Garante per la protezione dei dati personali (Italy) - 9803345

From GDPRhub
Garante per la protezione dei dati personali - 9803345
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started: 05.05.2021
Decided: 30.06.2022
Published:
Fine: 5,000 EUR
Parties: FISAR
National Case Number/Name: 9803345
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: Carloc

The Italian DPA fined the Federation of Sommeliers, Hoteliers and Restaurateurs €5,000 for violating the principles of lawfulness and data minimisation by publishing a contested disciplinary measure in breach of its own internal rules of procedure.

English Summary

Facts

In January 2021, the Italian Federation of Sommeliers, Hoteliers and Restaurateurs (the controller) expelled a member of the association (the data subject). The decision was documented in the minutes for the meeting of the controller's National Council. The minutes were published on a cloud, accessible to all members. The decision to expel the data subject was still contestable at that time.

The data subject did decide to contest the decision and appealed it before the controller's Arbitration Committee. In May 2021, he also filed a complaint with the Italian DPA because he felt that the decision was published unlawfully.

The appeal before the Arbitration Committee was successful. It reversed the decision and reinstated the data subject as a member of the controller. However, the information on the cloud was only rectified six months later.

Holding

The DPA noted that it followed from the controller’s privacy policy that the personal data of its members would be processed as prescribed by the internal rules of procedure. For this reason, the DPA held the controller’s internal regulation relevant to the case.

The DPA found that the controller’s rules of procedure only prescribed the publication of final decisions. As the decision as still contestable at the time it was published, the DPA held that the decision was published unlawfully.

Therefore, the DPA held that the controller violated Article 5(1)(a), 5(1)(c) and 6(1)(a)(f) GDPR and imposed a fine of €5,000.

Comment

The motivation stated that Articles 5(1)(a), 5(1)(c) and 6(1)(a)(f) were violated. In this context, the DPA explicitly mentions the principles of lawfulness and data minimisation. However, the dispositive part of the decision stated that Articles 5(1)(a)(f) and 6(1) were violated instead. This might be a typo, since Article 5(1)(f) (the principle of integrity and confidentiality) does not seem relevant to the case.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9803345]

Injunction order against the Italian Federation of Sommeliers, Hoteliers and Restaurateurs - 30 June 2022

Record of measures
n. 239 of 30 June 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

GIVEN the legislative decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 on "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

GIVEN the complaint presented by Mr. XX on 05/05/2021 - and regularized on 08/31/2021 - pursuant to art. 77 of the Regulations, which alleged an alleged violation of the rules on the protection of personal data by the Italian Federation of Sommeliers, Hoteliers and Restaurateurs (hereinafter "FISAR" or "Association" or "Federation");

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

Rapporteur Prof. Ginevra Cerrina Feroni;

WHEREAS

1. The complaint and the preliminary investigation.

With the complaint presented to this Authority on 05/05/2021 - regularized on 31/08/2021 - against the Italian Federation of Sommeliers, Hoteliers and Restaurateurs, Mr. XX, a member of the aforementioned Federation, complained about the unlawfulness of the processing of personal data concerning him, with particular reference to the undue communication to all associates of the data concerning the exclusion measure, adopted against him by the National Council in the meeting of 16 January 2021; these data, in particular, were contained in the minutes of the aforementioned meeting which would be sent to all shareholders in full. In the complaint, the interested party also highlighted how the Federation, in response to the note of 14 March 2021 in which the same expressed its disappointment at what happened, limited itself to stating that "it did not engage in any conduct in violation of the rules for the protection of privacy ".

Following the invitation made by this Office on 09/15/2021 to provide comments on the facts of the complaint, with a note dated 11/11/2021, FISAR, represented and defended by the lawyer Andrea Duretti, in stating that the report object of the complaint "does not bear any sensitive data of the complainant except the name and surname and name of the company of which he is the legal representative, given these public and not covered by any prohibition of dissemination" , he also specified that:

the same "has not been sent to all the members but rather inserted, like all the minutes of the NC, in the fisarcloud of the FISAR members, who enter this section with their access credentials";

"With regard to the procedures adopted by FISAR to protect the privacy of its members", the Federation, at the time of their accession (as can be seen from the attached application form in copy), provides "the information on the processing of personal data which is countersigned for acknowledgment and acceptance by all members at the time of registration; the information also refers to the Statute of FISAR which in turn refers to the Internal Regulations ".
With a subsequent note dated 03/12/2021, the Federation, in response to the request for further clarifications made by the Office, on 18/11/2021, regarding the possible identification - in the Statute or in another deliberative act adopted by FISAR - of the scope and methods of circulation of information relating to members within the associative structure, stated that:

"The Articles of Association and the Internal Regulations are the two main documents on which the structural frame of our association rests"; while, "through the Statute, FISAR formally and solemnly expresses the fundamental principles concerning the organization and organization of the Federation", the General Internal Regulations provide for "particular rules for the operation and implementation of the Statute"; to these are added a series of further "internal regulations through which the Federation intends to regulate all aspects not dealt with in detail in the Statute but no less important in the functioning of relations with members: the use of regulations was deemed necessary and useful for regulating the corporate relationship by orienting itself to principles of correctness, transparency and completeness of information (...) ";

"Useful for this discussion is undoubtedly the art. 19 of the Regulation entitled "Disciplinary measures", with particular regard to paragraph 5 where it is provided that "The disciplinary measures referred to in letters c) and d) [respectively temporary or definitive inhibition to hold offices or offices in the association and termination] of the paragraph 1 of this article, once they have become definitive, due to failure to appeal to the Board of Arbitrators or following a decision by the latter, must be published in the official organ of the association (website and magazine) ".

In this regard, FISAR stated that "The drafting of this last point involved, in the drafting of the regulation, not a few reflections, especially regarding the methods of processing personal data of the member removed from the association. The choices, considering the interest of the associates to be informed about the subjects who will no longer be able to represent the association, have turned towards the "publication" of the names of the disqualified subjects in order to avoid that the associates can rely on them, unaware that the associate he can no longer represent the Federation in any way "; he then added that "The choice of the means of dissemination of the exclusion measures has taken into account the fact that not all members are users of the telematic services and may not have direct and uninterrupted access to the website (which contains the FISARCLOUD), for their choice or impossibility; here is the choice of the magazine as an auxiliary and complementary tool to achieve the purposes described in art. 19 of the regulation that all members and associates declare to know and accept, together with the statutory rules, the payment methods and the total membership amounts, at the time of signing the "Membership application form" that we provide in the attachment ".

With communication dated 04/01/2022, the complainant sent this Authority further documentation certifying the developments of the affair that occurred; in particular, in representing that on 26/07/2021 the National Board of Arbitrators (to which the same had made a formal appeal according to the procedures provided for by the association regulations) recognized the validity of its opposition (with consequent annulment of the resolution of the Council that had ordered his exclusion from the association), highlighted how this provision, unlike the previous one, was not subject to any dissemination; at the same time he stressed that "within the FISAR Cloud accessible to all associates, but not to the undersigned to whom access is still prohibited, the documents relating to the exclusion (but not to the victory of the appeal) are still present"; the interested party then pointed out that he had addressed the National Council on 20/12/2021, asking it to ensure that all members can become aware of the aforementioned decision of the Board of Arbitrators.

The Federation, with a note received by this Authority on 01/28/2022, has sent a copy of a document certifying the correction on the FISAR media of the provision for annulment of the exclusion of Mr. XX.

The Office, therefore, on the basis of the documentation in the deeds and the elements acquired during the investigation, with communication dated 02/23/2022, notified FISAR of the act of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of art. 6, par. 1, lett. a) and f) of the Regulations as well as the general principles of lawfulness and data minimization with respect to the purposes pursued, as per art. 5, par. 1, lett. a) and c) of the Regulations.

The Federation, on 03/24/2022, sent its defense papers pursuant to art. 18 of the law n. 689/1981, with which, in formulating a request for a hearing (hearing that was not carried out due to failure to respond to the invitation made by the office on 14/04/2022), he highlighted that:

"Art. 19, paragraph 5 of the disciplinary proceedings regulation cannot be read without taking into account the provisions of art. 5, paragraph 6 of the Articles of Association which literally states: "The exclusion is resolved by the National Council, at the request of the National Executive Council in the following cases (...)";

art. 5, paragraph 7 of the Articles of Association indicates that "The exclusion measure is communicated by registered letter or equivalent systems and is immediately enforceable" and therefore "is not subject to further ratification by the Board of Arbiters", which is "a body of guarantee for associates and third parties (…) which, however, intervenes only after an appeal by the interested party and within the established terms; only at this point the Board of Arbitrators will be able to decide, within 60 days, deciding, in this case yes, definitively, taking nothing away from the effectiveness and enforceability of the decision taken by the National Council "; in particular, "in point 7 of art. 14 of the Articles of Association, it is reiterated that "The Board of Arbitrators also definitively decides on the appeal of the members in the event of exclusion"; decides on the appeal and not on a decision of the National Council which, in the event of exclusion, becomes immediately enforceable (...) ":

"To seal what has been argued so far, if absurdly the Council had not proceeded to publish the provision, it would not have correctly complied with the duties of fairness and transparency towards the associates, violating the provisions of the aforementioned paragraph 7 of art. 5 of the Articles of Association ".

With a subsequent note of 6 April 2022, the complainant represented to this Authority that, on 24/03/2022, following the new membership requested and accepted by the Federation on 09/02/2022, received notice of a new provision of exclusion, approved by the National Council "during the meeting of February 19, 2022 at the end of an investigation that revealed behavior in contrast with the interests of FISAR". In the same note, the interested party also underlined that, as of April 3, 2022, "all the documents relating to the affair (but not to the victory of the appeal) are still present in the Cloud, as well as information relating to the undersigned and my company WineTrade ”(profile, this one, of which no evidence has been provided).

2. The outcome of the investigation.

Upon examination of the declarations made by the data controller during the procedure (whose veracity the author is responsible for pursuant to and for the purposes of art.168 of the Code), as well as the documentation acquired in the proceedings, this Authority formulates the following considerations.

FISAR is a trade association which, as reported in art. 3 of the Statute approved on January 20, 2018, has as its purpose "the promotion and protection of the figure of the sommelier" and that, to achieve these purposes, can carry out all the activities indicated, "by way of example and not exhaustive ", In art. 4 of the Statute itself, as well as "all those activities that do not conflict with its associative nature and its purpose (...)".

In this context, the processing of personal data of members, with reference to common data, is lawful where they have given their consent (Article 6, paragraph 1, letter a) and Cons. 40 of the Regulation) or the processing is necessary for the pursuit of the legitimate interest of the association or of third parties provided, however, that the interests or fundamental rights and freedoms of the interested party do not prevail (Article 6, paragraph 1, letter f ) of the Regulations), "taking into account the reasonable expectations of the interested party on the basis of his relationship with the owner" and the circumstances in which the interested party cannot "reasonably expect further processing of his data" (see Cons. 47 of the Regulation).

Having considered this, it is to the internal regulations of the association that reference must necessarily be made to identify the conditions of the so-called "Legitimate interest" in the processing of the associate's data, with the consequence that the processing is lawful - pursuant to art. 6, paragraph 1, lett. f) of the Regulations - in cases where the same is put in place in the performance of the association's purposes, as identified in the Statute, and to the extent that the interested party, at the time of collecting his data, could reasonably expect the same treatment.

Outside this area, the assumption of lawfulness of the associate's data processing can be found in the consent expressed by the associate, adequately informed, at the time of joining the association.

Given the above, in the case in question, it emerged that FISAR has communicated to all associates information relating to the interested party, concerning the exclusion measure adopted against him by the National Council at the meeting of 16 January 2021.

It also emerged that, at the time of registration, the Federation provides each member with the information pursuant to art. 13 of the Regulation which specifies that the processing of members' data is carried out for the pursuit of the association's purposes, as identified in the Statute and within the limits and according to the procedures established in the General Internal Regulations (which provides for "particular rules of operation and execution of the Statute ") as well as in the various" internal regulations through which the Federation has regulated all aspects not dealt with in detail in the Statute ".
In particular, the regulation bearing the title "Disciplinary measures", in art. 19, paragraph 5, expressly provides - in the part relating to the interest of the members to "be informed about the subjects who can no longer represent the association" - the publication "on the official organ of the association (website and magazine)" of the provisions disciplinary measures of the temporary or definitive inhibition to hold offices or positions in the association and of the expulsion "once they become definitive, due to failure to appeal to the Board of Arbitrators or following a decision of the latter".

In the present case, however, the publication in question, although provided for in the aforementioned art. 19, paragraph 5 of the regulation on disciplinary proceedings, concerned a provision, adopted by the National Council pursuant to art. 5, paragraph 6 of the Statute, still not definitive, however subsequently canceled by the Board of Arbitrators who considered the appeal lodged by the complainant founded pursuant to the following paragraph 7 of art. 5 of the Statute.

This has therefore led to the fact that, in the face of specific internal regulations that punctually regulate the methods and limits of the disclosure of disciplinary measures within the associative structure - providing that each provision is subject to publication on the official organ of the association only "one once it became definitive "- the provision relating to the complainant was instead communicated to all the members without verifying that the same had these characteristics. Moreover, even after the cancellation of the provision by the Board of Arbiters and until January 28, 2022, the disciplinary provision continued to be published on the cloud platform accessed by the Fisar associates, thus contributing to giving a representation that is no longer relevant. of the interested party.

Therefore, the processing in question is illegal for violation of art. 6, par. 1 of the Regulation having been carried out in breach of the conditions of lawfulness required by the standard (paragraph 1, letters a) and f)) as well as the general principles of lawfulness and data minimization, with respect to the purposes pursued, pursuant to art. 5, par. 1, lett. a) and c) of the Regulations.

3. Conclusions: illegality of the treatments carried out.

In light of the foregoing assessments, it is noted that the statements made by the data controller in the defense briefs, although worthy of consideration and whose truthfulness may be called upon to respond pursuant to the aforementioned art. 168 of the Code, do not allow the findings notified by the Office to be overcome with the act of initiation of the procedure and are therefore insufficient to allow archiving, however, none of the cases provided for by art. 11 of the regulation of the Guarantor n. 1/2019, concerning the internal procedures of the Authority having external relevance.

For the above reasons, therefore, the complaint submitted pursuant to art. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2, of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation.

In fact, considering that, during the procedure, the data controller declared that he had corrected, on the FISAR media, the information concerning the provision for the exclusion of the complainant, giving evidence that the same was canceled "by Arbitration ", It is believed that the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation.

4. Order of injunction.

The Guarantor, pursuant to art. 58, par. 2, lett. i) of the Regulations and art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data referring to the complainant, whose unlawfulness has been ascertained, within the terms shown above.

With reference to the elements listed in art. 83, par. 2, of the Regulations for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "in each individual case effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulations), that, in the present case, the following circumstances were taken into consideration:

with regard to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned the general principles of lawfulness in the processing of personal data and the gravity of the same, with reference to the fact that all the associates were recipients of the unlawful communication;

the fact that the Federation has rectified the information subject to unlawful communication was positively considered, giving evidence of the cancellation of the exclusion measure, after the initiation of the procedure;

the fact that the association has actively cooperated with the Authority during the procedure;

the fact that there are no previous violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation;

the circumstance that the personal data affected by the violation, while concerning aspects inherent in a certain delicacy as they relate to the adoption of a disciplinary procedure, do not however fall within the category of particular data referred to in art. 9 of the Regulations.

It is also believed that it assumes relevance, in the present case, in consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (Article 83, paragraph 1, of the Regulation) to which the Authority must comply in determining the amount of the sanction, the fact that the offender is a non-profit association.

On the basis of the aforementioned elements, evaluated as a whole, it is believed to determine the amount of the pecuniary sanction in the amount of 5,000 (five thousand) euros for the violation of Articles 5, par. 1, lett. a) and f) and 6, par. 1 of the Regulation.

In this context, also in consideration of the type of violation ascertained, which concerned the principles of protection of personal data, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, this provision should be published on the Guarantor's website.

Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR

declares, pursuant to art. 57, par. 1, lett. f) and 83 of the Regulation, the unlawfulness of the processing carried out, in the terms set out in the motivation, for the violation of Articles 5, par. 1, lett. a) and f) and 6, par. 1 of the Regulations;

ORDER

he Italian Federation of Sommeliers, Hoteliers and Restaurateurs, in the person of the pro-tempore President, based in Asciano (PI), Via dei Condotti n. 16, P.I. 01111200505, pursuant to art. 58, par. 2, lett. i), of the Regulations, to pay the sum of 5,000 (five thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

INJUNCES

to the same Federation to pay the sum of € 5,000 (five thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - of an amount equal to half of the sanction imposed within the term referred to in art. 10, paragraph 3, of d. lgs. n. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below.

HAS

pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, the publication of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, June 30, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei

[doc. web n. 9803345]

Injunction order against the Italian Federation of Sommeliers, Hoteliers and Restaurateurs - 30 June 2022

Record of measures
n. 239 of 30 June 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

GIVEN the legislative decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 on "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

GIVEN the complaint presented by Mr. XX on 05/05/2021 - and regularized on 08/31/2021 - pursuant to art. 77 of the Regulations, which alleged an alleged violation of the rules on the protection of personal data by the Italian Federation of Sommeliers, Hoteliers and Restaurateurs (hereinafter "FISAR" or "Association" or "Federation");

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

SPEAKER Prof. Ginevra Cerrina Feroni;

WHEREAS

1. The complaint and the preliminary investigation.

With the complaint presented to this Authority on 05/05/2021 - regularized on 31/08/2021 - against the Italian Federation of Sommeliers, Hoteliers and Restaurateurs, Mr. XX, a member of the aforementioned Federation, complained about the unlawfulness of the processing of personal data concerning him, with particular reference to the undue communication to all associates of the data concerning the exclusion measure, adopted against him by the National Council in the meeting of 16 January 2021; these data, in particular, were contained in the minutes of the aforementioned meeting which would be sent to all shareholders in full. In the complaint, the interested party also highlighted how the Federation, in response to the note of 14 March 2021 in which the same expressed its disappointment at what happened, limited itself to stating that "it did not engage in any conduct in violation of the rules for the protection of privacy ".

Following the invitation made by this Office on 09/15/2021 to provide comments on the facts of the complaint, with a note dated 11/11/2021, FISAR, represented and defended by the lawyer Andrea Duretti, in stating that the report object of the complaint "does not bear any sensitive data of the complainant except the name and surname and name of the company of which he is the legal representative, given these public and not covered by any prohibition of dissemination" , he also specified that:

the same "has not been sent to all the members but rather inserted, like all the minutes of the NC, in the fisarcloud of the FISAR members, who enter this section with their access credentials";

"With regard to the procedures adopted by FISAR to protect the privacy of its members", the Federation, at the time of their accession (as can be seen from the attached application form in copy), provides "the information on the processing of personal data which is countersigned for acknowledgment and acceptance by all members at the time of registration; the information also refers to the Statute of FISAR which in turn refers to the Internal Regulations ".
With a subsequent note dated 03/12/2021, the Federation, in response to the request for further clarifications made by the Office, on 18/11/2021, regarding the possible identification - in the Statute or in another deliberative act adopted by FISAR - of the scope and methods of circulation of information relating to members within the associative structure, stated that:

"The Articles of Association and the Internal Regulations are the two main documents on which the structural frame of our association rests"; while, "through the Statute, FISAR formally and solemnly expresses the fundamental principles concerning the organization and organization of the Federation", the General Internal Regulations provide for "particular rules for the operation and implementation of the Statute"; to these are added a series of further "internal regulations through which the Federation intends to regulate all aspects not dealt with in detail in the Statute but no less important in the functioning of relations with members: the use of regulations was deemed necessary and useful for regulating the corporate relationship by orienting itself to principles of correctness, transparency and completeness of information (...) ";

"Useful for this discussion is undoubtedly the art. 19 of the Regulation entitled "Disciplinary measures", with particular regard to paragraph 5 where it is provided that "The disciplinary measures referred to in letters c) and d) [respectively temporary or definitive inhibition to hold offices or offices in the association and termination] of the paragraph 1 of this article, once they have become definitive, due to failure to appeal to the Board of Arbitrators or following a decision by the latter, must be published in the official organ of the association (website and magazine) ".

In this regard, FISAR stated that "The drafting of this last point involved, in the drafting of the regulation, not a few reflections, especially regarding the methods of processing personal data of the member removed from the association. The choices, considering the interest of the associates to be informed about the subjects who will no longer be able to represent the association, have turned towards the "publication" of the names of the disqualified subjects in order to avoid that the associates can rely on them, unaware that the associate he can no longer represent the Federation in any way "; he then added that "The choice of the means of dissemination of the exclusion measures has taken into account the fact that not all members are users of the telematic services and may not have direct and uninterrupted access to the website (which contains the FISARCLOUD), for their choice or impossibility; here is the choice of the magazine as an auxiliary and complementary tool to achieve the purposes described in art. 19 of the regulation that all members and associates declare to know and accept, together with the statutory rules, the payment methods and the total membership amounts, at the time of signing the "Membership application form" that we provide in the attachment ".

With communication dated 04/01/2022, the complainant sent this Authority further documentation certifying the developments of the affair that occurred; in particular, in representing that on 26/07/2021 the National Board of Arbitrators (to which the same had made a formal appeal according to the procedures provided for by the association regulations) recognized the validity of its opposition (with consequent annulment of the resolution of the Council that had ordered his exclusion from the association), highlighted how this provision, unlike the previous one, was not subject to any dissemination; at the same time he stressed that "within the FISAR Cloud accessible to all associates, but not to the undersigned to whom access is still prohibited, the documents relating to the exclusion (but not to the victory of the appeal) are still present"; the interested party then pointed out that he had addressed the National Council on 20/12/2021, asking it to ensure that all members can become aware of the aforementioned decision of the Board of Arbitrators.

The Federation, with a note received by this Authority on 01/28/2022, has sent a copy of a document certifying the correction on the FISAR media of the provision for annulment of the exclusion of Mr. XX.

The Office, therefore, on the basis of the documentation in the deeds and the elements acquired during the investigation, with communication dated 02/23/2022, notified FISAR of the act of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of art. 6, par. 1, lett. a) and f) of the Regulations as well as the general principles of lawfulness and data minimization with respect to the purposes pursued, as per art. 5, par. 1, lett. a) and c) of the Regulations.

The Federation, on 03/24/2022, sent its defense papers pursuant to art. 18 of the law n. 689/1981, with which, in formulating a request for a hearing (hearing that was not carried out due to failure to respond to the invitation made by the office on 14/04/2022), he highlighted that:

"Art. 19, paragraph 5 of the disciplinary proceedings regulation cannot be read without taking into account the provisions of art. 5, paragraph 6 of the Articles of Association which literally states: "The exclusion is resolved by the National Council, at the request of the National Executive Council in the following cases (...)";

art. 5, paragraph 7 of the Articles of Association indicates that "The exclusion measure is communicated by registered letter or equivalent systems and is immediately enforceable" and therefore "is not subject to further ratification by the Board of Arbiters", which is "a body of guarantee for associates and third parties (…) which, however, intervenes only after an appeal by the interested party and within the established terms; only at this point the Board of Arbitrators will be able to decide, within 60 days, deciding, in this case yes, definitively, taking nothing away from the effectiveness and enforceability of the decision taken by the National Council "; in particular, "in point 7 of art. 14 of the Articles of Association, it is reiterated that "The Board of Arbitrators also definitively decides on the appeal of the members in the event of exclusion"; decides on the appeal and not on a decision of the National Council which, in the event of exclusion, becomes immediately enforceable (...) ":

"To seal what has been argued so far, if absurdly the Council had not proceeded to publish the provision, it would not have correctly complied with the duties of fairness and transparency towards the associates, violating the provisions of the aforementioned paragraph 7 of art. 5 of the Articles of Association ".

With a subsequent note of 6 April 2022, the complainant represented to this Authority that, on 24/03/2022, following the new membership requested and accepted by the Federation on 09/02/2022, received notice of a new provision of exclusion, approved by the National Council "during the meeting of February 19, 2022 at the end of an investigation that revealed behavior in contrast with the interests of FISAR". In the same note, the interested party also underlined that, as of April 3, 2022, "all the documents relating to the affair (but not to the victory of the appeal) are still present in the Cloud, as well as information relating to the undersigned and my company WineTrade ”(profile, this one, of which no evidence has been provided).

2. The outcome of the investigation.

Upon examination of the declarations made by the data controller during the procedure (whose veracity the author is responsible for pursuant to and for the purposes of art.168 of the Code), as well as the documentation acquired in the proceedings, this Authority formulates the following considerations.

FISAR is a trade association which, as reported in art. 3 of the Statute approved on January 20, 2018, has as its purpose "the promotion and protection of the figure of the sommelier" and that, to achieve these purposes, can carry out all the activities indicated, "by way of example and not exhaustive ", In art. 4 of the Statute itself, as well as "all those activities that do not conflict with its associative nature and its purpose (...)".

In this context, the processing of personal data of members, with reference to common data, is lawful where they have given their consent (Article 6, paragraph 1, letter a) and Cons. 40 of the Regulation) or the processing is necessary for the pursuit of the legitimate interest of the association or of third parties provided, however, that the interests or fundamental rights and freedoms of the interested party do not prevail (Article 6, paragraph 1, letter f ) of the Regulations), "taking into account the reasonable expectations of the interested party on the basis of his relationship with the owner" and the circumstances in which the interested party cannot "reasonably expect further processing of his data" (see Cons. 47 of the Regulation).

Having considered this, it is to the internal regulations of the association that reference must necessarily be made to identify the conditions of the so-called "Legitimate interest" in the processing of the associate's data, with the consequence that the processing is lawful - pursuant to art. 6, paragraph 1, lett. f) of the Regulations - in cases where the same is put in place in the performance of the association's purposes, as identified in the Statute, and to the extent that the interested party, at the time of collecting his data, could reasonably expect the same treatment.

Outside this area, the assumption of lawfulness of the associate's data processing can be found in the consent expressed by the associate, adequately informed, at the time of joining the association.

Given the above, in the case in question, it emerged that FISAR has communicated to all associates information relating to the interested party, concerning the exclusion measure adopted against him by the National Council at the meeting of 16 January 2021.

It also emerged that, at the time of registration, the Federation provides each member with the information pursuant to art. 13 of the Regulation which specifies that the processing of members' data is carried out for the pursuit of the association's purposes, as identified in the Statute and within the limits and according to the procedures established in the General Internal Regulations (which provides for "particular rules of operation and execution of the Statute ") as well as in the various" internal regulations through which the Federation has regulated all aspects not dealt with in detail in the Statute ".
In particular, the regulation bearing the title "Disciplinary measures", in art. 19, paragraph 5, expressly provides - in the part relating to the interest of the members to "be informed about the subjects who can no longer represent the association" - the publication "on the official organ of the association (website and magazine)" of the provisions disciplinary measures of the temporary or definitive inhibition to hold offices or positions in the association and of the expulsion "once they become definitive, due to failure to appeal to the Board of Arbitrators or following a decision of the latter".

In the present case, however, the publication in question, although provided for in the aforementioned art. 19, paragraph 5 of the regulation on disciplinary proceedings, concerned a provision, adopted by the National Council pursuant to art. 5, paragraph 6 of the Statute, still not definitive, however subsequently canceled by the Board of Arbitrators who considered the appeal lodged by the complainant founded pursuant to the following paragraph 7 of art. 5 of the Statute.

This has therefore led to the fact that, in the face of specific internal regulations that punctually regulate the methods and limits of the disclosure of disciplinary measures within the associative structure - providing that each provision is subject to publication on the official organ of the association only "one once it became definitive "- the provision relating to the complainant was instead communicated to all the members without verifying that the same had these characteristics. Moreover, even after the cancellation of the provision by the Board of Arbiters and until January 28, 2022, the disciplinary provision continued to be published on the cloud platform accessed by the Fisar associates, thus contributing to giving a representation that is no longer relevant. of the interested party.

Therefore, the processing in question is illegal for violation of art. 6, par. 1 of the Regulation having been carried out in breach of the conditions of lawfulness required by the standard (paragraph 1, letters a) and f)) as well as the general principles of lawfulness and data minimization, with respect to the purposes pursued, pursuant to art. 5, par. 1, lett. a) and c) of the Regulations.

3. Conclusions: illegality of the treatments carried out.

In light of the foregoing assessments, it is noted that the statements made by the data controller in the defense briefs, although worthy of consideration and whose truthfulness may be called upon to respond pursuant to the aforementioned art. 168 of the Code, do not allow the findings notified by the Office to be overcome with the act of initiation of the procedure and are therefore insufficient to allow archiving, however, none of the cases provided for by art. 11 of the regulation of the Guarantor n. 1/2019, concerning the internal procedures of the Authority having external relevance.

For the above reasons, therefore, the complaint submitted pursuant to art. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2, of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation.

In fact, considering that, during the procedure, the data controller declared that he had corrected, on the FISAR media, the information concerning the provision for the exclusion of the complainant, giving evidence that the same was canceled "by Arbitration ", It is believed that the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation.

4. Order of injunction.

The Guarantor, pursuant to art. 58, par. 2, lett. i) of the Regulations and art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data referring to the complainant, whose unlawfulness has been ascertained, within the terms shown above.

With reference to the elements listed in art. 83, par. 2, of the Regulations for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "in each individual case effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulations), that, in the present case, the following circumstances were taken into consideration:

with regard to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned the general principles of lawfulness in the processing of personal data and the gravity of the same, with reference to the fact that all the associates were recipients of the unlawful communication;

the fact that the Federation has rectified the information subject to unlawful communication was positively considered, giving evidence of the cancellation of the exclusion measure, after the initiation of the procedure;

the fact that the association has actively cooperated with the Authority during the procedure;

the fact that there are no previous violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation;

the circumstance that the personal data affected by the violation, while concerning aspects inherent in a certain delicacy as they relate to the adoption of a disciplinary procedure, do not however fall within the category of particular data referred to in art. 9 of the Regulations.

It is also believed that it assumes relevance, in the present case, in consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (Article 83, paragraph 1, of the Regulation) to which the Authority must comply in determining the amount of the sanction, the fact that the offender is a non-profit association.

On the basis of the aforementioned elements, evaluated as a whole, it is believed to determine the amount of the pecuniary sanction in the amount of 5,000 (five thousand) euros for the violation of Articles 5, par. 1, lett. a) and f) and 6, par. 1 of the Regulation.

In this context, also in consideration of the type of violation ascertained, which concerned the principles of protection of personal data, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, this provision should be published on the Guarantor's website.

Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR

declares, pursuant to art. 57, par. 1, lett. f) and 83 of the Regulation, the unlawfulness of the processing carried out, in the terms set out in the motivation, for the violation of Articles 5, par. 1, lett. a) and f) and 6, par. 1 of the Regulations;

ORDER

he Italian Federation of Sommeliers, Hoteliers and Restaurateurs, in the person of the pro-tempore President, based in Asciano (PI), Via dei Condotti n. 16, P.I. 01111200505, pursuant to art. 58, par. 2, lett. i), of the Regulations, to pay the sum of 5,000 (five thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

INJUNCES

to the same Federation to pay the sum of € 5,000 (five thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - of an amount equal to half of the sanction imposed within the term referred to in art. 10, paragraph 3, of d. lgs. n. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below.

HAS

pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, the publication of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, June 30, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei