in the praetorian register has elapsed:

- "Local authorities cannot continue to disclose the personal data they contain. Otherwise, for the period exceeding the duration envisaged by the reference legislation, an illegal dissemination of personal data would be determined because it is not supported by suitable regulatory conditions […]. In this regard, for example, the permanence on the web of personal data contained in the resolutions of local authorities beyond the term of fifteen days, provided for by art. 124 of the aforementioned d. lgs. n. 267/2000, can integrate a violation of the aforementioned art. 19, paragraph 3, of the Code [n.d.r. today reproduced in art. 2-ter, paragraphs 1 and 3, of the Code], where there is no different legislative or regulatory parameter that provides for its disclosure […]. [In this case] if the local authorities want to continue to keep the published deeds and documents on their institutional website, for example in the sections dedicated to the archives of the deeds and / or legislation of the body, they must make the appropriate measures for the protection of personal data. In such cases, therefore, it is necessary to obscure in the published documentation the data and information suitable for identifying, even indirectly, the interested parties "(second part, par. 3.a).

3. Preliminary assessments of the Office on the processing of personal data carried out.

From the checks carried out on the basis of the elements acquired and the facts that emerged as a result of the investigation, as well as subsequent evaluations, the Office with note prot. n. XX of the XX has ascertained that the Municipality of Brindisi - by disseminating the data and personal information contained in the subject of the resolution published online described above - has carried out a processing of personal data that does not comply with the relevant regulations on the protection of personal data contained in the GDPR. Therefore, with the same note the violations carried out (pursuant to art.166, paragraph 5, of the Code) were notified to the aforementioned Municipality, communicating the start of the procedure for the adoption of the measures referred to in Article 58, par. 2, of the RGPD and inviting the aforementioned administration to send to the Guarantor defensive writings or documents and, if necessary, to ask to be heard by this Authority, within the term of 30 days (Article 166, paragraphs 6 and 7, of the Code; as well as art.18, paragraph 1, of law no. 689 of 11/24/1981).

4. Defensive memoirs and hearing.

The Municipality of Brindisi, with the note prot. n. XX of the XX, sent to the Guarantor his defense writings in relation to the violations notified.

In this regard, please note that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false documents or documents, is liable pursuant to art. 168 of the Code, entitled "False statements to the Guarantor and interruption of the performance of the tasks or the exercise of the powers of the Guarantor".

Specifically, with regard to the conduct held, the municipal administration highlighted, among other things, that:

- "on the 20th the Council of the Municipality of Brindisi decided to resist the judicial action brought by a citizen by adopting and publishing resolution no. XX concerning: “Writ of summons before the Civil Section Court of Brindisi promoted by Mr. XX as a parent exercising parental authority over the minor XX. Establishment in court and assignment of mandate to the internal lawyers of the Municipality of Brindisi "";

- "the interested party turns to the Municipality of Brindisi with a note of the XXth to ask for the "removal of resolution no. XX from the online Praetorian Register [and] its republication in compliance with current regulations, i.e. by deleting all data that can be traced back to the identity of the minor and his/her pathology"";

- "the following day, XX, the Municipality not only ensures that the resolution is no longer visible in the Praetorian Register (which regularly occurred already on XX for the expiry of the fifteen days provided for by the computer system - attachment 2), but also to eliminate the visibility of the entire deed from the “Transparent Administration” section, there remaining the indication of the sole object: “Writ of summons before the Civil Section Court of Brindisi promoted by Mr. XX as a parent exercising parental authority over the minor XX. Establishment in court and assignment of mandate to the internal lawyers of the Municipality of Brindisi "; so that no one from the twentieth century may have ever had knowledge of the content of the deed and especially of any sensitive data contained therein ";

- "More than two years pass and in January of the XX Mr. XX disputes nothing to the Municipality and instead directly lodges a complaint with the Guarantor complaining about “the dissemination of personal data and information contained in the Council's resolution no. XX of the XX, published on the institutional website of this Municipality, referring to the complainant and the minor child with an indication of the injuries reported by the same following a fall inside the school "";

- "As can well be deduced, it has been since November XX that no one has ever been aware of the content of the document and above all of any sensitive data contained therein, such as the state of health or injuries sustained by the minor";

- "The only data that can be deduced from the subject of the provision is that relating to the existence of a civil dispute between Mr. XX, as the parent of the child XX, towards the Municipality of Brindisi ";

- "This Administration does not disclaim the nature of" personal data "to the name and surname expressly indicated in the subject of the resolution, and is well aware that the legitimizing rule, constituted by art. 124, paragraph 1, d. lgs. n. 267 of 18/8/2000, is linked to the period strictly necessary for publication in the praetorian register, for only fifteen consecutive days, and it does not appear that this Guarantor contests the exceeding of this limit ";

- "However, there are further rules on transparency [,] the Municipality of Brindisi is called upon to comply with the provisions of art. 23, c. 1, legislative decree n. 33/2013 and art. 1, co. 16 of the l. n. 190/2012, proceeding with the publication of the provisions of the political bodies within the "XX" section ",

- "The obligation is limited to the publication of the list and not of the deeds, which must remain there for a period of five years, and therefore it is necessary to acknowledge the existence of a legitimizing rule. The same guidelines [of the Guarantor] suggest in these cases to "obscure in the published documentation the data and information suitable for identifying, even indirectly, the interested parties". But in the present case no document has been published, only its meta-data, that is the object ";

- "The need therefore emerges to shift attention to the internal procedural level, on the correct formulation of the subject matter of the documents intended for publication, thus satisfying the protection needs from the moment of publication in the Praetorian Register and not having to look at any changes for subsequent publication in the Transparent Administration section ";

- "The Municipality believes that it has always acted in compliance with the law and the additional operational elements provided by the Guarantor";

- "However, elements that are difficult to connect with other regulations and" guidelines "of other authorities emerge, such as those of June 2016 by Agid (Drafting of guidelines on legal advertising of documents and on the preservation of PA websites) , where art. 11 requires that the unchangeable information described in point 1 of the same article, including the subject of the registered deeds, "cannot be canceled and the modification of even one of them determines the simultaneous cancellation of the entire registration" ";

- "The entire regulatory apparatus aimed at enhancing transparency and social control, precisely in the present case, would be extremely nullified if the names, the conditions for the appearance in court and the conferral of external appointments were systematically concealed. The citizen's interest is precisely that of knowing if the Municipality appears in court to protect its reasons or remains inert before any request, and if it does so with internal or external lawyers, and if external which ones; public interest is to verify that subjects in dispute with the Entity do not become administrators (express cause of incompatibility), as well as identify the major causes of litigation generated by the Entity ".

In any case, the Municipality declared that «with effect from the 20th, in addition to the already ascertained absence of the text of resolution no. XX, the data of the complainant are no longer freely visible even as an object of the same in section "XX", since any reference to this act has been removed ".

On the 20th, the hearing requested by the Municipality of Brindisi was also held pursuant to art. 166, paragraph 6, of the Code on the occasion of which, in addition to what has already been reported in the defense briefs, it was represented that:

- "the Municipality promptly removed the documents published online subject to dispute, finding the complainant's request, even if the disputed personal data was reported in the subject of the resolution by mere error";

- "The Entity acted in perfect good faith and requires that consideration be given to the objective difficulty of sometimes balancing transparency and protection of personal data, also in consideration of the large number of documents to be published online";

- «The contested conduct dates back to the twentieth century and the Municipality has already promptly removed the data at the time. In the twentieth century the Municipality therefore believed that the question had already been resolved, as no further complaint was received from the complainant Mr. XX ";

- "If it was a mistake, it was certainly made due to slight negligence as the institution had already intervened in the twentieth century";

- "From a practical point of view, it is also highlighted, in any case, that the deed subject to publication has some peculiarities, because with it the institution in court was approved, with respect to which it is necessary to indicate some necessary information to identify the cause ";

- "Another element that is believed to be brought to the attention of the Guarantor is the need to fully comply with the regulatory institutions currently in force, such as popular action pursuant to art. 9 of the T.U.E.L. and external verification of incompatibility for pending litigation pursuant to art. 63 of the same T.U.E.L. The mere publication of the objects of administrative measures without any possibility of tracing the question and the parties involved would in fact cancel the operation of these rules. After all, we are talking only about the personal data present in the subject, obviously sweetened by other unnecessary data, and not the entire text which instead would be available only in the period of publication in the register. The relevant public interest of stakeholders spread within administrative proceedings should not be overlooked, which would be irremediably compromised by the absolute non-knowledge of the actions in progress with the relevant main subjects ";

- "It is reiterated that, in the case under dispute, only names and surnames were ostentatious and nothing else".

5. Evaluations of the Guarantor

The subject matter of the case submitted to the attention of the Guarantor concerns the incorrect fulfillment by the Municipality of Brindisi of a request by the complainant made in October XX for the removal from the web of the personal data contained in the council resolution no. XX published in the online praetorian register, which could be traced back to the identity of the younger son and his pathology.

The documents showed that the Municipality, following the request of the complainant, promptly removed the entire text of the aforementioned resolution from the website. The Entity, however, did not proceed to obscure the data of the complainant and of the minor child also contained in the subject of the aforementioned resolution, continuing in the dissemination on the institutional website of the relative names and surnames, including the circumstance of the existence of a proceeding judicial activated by the same against the Municipality.

As part of the investigation opened in this regard by this Authority, the Municipality of Brindisi confirmed in the defense briefs that it had removed the full text of the resolution and that only by mistake had it still left online the personal data described above contained in the subject of the resolution. In any case, in its own defense, it observed that the relative publication would not be in contrast with the reference regulatory framework, but in compliance with the provisions of art. 23, paragraph 1, of the d. lgs. n. 33/2013 and by art. 1, paragraph 16, of the l. n. 190 of 6/11/2012, as well as adhering to the content of art. 11 of the Agid Guidelines "on legal advertising of documents and the preservation of PA websites".

However, it is believed that the interpretation supported by the Municipality to justify the dissemination of the personal data of the complainant and of the child, contained in the subject of the resolution, which remained visible on the web after the removal of the text of the deed, cannot be fully accepted, for the reasons indicated below.

As a preliminary point, it is noted that the reference to the prescription contained in the aforementioned art. 1, paragraph 16, of the l. n. 190/2012 appears inconsistent with respect to the issue involved in this proceeding. As for art. 23, paragraph 1, of the d. lgs. n. 33/2013, it should be noted that the aforementioned provision provides that the pp.aa. must publish "the lists of measures adopted by the political bodies and managers, with particular reference to the final measures of the proceedings [indicated therein]", such as those relating to "the choice of the contractor for the award of works, supplies and services" ; and "the agreements entered into by the administration with private entities or other public administrations".

The provisions contained in the aforementioned article must in any case be interpreted in the light of the principles of personal data protection, according to which the processing of personal data must comply with the principles of necessity and proportionality and personal data must be not only adequate and relevant , but also "limited to what is necessary with respect to the purposes for which they are processed" according to the principle of "minimization" (Article 5, paragraph 1, letter c, of the GDPR).

The Municipality, while admitting that it made a mistake with respect to the complainant's requests by leaving the relevant identification data online, has generally highlighted the existence of a need, for the purpose of transparency of the administrative action, of having to leave public the object of the resolution of establishment in court of the entity and contextual conferment of the mandate to the legal representative with the name of the parties in clear, arguing - in their defense briefs - that "the entire regulatory apparatus aimed at enhancing transparency and social control, precisely in the present case, it would be extremely nullified if [were] systematically concealed the names, the conditions for the appearance in court and the conferral of external appointments". This is because it would be "Citizen's interest [...] precisely to know if the Municipality appears in court to protect its own reasons or remains inactive in the face of any request, and if it does so with internal or external lawyers, and if external such as [...]".

However, the realization of the need expressed by the entity must be reconciled, in any case, with the principles and rules on the protection of personal data, considering that "no automatic prevalence of the objective of transparency over the right to protection of personal data "(Constitutional Court ruling n. 20 of 21/02/2019, point n. 3.1. of the cons. dir.). In compliance with the principle of proportionality, "exceptions and limitations to the protection of personal data must [...] operate within the limits of what is strictly necessary, and before resorting to them it is necessary to hypothesize measures that cause the least harm, for individuals, of the aforementioned fundamental right and which, at the same time, contribute effectively to the achievement of the conflicting objectives of transparency, insofar as they are legitimately pursued "(ibidem, see also the European jurisprudence cited therein).

In this context, for the purposes and objectives described by the Municipality, it is completely irrelevant, and therefore disproportionate, to disseminate the names of the parties involved on the Internet and, specifically, the identity of the complainant and of the minor child together with the circumstance to have instituted a judgment against the administration. If, in fact, the need represented in the defense briefs is that of having to give account of the reasons for the appearance of the entity in court and of the elements relating to the offices conferred on the legal representatives represented (in any case public where they have the characteristics referred to in art. 15 of Legislative Decree no. 33/2013), the same purpose can also be achieved without disclosing online the personal data of the interested parties involved in the judgment, which are not "limited to what is necessary with respect to the purposes for which they are processed", in light of the principle of data "minimization" and therefore also of proportionality (Article 5, paragraph 1, letter c, of the GDPR).

In this regard - while agreeing with what was stated at the hearing by the body regarding the circumstance that, with respect to the resolution of appearance by the Municipality, "it is necessary to indicate some information necessary to identify the cause" - it is noted that, for this purpose, it is sufficient to indicate in the subject of the resolution even only the general role number of the case, making it of no importance to disseminate, in the case in question, the name of the complainant and of the minor child, who could be omitted or obscured without violating what is provided by art. 23, paragraph 1, of the d. lgs. n. 33/2013.

It should be remembered that this Authority, on several occasions, has indicated that even the presence of a specific advertising regime cannot entail any automatism with respect to the online dissemination of personal data and information, nor, as already mentioned, an exception to the relevant principles for the protection of personal data of European origin, provided for by the RGPD.

This is also confirmed by the personal data protection system contained in the RGPD, in the light of which it is envisaged that the data controller must "put in place adequate technical and organizational measures to ensure that only personal data necessary for each specific purpose of the processing are processed by default" ("data protection by default") and must be "able to demonstrate" - in light of the principle of "accountability" - that it has done so (art. 5, par. 2; 24 and 25, par. 2, GDPR).

In this respect, also the reference to art. 11 of the Agid Guidelines "on legal advertising of documents and on the preservation of PA websites" carried out in the defense briefs is not acceptable, as the same refers to the mandatory and unchangeable elements of the registration of the acts in the praetorian register including the object, whose modification "determines the simultaneous cancellation of the entire registration". However, the indication provided by Agid refers to the publication in the praetorian register for the 15 days provided for by the sector regulations (Article 124 of Legislative Decree No. 267/2000), but does not oblige the Municipality to enter personal data in the object of the deliberations, nor does it allow the disclosure of the personal data of the complainant and of the child from XX to XX as happened in the present case.

Finally, in order to justify the need to make the names of the parties public, indicating them in the subject of the deliberations of appearance in court of the Municipality, in the defense briefs and at the hearing by the body, Articles 9 and 63 of the d. lgs. n. 267 of 18/8/2000 (concerning, respectively, "Popular action and environmental protection associations" and the incompatibility of administrators for pending litigation), as well as the existence of a "public interest" in "verifying that subjects in litigation with the Entity do not become administrators (express cause of incompatibility) ”and to“ identify the major causes of litigation generated by the Entity ”.

In this regard, however, the observations of the Municipality are not considered acceptable. On this point, it is firstly stated that the rationale of the aforementioned provisions does not provide for and does not justify the general knowledge of anyone who has or may have a dispute against the Municipality. Similarly, it should be remembered that this Authority has already intervened in the past - albeit in a different context - on the question of the publicity of sentences and judicial proceedings, to highlight that the public nature of the sentence and of the process does not imply that they are therefore only knowable by whoever gives the personal details of the interested parties with details of their personal events (see Letter from the President of the Guarantor for the protection of personal data to the First President of the Supreme Court of Cassation, of 6/10/2014, in www.gpdp.it, doc. web no. 3432529. See also provision no. 131 of 7/4/2022, therein, web doc. no. 9774842; Annual report 2014, ivi, web doc. no. 4059165, page 58).

In confirmation of what has been reported, it should be noted that the Municipality of Brindisi's own Transparency Manager - in the note attached to the Municipality's defense briefs of XX - recalled the indications of the Guarantor, correctly inviting the administrative operators to "limit themselves to including in the documents to be published only those personal data that are really necessary and proportionate to the purpose of transparency pursued in the specific case", and suggesting, "with regard to the formulation of the object of the deed, for the purposes of protecting any personal data present", "to adopt appropriate measures, where possible, by minimizing the data […]". On the measures suggested by the aforementioned Manager to minimize the published data, in addition to what he indicated, it is recalled that the Guarantor already stated in 2014 that "the practice followed by some administrations to replace the name and surname of the interested party with only initials is in itself insufficient to anonymize the personal data contained in the deeds and documents published online" and that "To make the data published online effectively "anonymous" it is therefore necessary to completely obscure the name and other information referring to the interested party that may allow their identification even afterwards" (cf. part one, par. 3, Guidelines on transparency, cit.).

6. Outcome of the investigation relating to the complaint presented

The circumstances highlighted in the defense writings and at the hearing, examined as a whole, are certainly worthy of consideration for the purpose of evaluating the conduct, but they are not sufficient to allow the dismissal of this proceeding, since none of the hypotheses provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.

In this context, the preliminary assessments of the Office carried out with the note prot. n. XX of XX are confirmed and the non-compliance with the RGPD of the conduct of the Municipality of Brindisi is noted, since - despite the removal from the institutional website, as requested by the complainant, of the full text of the aforementioned Council resolution no. XX - the continuing publication on the same institutional website of the identification data of the complainant and the minor child, still contained in the subject of the aforementioned resolution visible online, resulted in a dissemination of personal data and information that was:

a) not compliant with the principle of "minimization" of data, as the data were not "limited to what is necessary with respect to the purposes for which they are processed", in violation of art. 5, par. 1, lett. c), of the GDPR;

b) devoid of suitable regulatory conditions for the period exceeding the fifteen days provided for by art. 124, paragraph 1, of the d. lgs. n. 267/2000 for publication in the praetorian register, in violation of art. 2-ter, paragraphs 1 and 3, of the Code, as well as art. 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR.

However, it is believed that in any case it is necessary to consider the particularity of the case that is the subject of the complaint, which presents a series of circumstances worthy of careful evaluation.

In particular, it is significant that the body had already removed the full text of the contested resolution from the web in XX, as requested by the complainant, and that - as stated at the hearing - only "by mere error were the disputed personal data reported in the subject of the resolution". The Municipality also stated that it "acted in perfect good faith", having believed that it had already resolved the issue in XX, also because since then it had not "received any further complaint from the complainant Mr. XX". During the hearing, it asked that consideration be given to the "objective difficulty of sometimes balancing transparency and protection of personal data, also in consideration of the large number of documents to be published online" and to the fact that "if there was an error, it was surely committed due to slight negligence, since the organization had already intervened in XX". The conduct was therefore of a negligent nature and concerned data not belonging to particular categories or relating to criminal convictions or offenses (articles 9 and 10 of the RGPD), referring only to two interested parties. It is also taken into account that the data controller, following the request of the Office, intervened promptly, collaborating with the Authority during the investigation of this proceeding in order to remedy the violation and mitigate its possible negative effects. In the reply to the Guarantor, various technical and organizational measures implemented pursuant to arts. 25-32 of the RGPD were described and, in any case, there are no relevant previous violations of the RGPD committed by the entity.

The Municipality of Brindisi has a population of just over 83,000 inhabitants.

In light of all the above, instead of imposing a financial penalty, it is considered sufficient to reprimand the data controller for the violation of the aforementioned provisions, pursuant to art. 58, par. 2, lett. b), of the GDPR (see also recital no. 148 of the GDPR).

Finally, it is believed that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019 are met.

IN VIEW OF THE FOREGOING, THE GUARANTOR

having noted the unlawfulness of the processing carried out by the Municipality of Brindisi - with registered office in Piazza Matteotti, 1 - 72100 Brindisi (BR) - Tax Code 80000250748 - within the terms indicated in the motivation, pursuant to art. 58, par. 2, lett. b), of the GDPR

REPRIMANDS

the Municipality of Brindisi for having violated Articles 5, par. 1, lett. c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR; as well as art. 2-ter, paragraphs 1-3, of the Code.

ORDERS

the annotation in the internal register of the Authority of violations and measures adopted pursuant to art. 58, par. 2, of the RGPD with this provision, as required by art. 17 of the Guarantor Regulation n. 1/2019.

Pursuant to art. 78 of the RGPD, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, this provision may be appealed before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, 9 June 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei

[doc. web n. 9789037]

Provision of 9 June 2022

Record of measures
n. 212 of 9 June 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27/4/2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "RGPD");

GIVEN the d. lgs. 30/6/2003, n. 196 containing the “Code regarding the protection of personal data” (hereinafter the “Code”);

GIVEN the general provision n. 243 of 15/5/2014 containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", published in the Official Gazette. n. 134 of 12/6/2014 and in www.gpdp.it, doc. web n. 3134436 (hereinafter "Guidelines on transparency");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

GIVEN the documentation in the deeds;

GIVEN the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web n. 1098801;

Professor Ginevra Cerrina Feroni acting as rapporteur;

WHEREAS

1. Introduction

This Authority received a complaint, presented by XX (hereinafter "complainant"), with which a violation of the legislation on the protection of personal data was reported.

Specifically, the complaint concerned the dissemination of personal data and information contained in the Council's resolution no. XX, published on the institutional website of the Municipality of Brindisi, referring to the complainant and his minor son, with an indication of the injuries suffered by the latter following a fall inside the school.

From the documentation attached by the complainant, it appears that he had previously addressed the Municipality with a note of XX to ask for the "removal of resolution no. XX from the online Praetorian Register [and] its republication in compliance with current regulations, i.e. by deleting all data that can be traced back to the identity of the minor and his/her pathology".

The Guarantor's Office carried out a preliminary check on the institutional website of the entity, to verify the fulfillment by the Municipality of the requests made. In this regard, it emerged that in the area called "Transparent Administration of the Praetorian Register", following route XX, it was not possible to download the content of the disputed resolution.

However, the subject of the aforementioned Council resolution no. XX remained visible, reading verbatim: "Writ of summons before the Civil Section Court of Brindisi promoted by Mr. XX as a parent exercising parental authority over the minor XX. Establishment in court and assignment of mandate to the internal lawyers of the Municipality of Brindisi". In the aforementioned subject, therefore, the personal data (name and surname) of both the complainant and the minor child were still clearly reported, as well as the existence of a judicial proceeding initiated by them against the Municipality.

The aforementioned web page was also directly reachable through the following web addresses:

1. https: // ...;

2. https: // ...

2. The legislation on the protection of personal data

Pursuant to the relevant regulations, "personal data" is "any information concerning an identified or identifiable natural person ("data subject")", and an identifiable natural person is one "who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data, an online identifier or one or more characteristic elements of its physical, physiological, genetic, psychic, economic, cultural or social identity" (art. 4, par. 1, No. 1, of the GDPR).

In this regard, with particular reference to the case submitted to the attention of the Guarantor, it should be noted that public entities, such as the Municipality, may disclose "personal data" within the limits of the provisions of art. 2-ter, paragraphs 1 and 3, of the Code, in compliance - in any case - with the principles of data protection, including that of "minimization", according to which personal data must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter c, of the GDPR).

The state legislation of the sector also provides that "All the resolutions of the municipality and of the province are published by posting on the praetorian notice board, at the headquarters of the body, for fifteen consecutive days, except for specific provisions of the law" (art. 124, paragraph 1, legislative decree no. 267 of 18/8/2000).

With regard to the publication on the praetorian notice board and the "Archive" sections of the body, since 2014, the Guarantor has provided specific indications to the administrations on the precautions to be taken for the dissemination of personal data online with general provision no. 243 of 15/5/2014, containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", published in G.U. n. 134 of 12/6/2014 and in www.gpdp.it, doc. web n. 3134436 (currently being updated, but still current in the substantial part).

In the Guidelines of the Guarantor cited above, it is expressly stated that once the time period for the publication of the deeds and documents in the praetorian register has elapsed:

- "Local authorities cannot continue to disclose the personal data they contain. Otherwise, for the period exceeding the duration envisaged by the reference legislation, an illegal dissemination of personal data would be determined because it is not supported by suitable regulatory conditions […]. In this regard, for example, the permanence on the web of personal data contained in the resolutions of local authorities beyond the term of fifteen days, provided for by art. 124 of the aforementioned d. lgs. n. 267/2000, may constitute a violation of the aforementioned art. 19, paragraph 3, of the Code [editor's note: today reproduced in art. 2-ter, paragraphs 1 and 3, of the Code], where there is no different legislative or regulatory parameter that provides for its disclosure […]. [In this case] if the local authorities want to continue to keep the published deeds and documents on their institutional website, for example in the sections dedicated to the archives of the deeds and/or legislation of the body, they must adopt the appropriate measures for the protection of personal data. In such cases, therefore, it is necessary to obscure in the published documentation the data and information suitable for identifying, even indirectly, the interested parties" (second part, par. 3.a).

3. Preliminary assessments of the Office on the processing of personal data carried out.

From the checks carried out on the basis of the elements acquired and the facts that emerged as a result of the investigation, as well as subsequent evaluations, the Office with note prot. n. XX of the XX has ascertained that the Municipality of Brindisi - by disseminating the data and personal information contained in the subject of the resolution published online described above - has carried out a processing of personal data that does not comply with the relevant regulations on the protection of personal data contained in the GDPR. Therefore, with the same note the violations carried out (pursuant to art.166, paragraph 5, of the Code) were notified to the aforementioned Municipality, communicating the start of the procedure for the adoption of the measures referred to in Article 58, par. 2, of the RGPD and inviting the aforementioned administration to send to the Guarantor defensive writings or documents and, if necessary, to ask to be heard by this Authority, within the term of 30 days (Article 166, paragraphs 6 and 7, of the Code; as well as art.18, paragraph 1, of law no. 689 of 11/24/1981).

4. Defense briefs and hearing.

The Municipality of Brindisi, with the note prot. n. XX of XX, sent to the Guarantor its defense writings in relation to the violations notified.

In this regard, it should be noted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents, is liable pursuant to art. 168 of the Code, entitled "False statements to the Guarantor and interruption of the performance of the tasks or the exercise of the powers of the Guarantor".

Specifically, with regard to the conduct held, the municipal administration highlighted, among other things, that:

- "on XX the Council of the Municipality of Brindisi decided to resist the judicial action brought by a citizen by adopting and publishing resolution no. XX concerning: “Writ of summons before the Civil Section Court of Brindisi promoted by Mr. XX as a parent exercising parental authority over the minor XX. Establishment in court and assignment of mandate to the internal lawyers of the Municipality of Brindisi”";

- "the interested party turns to the Municipality of Brindisi with a note of XX to ask for the "removal of resolution no. XX from the online Praetorian Register [and] its republication in compliance with current regulations, i.e. by deleting all data that can be traced back to the identity of the minor and his/her pathology"";

- "the following day, XX, the Municipality not only ensures that the resolution is no longer visible in the Praetorian Register (which regularly occurred already on XX for the expiry of the fifteen days provided for by the computer system - attachment 2), but also eliminates the visibility of the entire deed from the “Transparent Administration” section, there remaining the indication of the sole object: “Writ of summons before the Civil Section Court of Brindisi promoted by Mr. XX as a parent exercising parental authority over the minor XX. Establishment in court and assignment of mandate to the internal lawyers of the Municipality of Brindisi”; so that no one since XX may have ever had knowledge of the content of the deed and especially of any sensitive data contained therein";

- "More than two years pass and in January of the XX Mr. XX disputes nothing to the Municipality and instead directly lodges a complaint with the Guarantor complaining about “the dissemination of personal data and information contained in the Council's resolution no. XX of the XX, published on the institutional website of this Municipality, referring to the complainant and the minor child with an indication of the injuries reported by the same following a fall inside the school "";

- "As can well be deduced, it has been since November XX that no one has ever been aware of the content of the document and above all of any sensitive data contained therein, such as the state of health or injuries sustained by the minor";

- "The only data that can be deduced from the subject of the provision is that relating to the existence of a civil dispute between Mr. XX, as the parent of the child XX, towards the Municipality of Brindisi ";

- "This Administration does not disclaim the nature of" personal data "to the name and surname expressly indicated in the subject of the resolution, and is well aware that the legitimizing rule, constituted by art. 124, paragraph 1, d. lgs. n. 267 of 18/8/2000, is linked to the period strictly necessary for publication in the praetorian register, for only fifteen consecutive days, and it does not appear that this Guarantor contests the exceeding of this limit ";

- "However, there are further rules on transparency [,] the Municipality of Brindisi is called upon to comply with the provisions of art. 23, c. 1, legislative decree n. 33/2013 and art. 1, co. 16 of the l. n. 190/2012, proceeding with the publication of the provisions of the political bodies within the "XX" section";

- "The obligation is limited to the publication of the list and not of the deeds, which must remain there for a period of five years, and therefore it is necessary to acknowledge the existence of a legitimizing rule. The same guidelines [of the Guarantor] suggest in these cases to "obscure in the published documentation the data and information suitable for identifying, even indirectly, the interested parties". But in the present case no document has been published, only its meta-data, that is the object ";

- "The need therefore emerges to shift attention to the internal procedural level, on the correct formulation of the subject matter of the documents intended for publication, thus satisfying the protection needs from the moment of publication in the Praetorian Register and not having to look at any changes for subsequent publication in the Transparent Administration section ";

- "The Municipality believes that it has always acted in compliance with the law and the additional operational elements provided by the Guarantor";

- "However, elements that are difficult to connect with other regulations and" guidelines "of other authorities emerge, such as those of June 2016 by Agid (Drafting of guidelines on legal advertising of documents and on the preservation of PA websites) , where art. 11 requires that the unchangeable information described in point 1 of the same article, including the subject of the registered deeds, "cannot be canceled and the modification of even one of them determines the simultaneous cancellation of the entire registration" ";

- "The entire regulatory apparatus aimed at enhancing transparency and social control, precisely in the present case, would be extremely nullified if the names, the conditions for the appearance in court and the conferral of external appointments were systematically concealed. The citizen's interest is precisely that of knowing if the Municipality appears in court to protect its reasons or remains inert before any request, and if it does so with internal or external lawyers, and if external which ones; public interest is to verify that subjects in dispute with the Entity do not become administrators (express cause of incompatibility), as well as identify the major causes of litigation generated by the Entity ".

In any case, the Municipality declared that "with effect from XX, in addition to the already ascertained absence of the text of resolution no. XX, the data of the complainant are no longer freely visible even as an object of the same in section "XX", since any reference to this act has been removed".

On XX, the hearing requested by the Municipality of Brindisi pursuant to art. 166, paragraph 6, of the Code was also held, on the occasion of which, in addition to what had already been reported in the defense briefs, it was represented that:

- "the Municipality promptly removed the documents published online subject to dispute, finding the complainant's request, even if the disputed personal data was reported in the subject of the resolution by mere error";

- "The Entity acted in perfect good faith and requires that consideration be given to the objective difficulty of sometimes balancing transparency and protection of personal data, also in consideration of the large number of documents to be published online";

- "The contested conduct dates back to XX and the Municipality has already promptly removed the data at the time. In XX the Municipality therefore believed that the question had already been resolved, as no further complaint was received from the complainant Mr. XX";

- "If it was a mistake, it was certainly made due to slight negligence as the institution had already intervened in XX";

- "From a practical point of view, it is also highlighted, in any case, that the deed subject to publication has some peculiarities, because with it the institution in court was approved, with respect to which it is necessary to indicate some necessary information to identify the cause ";

- "Another element that is believed to be brought to the attention of the Guarantor is the need to fully comply with the regulatory institutions currently in force, such as popular action pursuant to art. 9 of the T.U.E.L. and external verification of incompatibility for pending litigation pursuant to art. 63 of the same T.U.E.L. The mere publication of the objects of administrative measures without any possibility of tracing the question and the parties involved would in fact cancel the operation of these rules. After all, we are talking only about the personal data present in the subject, obviously sweetened by other unnecessary data, and not the entire text which instead would be available only in the period of publication in the register. Furthermore, the relevant public interest of stakeholders spread within administrative proceedings should not be overlooked, which would be irremediably compromised by the absolute non-knowledge of the actions in progress with the relevant main subjects ";

- "It is reiterated that, in the case under dispute, only names and surnames were displayed and nothing else".

5. Evaluations of the Guarantor

The subject matter of the case submitted to the attention of the Guarantor concerns the incorrect fulfillment by the Municipality of Brindisi of a request by the complainant made in October XX for the removal from the web of the personal data contained in the council resolution no. XX published in the online praetorian register, which could be traced back to the identity of the minor son and his pathology.

The documents showed that the Municipality, following the request of the complainant, promptly removed the entire text of the aforementioned resolution from the website. The Entity, however, did not proceed to obscure the data of the complainant and of the minor child also contained in the subject of the aforementioned resolution, and so continued to disseminate on the institutional website their names and surnames, together with the existence of a judicial proceeding initiated by them against the Municipality.

As part of the investigation opened in this regard by this Authority, the Municipality of Brindisi confirmed in the defense briefs that it had removed the full text of the resolution and that only by mistake had it left online the personal data described above, contained in the subject of the resolution. In any case, in its own defense, it observed that the relative publication would not be in contrast with the reference regulatory framework, but in compliance with the provisions of art. 23, paragraph 1, of the d. lgs. n. 33/2013 and of art. 1, paragraph 16, of the l. n. 190 of 6/11/2012, as well as consistent with the content of art. 11 of the Agid Guidelines "on legal advertising of documents and the preservation of PA websites".

However, it is believed that the interpretation supported by the Municipality to justify the dissemination of the personal data of the complainant and of the child, contained in the subject of the resolution, which remained visible on the web after the removal of the text of the deed, cannot be fully accepted, for the reasons indicated below.

As a preliminary point, it is noted that the reference to the prescription contained in the aforementioned art. 1, paragraph 16, of the l. n. 190/2012 appears not pertinent to the issue involved in this proceeding. As for art. 23, paragraph 1, of the d. lgs. n. 33/2013, it should be noted that the aforementioned provision provides that public administrations must publish "the lists of measures adopted by the political bodies and managers, with particular reference to the final measures of the proceedings [indicated therein]", such as those relating to "the choice of the contractor for the award of works, supplies and services" and "the agreements entered into by the administration with private entities or other public administrations".

The provisions contained in the aforementioned article must in any case be interpreted in the light of the principles of personal data protection, according to which the processing of personal data must comply with the principles of necessity and proportionality and personal data must be not only adequate and relevant, but also "limited to what is necessary with respect to the purposes for which they are processed" according to the principle of "minimization" (Article 5, paragraph 1, letter c, of the GDPR).

The Municipality, while admitting that it made a mistake with respect to the complainant's requests by leaving the relevant identification data online, has generally pointed to a need, for the purpose of transparency of administrative action, to leave public the subject of the resolution on the entity's appearance in court and the simultaneous conferral of the mandate on the legal representative, with the names of the parties in clear, arguing - in its defense briefs - that "the entire regulatory apparatus aimed at enhancing transparency and social control, precisely in the present case, it would be extremely nullified if [were] systematically concealed the names, the conditions for the appearance in court and the conferral of external appointments". This is because it would be the "Citizen's interest [...] precisely to know if the Municipality appears in court to protect its own reasons or remains inactive in the face of any request, and if it does so with internal or external lawyers, and if external which ones [...]".

However, the realization of the need expressed by the entity must be reconciled, in any case, with the principles and rules on the protection of personal data, considering that "no automatic prevalence of the objective of transparency over the right to protection of personal data "(Constitutional Court ruling n. 20 of 21/02/2019, point n. 3.1. of the cons. dir.). In compliance with the principle of proportionality, "exceptions and limitations to the protection of personal data must [...] operate within the limits of what is strictly necessary, and before resorting to them it is necessary to hypothesize measures that cause the least harm, for individuals, of the aforementioned fundamental right and which, at the same time, contribute effectively to the achievement of the conflicting objectives of transparency, insofar as they are legitimately pursued "(ibidem, see also the European jurisprudence cited therein).

In this context, for the purposes and objectives described by the Municipality, it is completely irrelevant, and therefore disproportionate, to disseminate the names of the parties involved on the Internet and, specifically, the identity of the complainant and of the minor child together with the circumstance to have instituted a judgment against the administration. If, in fact, the need represented in the defense briefs is that of having to give account of the reasons for the appearance of the entity in court and of the elements relating to the offices conferred on the legal representatives represented (in any case public where they have the characteristics referred to in art. 15 of Legislative Decree no. 33/2013), the same purpose can also be achieved without disclosing online the personal data of the interested parties involved in the judgment, which are not "limited to what is necessary with respect to the purposes for which they are processed. »In light of the principle of data" minimization "and therefore also of proportionality (Article 5, paragraph 1, letter c, of the GDPR).

In this regard - while agreeing with what was stated at the hearing by the body regarding the circumstance that, with respect to the resolution of appearance by the Municipality, "it is necessary to indicate some information necessary to identify the cause" - it is noted that, purpose, it is sufficient to indicate in the subject of the resolution even only the general role number of the case, making it of no importance to disseminate, in the case in question, the name of the complainant and of the minor child who could be omitted or obscured without violating what provided by art. 23, paragraph 1, of the d. lgs. n. 33/2013.

It should be remembered that this Authority, on several occasions, has indicated that even the presence of a specific advertising regime cannot entail any automatism with respect to the online dissemination of personal data and information, nor, as already mentioned, an exception to the relevant principles. for the protection of personal data of European origin, provided for by the RGPD.

This is also confirmed by the personal data protection system contained in the GDPR, in the light of which the data controller must "put in place adequate technical and organizational measures to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed" ("data protection by default") and must be "able to demonstrate" - in light of the principle of "accountability" - that it has done so (arts. 5, par. 2; 24 and 25, par. 2, GDPR).

In this respect, the reference made in the defense briefs to art. 11 of the Agid Guidelines "on legal publicity of documents and on the preservation of PA websites" is also not acceptable, as that article refers to the mandatory and unchangeable elements of the registration of the acts in the praetorian register, including the object, whose modification "determines the simultaneous cancellation of the entire registration". The indication provided by Agid, however, refers to the publication in the praetorian register for the 15 days provided for by the sector regulations (Article 124 of Legislative Decree no. 267/2000); it does not oblige the Municipality to enter personal data in the object of the resolutions, nor does it allow the disclosure of the personal data of the complainant and of the child from XX to XX, as happened in the present case.

Finally, in order to justify the need to make the names of the parties public by indicating them in the subject of the Municipality's resolutions of appearance in court, the body invoked, in the defense briefs and at the hearing, Articles 9 and 63 of Legislative Decree no. 267 of 18/8/2000 (concerning, respectively, "Popular action and environmental protection associations" and the incompatibility of administrators for pending litigation), as well as the existence of a "public interest" in "verifying that subjects in litigation with the Entity do not become administrators (express cause of incompatibility)" and to "identify the major causes of litigation generated by the Entity".

In this regard, however, the observations of the Municipality cannot be accepted. On this point, it is noted first of all that the rationale of the aforementioned provisions does not provide for and does not justify making generally known everyone who has or may have a dispute against the Municipality. Similarly, it should be remembered that this Authority has already intervened in the past - albeit in a different context - on the question of the publicity of judgments and judicial proceedings, to highlight that the public nature of the judgment and of the proceedings does not imply that they are, for that reason alone, knowable by anyone together with the personal details of the interested parties and details of their personal affairs (see Letter from the President of the Guarantor for the protection of personal data to the First President of the Supreme Court of Cassation, of 6/10/2014, in www.gpdp.it, web doc. no. 3432529. See also provision no. 131 of 7/4/2022, ibid., web doc. no. 9774842; Annual report 2014, ibid., web doc. no. 4059165, page 58).

In confirmation of the above, it should be noted that the Municipality of Brindisi's own Transparency Officer - in the note attached to the Municipality's defense briefs of XX - recalled the indications of the Guarantor, correctly inviting the administrative operators to "limit themselves to including in the documents to be published only those personal data that are really necessary and proportionate to the purpose of transparency pursued in the specific case", and suggesting, "with regard to the formulation of the object of the deed, for the purposes of protecting any personal data present", "to adopt appropriate measures, where possible, by minimizing the data […]". On the measures suggested by the aforementioned Officer to minimize the published data, in addition to what the Officer indicated, it is recalled that the Guarantor already pointed out in 2014 that "the practice followed by some administrations of replacing the name and surname of the interested party with only initials is in itself insufficient to anonymize the personal data contained in the deeds and documents published online" and that "To make the data published online effectively 'anonymous' it is therefore necessary to completely obscure the name and other information referring to the interested party that may allow their identification, even subsequently" (cf. part one, par. 3, Guidelines on transparency, cit.).

6. Outcome of the investigation relating to the complaint presented

The circumstances highlighted in the defense briefs and at the hearing, examined as a whole, are certainly worthy of consideration for the purpose of evaluating the conduct, but are not sufficient to allow the dismissal of this proceeding, since none of the hypotheses provided for by art. 11 of the Guarantor Regulation no. 1/2019 applies.

In this context, the preliminary assessments of the Office carried out with the note prot. no. XX of XX and the non-compliance with the GDPR of the conduct of the Municipality of Brindisi are noted, since - despite the removal from the institutional website, as requested by the complainant, of the full text of the aforementioned Council resolution no. XX - the continuing publication on the same institutional website of the identification data of the complainant and the minor child, still contained in the subject of the aforementioned resolution visible online, resulted in a dissemination of personal data and information that:

a) does not comply with the principle of "minimization" of data, as the data were not "limited to what is necessary with respect to the purposes for which they are processed", in violation of art. 5, par. 1, lett. c), of the GDPR;

b) lacks a suitable regulatory basis for the period exceeding the fifteen days provided for by art. 124, paragraph 1, of Legislative Decree no. 267/2000 for publication in the praetorian register, in violation of art. 2-ter, paragraphs 1 and 3, of the Code, as well as art. 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR.

However, it is believed that in any case it is necessary to consider the particularity of the case that is the subject of the complaint, which presents a series of circumstances worthy of careful evaluation.

In particular, it is significant that the body had already removed the full text of the contested resolution from the web in XX, as requested by the complainant, and that - as stated at the hearing - only "by mere error were the disputed personal data reported in the subject of the resolution". The Municipality also stated that it "acted in perfect good faith", having considered that it had already resolved the issue in XX, also because since then it had no longer "received [or] any further complaint from the complainant Mr. XX". During the hearing, it asked that account be taken of the "objective difficulty of sometimes striking the balance between transparency and protection of personal data, also in consideration of the large number of documents to be published online" and of the fact that "if there was an error, it was surely committed due to slight negligence, since the organization had already intervened in XX". The conduct was therefore of a negligent nature and concerned data not belonging to particular categories or relating to criminal convictions or offenses (articles 9 and 10 of the GDPR), referring only to two interested parties. It is also taken into account that the data controller, following the request of the Office, intervened promptly, collaborating with the Authority during the investigation of this proceeding in order to remedy the violation and mitigate its possible negative effects. The reply to the Guarantor set out various technical and organizational measures implemented pursuant to arts. 25-32 of the GDPR and, in any case, there are no relevant previous violations of the GDPR committed by the entity.

The Municipality of Brindisi has a population of just over 83,000 inhabitants.

In light of all the above, instead of imposing a financial penalty, it is considered sufficient to admonish the data controller for the violation of the aforementioned provisions, pursuant to art. 58, par. 2, lett. b), of the GDPR (see also recital no. 148 of the GDPR).

Finally, it is believed that the conditions set out in art. 17 of the Guarantor Regulation no. 1/2019 are met.

IN VIEW OF THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing carried out by the Municipality of Brindisi - with registered office in Piazza Matteotti, 1 - 72100 Brindisi (BR) - Tax Code 80000250748 - within the terms indicated in the motivation, pursuant to art. 58, par. 2, lett. b), of the GDPR.

ADMONISHES

the Municipality of Brindisi for having violated Articles 5, par. 1, lett. c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR; as well as art. 2-ter, paragraphs 1-3, of the Code.

ORDERS

the annotation in the internal register of the Authority of violations and measures adopted pursuant to art. 58, par. 2, of the GDPR with this provision, as required by art. 17 of the Guarantor Regulation no. 1/2019.

Pursuant to art. 78 of the GDPR, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, 9 June 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei