Garante per la protezione dei dati personali (Italy) - 9828059

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 24 GDPR
Article 25 GDPR
Type: Other
Outcome: n/a
Started: 20.10.2022
Decided: 20.10.2022
Published: 20.10.2022
Fine: 900 EUR
Parties: Istituto di Istruzione Superiore “G. Renda” di Polistena, Reggio Calabria
National Case Number/Name: 9828059
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: N.A.

On 20 October 2022, the Italian Data Protection Authority issued an injunction against a Higher Education Institute, imposing an administrative penalty of €900, for publishing the personal data of one of its employees on its institutional website.

English Summary

Facts

A teacher lodged a complaint against his employing institute for publishing on its institutional website the termination of the complainant's permanent employment contract, with measures adopted by the Ministry of Education attached.

During a preliminary investigation, the Institute defended itself by explaining that it had acted in accordance with the requests of the Ministry of Education and Article 23 of Legislative Decree no. 33/2013 by publishing summary information containing data strictly necessary to identify the teacher without referring to the reasons for the dismissal.

The Institute considered that the disputed publication was in the legitimate interest of third parties and students. It would make it possible to avoid recruiting the same unfit teacher as a temporary replacement, thereby enabling third parties to conclude a new fixed-term employment contract and guaranteeing continuity of teaching for pupils, which is why the publication was not anonymized.

It also pointed to the troubled context of the Covid pandemic to justify the processing.

Although the Institute withdrew the publication at the DPA’s request, it did not appear at the scheduled hearing.

Holding

The DPA considered that the controller had not verified the existence of a specific provision requiring the mandatory publication of a measure containing information on the termination of an employment contract. The Personal Data Protection Code specifies that the publication of personal data by public bodies is only authorised where it is provided for by a legislative provision or, in the cases provided for by law, by a regulatory provision, in compliance with the principles of data protection (Article 5(1)(a) and (c) GDPR).

In addition, the DPA considered that the controller did not check the data and information that it was entitled to publish under the principles of relevance and non-excess. The GDPR reiterates the obligation to implement appropriate measures to ensure that, by default, only the personal data necessary for each specific purpose of processing are processed (articles 5(2), 24 and 25(2) GDPR). By publishing the decision in a non-anonymous manner, the Institute disseminated personal data that was unnecessary, irrelevant or excessive, and not justified by its purpose insofar as the decision would have remained accessible in the archives by qualified persons.

In so doing, this public entity has violated the principles of data protection and breached the GDPR (article 5(1)(a) and (c) and 6 GDPR) as well as the Legislative Decree no. 196 of 30 June 2003 on the "Personal Data Protection Code" (article 2 ter of the Code in the text prior to Legislative Decree no. 139 of 2021).

Comment

An interesting point of this decision is that the authority considered that publication was not justified by its purpose, despite a possible "publication of data for purposes of transparency and accountability" provided by the Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.

Admittedly, the non-anonymous version of the decision remains accessible to those legally empowered by law, but not to all those who would have an interest in it, given the principle of transparency.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9828059]

Injunction against Istituto di educazione Superiore “G. Renda” of Polistena, Reggio Calabria - 20 October 2022

Register of measures
no. 335 of 20 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ CE, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free movement of such data and which repeals Directive 95/46/EC (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

Given the documentation in the deeds;

Given the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the Guarantor's office for the protection of personal data, doc. web no. 1098801;

Speaker Prof. Pasquale Stanzione;

WHEREAS

1. Introduction.

A complaint presented to this Authority concerned the publication, in the Praetorian Register section of the institutional website of the “G. Renda” Institute of Polistena, Reggio Calabria (hereinafter, the “Institute”), of note prot. no. XX of XX, which communicated the termination of the permanent contract of the interested party (employed as a teacher at the Institute), together with the related measures adopted against the interested party by the Ministry of Education, Regional School Office of Calabria, Reggio Calabria area.

2. The preliminary investigation.

With note dated XX, prot.n.XX, the Institute, in response to a request for information formulated by the Office, stated, in particular, that:

- "it should be noted first of all that this institute has operated in compliance with the requirements of the Ministry of Education - Regional School Office for Calabria - Territorial area of Reggio Calabria, with provisions n.XX of the XX and n. XX of the XX, publishing in its note prot. XX of the XX, only the summary elements indicated in the art. 23 of Legislative Decree lgs. no. 33/2013, paragraph 2 (content, object and details of the main documents of the proceeding)";

- "as regards the legal basis of the processing concerning the publication of the dismissal provision, it should be noted that this institution has published only the data strictly necessary for the identification of the teacher (name, surname and date of birth) indispensable for achieving the institutional purposes underlying the publication of the provisions”;

- “this Management has proceeded to publish its note prot. XX of XX on the institutional website, without using sensitive data (i.e. suitable for revealing racial and ethnic origin, religious beliefs, political opinions, membership of parties or trade unions, state of health and sex life) or relating to legal proceedings and without using redundant data. Again, the art. 23 of Legislative Decree lgs. no. 33/2013 provides for the mandatory publication of the provisions adopted by the political guidance bodies and managers”;

- “as also reported in the request for information, prot. XX, the dismissal provision [in question] was available on the institutional website of this institution from XX to XX".

With a note of the XX (prot. n. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Data Controller, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, par. 1, lit. a) and c) and 6 of the Regulation as well as of the art. 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021), inviting the aforementioned owner to produce defense writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law No. 689 of 24 November 1981).

With a note of the XX (prot. n. XX), integrated with a note of the XX (prot. n.XX), the Institute presented a defense brief, declaring, in particular, that:

- "it should be noted that the provision published and the subject of a complaint [...] contains only the common data [of the complainant] (name, surname and year of birth) without any reference to the reasons that led to the dismissal. The publication of the "mother" provision by the Regional School Office - Provincial Area (the body that ordered his dismissal, formerly the Education Superintendency) has led us to consider it an act to be published in the legitimate interest of both third parties who would have been able to stipulate a new fixed-term employment contract [...], both to guarantee didactic continuity which is an integral part of the students' right to study";

- "registration in the rankings until exhaustion has in fact given the right to teachers to also enroll in the Institute's first level rankings. The educational institutions of the whole province draw from these rankings for temporary substitutes without consulting the Provincial School Office and for this reason it would theoretically be possible to hire a teacher who has been removed from the Provincial Ranking for lack of requirements for a temporary substitute, and then having to do so. substitute for the emergence of unsuitability. The replacement of a teacher during the year is always a "traumatic" event that compromises teaching continuity and conditions the learning path. Anonymizing the document would have eliminated its publication purpose”;

- it was also represented that "any excess and/or illegitimacy of the processing is certainly not attributable to a malicious behavior of the writer but is, if anything, related to a dramatic phase [the pandemic underway at the time of the events] that the organizations in general, but above all the Scholastic Institutions are experiencing and which has not allowed a further study with respect to the behavior of the Regional Scholastic Office - Provincial Area”;

- "the publication remained visible on the institutional website in the online Register section for 30 consecutive days by virtue of a system default setting called "forgetfulness" which archives the document among the expired documents of the Praetorian Register section. From that moment on, the document is visible only after a search by its details. In any case, the document was removed from the section following receipt of your first note without waiting for the outcome of your determinations. No opposition to the treatment and no report had ever reached us from [the complainant] ".

It is also represented that, although the Institute has expressed "the willingness to be heard [o] for any further clarification", it has not followed up on the invitation of this Authority, sent with a note of the XX, prot.n. XX, to participate in the hearing set for day XX.

3. Outcome of the preliminary investigation.

3.1 The regulatory framework.

The personal data protection regulation provides that public subjects, within the working context, can process the personal data of the interested parties, also relating to particular categories, if the treatment is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks established by law or by the law of the Union or of the Member States (Articles 6, paragraph 1, letter c), 9, par. 2, lit. b) and 4 and 88 of the Regulation). Furthermore, the treatment is lawful when it is "necessary for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" (Article 6, paragraph 1, letter e ), 2 and 3, and art. 9, par. 2, lit. g), of the Regulation; art. 2-ter of the Code, in the text prior to the changes made by Legislative Decree 8 October 2021, no. 139).

European legislation provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of the [...] regulation with regard to treatment, in accordance with paragraph 1, letters c) and e), determining with greater precision specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing [...]" (Article 6, paragraph 2, of the Regulation). In this regard, it should be noted that the operation of dissemination of personal data (such as publication on the Internet), by public entities, is permitted only when provided for by a law or, in the cases provided for by law, a regulation (cf. art. 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021).
In any case, the data controller is required to respect the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "data minimization", according to which personal data must be "processed in a lawful, correct and transparent manner in relation to the interested party" and must be "adequate, pertinent and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter a) and c), of the Regulation).

3.2 The dissemination of personal data.

As can be seen from the deeds and declarations made by the data controller, as well as from the assessment carried out on the basis of the elements acquired following the preliminary investigation and subsequent evaluations of this Department, the Institute has published in the Praetorian Register section of its website institutional, from the XX to the XX, the determination prot. n XX, with which the termination of the permanent contract was communicated towards the interested party, with the annexed the relative provision adopted by the Ministry of Education, Regional School Office of Calabria, Territorial area of Reggio Calabria. The aforementioned determination was definitively removed from the Institute's website, "following the receipt of your first note" (see request for information from the Guarantor of the XX).

Preliminarily, with reference to the circumstance that the Institute was required, pursuant to art. 23 of Legislative Decree 14 March 2013, no. 33, to publish the determination in question, it is stated that decree no. 33 of 2013 does not contain any specific provision prescribing the mandatory publication of a provision containing information on the termination of an employment contract following exclusion from a procedure due to lack of the requirements. In particular, it should be noted that the provision contained in art. 23, paragraph 2 of the aforementioned decree, referred to by the Institute, also relating to the publication of summary elements of the final provisions of the proceedings, was repealed by art. 22 of Legislative Decree 25 May 2016, no. 97. In any case, art. 19 of Legislative Decree 14 March 2013, n. 33 (effective from 1 January 2020) provides for the publication of the final rankings only, also with reference to the eligible non-winners, but not with regard to the excluded subjects, nor with regard to the publication of the complete exclusion provision (see provisions of January 27, 2021, no. 28, web doc. no. 9576756; February 11, 2021, no. 51, web doc. no. 9572226; February 11, 2021, no. 60, web doc. 9574101).

In particular, it should be noted that the administration that intends to publish an act containing personal data on the online praetorian register is required to verify, preliminarily, also for common data, the existence of a law or regulation that prescribes the posting of that deed on the praetorian register.

In any case, before disseminating any information relating to the interested party, the Institute should have verified, on the basis of a responsible and careful evaluation, which data and information to publish, taking into account the limits set by the principles of pertinence and non-excess. In this regard, it should be remembered that this Authority, on several occasions, has clarified that even the presence of a specific advertising regime cannot lead to any automatism with respect to the online dissemination of personal data and information, nor a derogation from the principles regarding the protection of personal data (see provision of 25 February 2021, n. 68, web doc. 9567429). On the other hand, this is also confirmed by the personal data protection system contained in the Regulation, in the light of which it is envisaged that the data controller must "implement adequate technical and organizational measures to ensure that they are processed, by default, only the personal data necessary for each specific purpose of the processing" and must be "able to demonstrate" - in the light of the principle of "accountability" - that he has done so (articles 5, paragraph 2; 24 and 25, paragraph 2, regulation).

In the present case, on the other hand, the determination in question was published, together with the attached provisions, without the Institute having previously proceeded with the anonymisation of the personal data contained therein. In fact, it is represented that all the limits established by the legislation apply to publications in the online praetorian register in order not to disseminate unnecessary, irrelevant or excessive personal data (see "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of publicity and transparency on the web by public subjects and other obliged bodies" of 15 May 2014, no. 243, web doc. no. 3134436 and "Guidelines on the processing of personal data of workers for the purpose of managing the employment relationship in the public sector" no. 23 of 14 June 2007, web doc. no. 1417809; see also provision no. 69 of 25 February 2021, web doc. no. 9565258; provision 24 June 2021, no. 256, web doc. no. 9689607; provision 16 September 2021, no. 319, web doc. no. 9704048).

Furthermore, the circumstance, referred to by the Institute, according to which the anonymous publication of the determination in question would have eliminated the purpose of publication is not relevant, since the integral version of the determination would have remained, in any case, in the acts of the Institute and would have been accessible, by qualified subjects, in the ways and within the limits established by law.
The dissemination of the complainant's personal data, contained in determination no. XX of the XX and in the related annexes, has therefore occurred in a manner that does not comply with the principles of data protection and in the absence of an appropriate legal basis, in violation of articles 5, par. 1, lit. a) and c), and 6 of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021).

4. Conclusions.

In the light of the assessments referred to above, it should be noted that the statements made by the data controller during the preliminary investigation ˗ the truthfulness of which may be called upon to answer pursuant to art. 168 of the Code ˗ although worthy of consideration, do not allow the findings notified by the Office with the act of initiation of the proceeding to be overcome and are insufficient to allow the dismissal of the present proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

Therefore, the preliminary assessments of the Office are confirmed and the illegality of the processing of personal data carried out by the Institute is noted, for having disseminated, through online publication, the determination n. XX of the XX (and related annexes), containing the information regarding the termination of the permanent contract with the interested party, in the absence of a legal basis, in violation of articles 5, par. 1, lit. a) and c), 6 of the Regulation as well as article 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021).

The violation of the aforementioned provisions makes applicable the administrative sanction envisaged by art. 83, par. 5, of the Regulation, pursuant to articles 58, par. 2, lit. i), and 83, par. 3, of the same Regulation, as also referred to by art. 166, paragraph 2, of the Code.
In this context, considering, in any case, that the conduct has exhausted its effects - given that the dissemination of data ceased on the XX date - the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i and 83 of the Regulation; article 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).
In this regard, taking into account the art. 83, par. 3 of the Regulation, in the specific case the violation of the aforementioned provisions is subject to the application of the administrative fine provided for by art. 83, par. 5, of the Regulation.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.

In relation to the aforesaid elements, it was considered that the identified conduct concerned the dissemination of personal data relating to events connected with the termination of the employment relationship by the employee, despite the numerous indications given by the Guarantor to all public entities since 2014 with the guidelines referred to above (see also "Guidelines on the processing of personal data of workers for the purpose of managing the employment relationship in the public sector" of 14 June 2007, web doc. n. 1417809).

On the other hand, it was favorably taken into consideration that the violation did not concern particular categories of personal data and that it involved only one interested party. Furthermore, the publication in the Praetorian Register of the determination in question took place for a short period of time. It was also taken into consideration that the violation occurred during a particularly delicate phase (May-November 2020) in which the educational institutions were committed to dealing with the specific needs deriving from the state of health emergency. Furthermore, there are no previous relevant violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation.
Based on the aforementioned elements, evaluated as a whole, it is deemed necessary to determine the amount of the pecuniary sanction in the amount of 900.00 (nine hundred) euros for the violation of articles 5, par. 1, lit. a) and c), 6, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021), as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account that the deed being circulated online contained references to a delicate personal story of the interested party, concerning the termination of the employment contract, it is also believed that the ancillary sanction of publication on the website of the Guarantor of this provision should be applied, envisaged by art. 166, paragraph 7 of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019.

Finally, it should be noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 are met.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, par. 1, lit. f), of the Regulation, the illegality of the processing carried out by the Data Controller for violation of the articles 5, par. 1, lit. a) and c), 6 of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021), in the terms referred to in the justification;

ORDERS

pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation, as well as art. 166 of the Code, to the Institute of Higher Education “G. Renda” of Polistena, Reggio Calabria, in the person of its pro-tempore legal representative, with registered office in Via Vescovo Morabito, 19 - 89024 Polistena (Reggio Calabria), Tax Code 91000410802, to pay the sum of 900.00 (nine hundred) euros as an administrative fine for the violations indicated in the justification. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

to the aforementioned Institute, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 900.00 (nine hundred) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law no. 689/1981;

PROVIDES FOR

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Guarantor's Regulation no. 1/2019);

the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation (see art. 17 of the Guarantor Regulation n. 1/2019).

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 October 2022

PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi