Garante per la protezione dei dati personali (Italy) - 9828987

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 9(4) GDPR
Article 2-septies §8 of the Codice in Materia di Protezione dei Dati Personali
Type: Complaint
Outcome: Upheld
Started: 20.10.2022
Decided: 20.10.2022
Published:
Fine: 5,000 EUR
Parties: XX (the data subject)
Fondazione Teatro Regio di Torino (the controller)
National Case Number/Name: 9828987
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA imposed a €5,000 fine on Fondazione Teatro Regio of Torino for having published on its website health data relating to one of its former employees.

English Summary

Facts

Fondazione Teatro Regio di Torino (the controller) is a non-profit opera organisation which was also involved in public procurement procedures. A former employee (the data subject) was in charge of two tender procedures. However, due to illness she could no longer take part in them. In relation to this, the controller published on its website several decisions containing personal data of the data subject. These decisions addressed the replacement of the data subject in the responsibilities assigned to her in the tender procedures due to sickness. They also contained the data subject's illness certificate as well as information relating to the transfer of powers and functions following her suspension.

On 15 November 2021, the data subject filed a complaint with the Italian DPA, which started an investigation on the case.

In its defence, the controller argued that it had to fulfill its transparency obligations and thus had to publish information about the replacement of the person in charge of the tender procedure. Moreover, as soon as it received the notification from the DPA, the controller took care to remove the data that were the subject of the complaint, which were no longer visible on the website as of 21 February 2022. Additionally, no employee had ever raised an issue of a personal data breach against the controller prior to this case. Allegedly, the incident was caused by a material error of an employee who carried out the publication in full, not realising that among the various documents in his hands, some contained health data, which should not be published. Finally, the controller argued that the damage suffered by the data subject was minor because documents containing her personal data were published in a section of the controller's website that was not immediately accessible to the "average" user.

Holding

The Italian DPA held that the controller, although subject to transparency obligations, published on its website data relating to health, the disclosure of which is expressly prohibited by law (Article 2-septies (8) of the Italian Data Protection Code). Moreover, the DPA held that this information was not indispensable with respect to the purposes of processing and could reveal the pending disciplinary proceedings against the data subject.

The DPA found that the processing of personal data carried out by the controller did not comply with the principles of lawfulness, fairness, transparency and data minimisation, thus violating Article 5(1)(a) and Article 5(1)(c) GDPR. The controller processed health data without a valid legal basis (Article 6(1) GDPR) and in breach of the prohibition to process sensitive data (Article 2-septies (8) of the Code and Article 9(4) GDPR).

Pursuant to Article 83(3) GDPR, the DPA considered several aggravating and mitigating circumstances when deciding on sanctions against the controller. Notably, the DPA took into account the incorrect assessment as to the type of data to be published in compliance with the transparency obligations; the data breach constituting an isolated event; the absence of previous data protection law infringements by the controller; the fact that the controller deleted data relating to the data subject from its website and organised training courses for all its staff as soon as it received notification of the commencement of proceedings from the DPA; and the controller’s cooperation with the DPA during the investigation.

Based on the afore-mentioned elements, the Italian DPA imposed a €5,000 fine on the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9828987]

Injunction against the Fondazione Teatro Regio of Turin - 20 October 2022

Register of measures
no. 346 of 20 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

CONSIDERING the complaint presented on 15 November 2021 with which Ms XX complained of an alleged violation of the Regulation by the Fondazione Teatro Regio di Torino;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. Premise.

With the complaint sent to this Authority on 15 November 2021, Ms XX complained of the publication, in the "transparent administration" section - general documents - of the website of the Fondazione Teatro Regio di Torino, a non-profit opera body, (hereinafter "the Foundation") of three commissioner decisions containing personal data of the complainant.

Specifically, resolutions no. 1 and no. 2, adopted on 8 January 2021, concerned the replacement of the complainant in the tasks that had been conferred on her in two tender procedures "given the impossibility of Lawyer XX, due to illness, to participate in the tender session...", and the complainant's electronic certificate of illness was also attached to them. Decision no. 4, adopted on 18 January 2021, concerned the transfer of powers and functions "in view of the precautionary suspension adopted today with immediate effect against Lawyer XX".

2. The initiation of the sanctioning procedure

With the communication dated 16 February 2022, the Office notified the Foundation of the deed of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of articles 5, par. 1, lit. a) and c) and 6 of the Regulation as well as of the art. 2-septies, paragraph 8, of the Code.

The regulation on the protection of personal data provides that personal data must be "processed in a lawful, correct and transparent manner in relation to the interested party" and must be "adequate, pertinent and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letters a) and c) of the Regulation).

The data controllers, even if they operate in the performance of their duties as employers, can process the personal data of workers, also relating to particular categories of data - which also include "data relating to health" (cf. article 9, paragraph 1, of the Regulation) - if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks established by the national sector regulations (articles 6, paragraph 1 , letters b) and c); 9, par. 2, lit. b) and par. 4; 88 of the Regulation).

In any case, "data relating to health", i.e. those "related to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health" (Article 4, paragraph 1, no. 15, of the Regulation), due to the greater guarantees that the Regulation and the Code recognize due to the particular delicacy of this category of data, "cannot be disclosed" (Article 2-septies, paragraph 8 of the Code and Article 9, paragraph 4 of the Regulation).

On 18 March 2022, the Foundation sent its defense brief, pursuant to article 18 of law no. 689/1981, with which it simultaneously requested a hearing and, in providing information and clarifications on the facts involved in the matter, represented that:

- among the various obligations to which the Foundation is subject, there is that of publishing on its website all the "Determinations" (i.e. internal documents) that have an external impact: in the present case, it was a question of making known the replacement of the person in charge of the Procedure and member of the commission in charge of analyzing the offers and formulating the assignment proposal, in relation to two negotiated procedures concerning "Fire-fighting systems adaptation works - Lot 4 - Excerpt 4" and "Adjustment works building fire prevention and structures - Lot 4 - Excerpt 4". Therefore, since it is a decision, that of substitution, with obvious effects on the assignment procedure, the undersigned Foundation in full good faith wanted to be as transparent as possible in explaining the reasons for such a position, not taking into consideration the possibility of omitting any information;

- even before going into the merits of the dispute brought against it by Lawyer XX, as soon as it received the notification from this Authority, the Foundation took care to black out the data object of the complaint, which therefore are no longer visible from the last February 21, in such a way as to mitigate any prejudicial effects of the violation;

- previously no employee had ever raised a problem of violation of their personal data with the Foundation. “It was an isolated episode that probably took place also taking into account the climate of tension and embarrassment that existed at that time within the Foundation, an unwanted oversight that was not immediately discovered by mistake. In fact, it should be noted that that publication was not carried out by the person who usually dealt with this task, as the office in charge was engaged in dealing with the complicated work situation with the complainant, which then resulted in her dismissal and in a judicial proceeding. Therefore, this management of the publication revealed a lightness due essentially to a material error of an employee who, having received the complete documentation relating to those Determinations, carried out the publication in an integral way, not realizing that among the various documents in his hands some did not formally constitute annexes to the individual Resolutions in question (in fact, from reading the Resolutions no. 1 and no. 2 of 2021, the subject of a complaint, it can be inferred that no annexes were envisaged) and which therefore should not be published (this refers to the sickness certificates).”;

- "as for the words used in the three disputed Determinations, the same (illness, precautionary suspension) were inserted in accordance with the principle of transparency that embodies all communications from the Foundation and not to harm the interested party in any way";

- the subject who concretely dealt with the publication, due to lightness, did not consider the problem of a possible partial obscuring of the data present in the documents, since the employee is not usually responsible for this activity;

- although deeds containing the complainant's personal data were disseminated, they were published in a section of the Foundation's website (Transparent Administration - General Deeds - Determine) which was not immediately accessible by the "average" user interested in other contents, therefore deeming that the percentage of the public that "actually could have accessed those contents in recent months" was rather low, and that consequently the injury suffered by the claimant was less.

In any case, the Foundation acknowledged "that it had not adequately monitored this situation, particularly in the context of the necessary balancing of interests (transparency obligations on the one hand and protection of the rights and freedoms of the data subject on the other) but for reasons completely involuntary, since the incident occurred at a time when frictions of a labor law nature were in progress with the appellant".

During the hearing held on 31 May 2022, the Foundation, in reiterating what was already represented in the note dated 18 March 2022, also highlighted that:

- “The Teatro Regio di Torino Foundation is a private law foundation pursuant to Legislative Decree no. 367 of 1996 but, according to what is regulated in the statute, subject to the obligations of publicity and transparency, and is required to comply with the obligations established by Legislative Decree no. 50 of 2016 and subsequent amendments and additions.";

- during the period to which the complaint refers, the Foundation was in a receivership regime and "this new organizational structure which has led to the replacement of all the roles in the Theater includes the publication of the data (details) of the complainant, which took place for mere material error as the documents sent for publication were not supervised and, consequently, the sickness certificates of the complainant were also published together with the determinations”;

- as soon as the Guarantor's notification was received, the Foundation promptly took steps to cancel the (particular) data referring to the complainant from the decisions published on the site, not indispensable for the fulfillment of the aforementioned obligation of transparency, and proceeded to organize training courses for all staff;

- the publication of the complainant's data took place at a time when the interested party was still formally employed by the Foundation with the duties indicated in the service order of 1 December 2020 and therefore "without prejudice to the Foundation's responsibility for not having adequately supervised the situation, the lawyer XX had the opportunity to view the documents having a relevant content in terms of data processing."

3. The outcome of the investigation.

Following the examination of the documentation produced and the declarations made by the party during the proceedings, given that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, it has been ascertained that the Foundation carried out processing of personal data that does not comply with the relevant regulations on the protection of personal data contained in the GDPR.

The Foundation, although subject to the provisions on transparency, has published on its website information relating to the state of health of the interested party, the dissemination of which is expressly prohibited by law by art. 2-septies, paragraph 8, of the Code and information that is not essential with respect to the purpose of the processing and, among other things, suitable for revealing the pending disciplinary procedure against the complainant.

The processing of personal data put in place by the Foundation in the present case is therefore unlawful since it was carried out in a manner that does not comply with the principles of "lawfulness, correctness and transparency", as well as "minimization" of data, in violation of articles 5, par. 1, lit. a) and c), in the absence of a suitable regulatory basis (art. 6, par. 1, of the Regulation), as well as in violation of the prohibition of dissemination of health data (art. 2-septies, paragraph 8, of the Code, see also art. 9, paragraph 4, of the GDPR).

4. Adoption of the injunction order (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The circumstances represented in the defensive writings of the Foundation, highlighted again during the hearing, examined as a whole, even if worthy of consideration for the purpose of assessing the conduct, are not sufficient to allow the dismissal of the present proceeding. This is because, in the case in question, none of the hypotheses envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

Considering, however, that the conduct has exhausted its effects, as the data controller has declared that it has taken steps to black out the data that are the subject of the complaint, which have no longer been visible since 21 February 2022, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the GDPR are not met, without prejudice to the application of the administrative fine.

In this regard, art. 83, par. 3, of the GDPR provides that "if, in relation to the same processing or related processing, a data controller or a data processor violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction will not exceed the amount specified for the most serious violation”.

In the present case, the violation of the aforementioned provisions - also considering the reference contained in the art. 166, paragraph 2, of the Code – is subject to the application of the same pecuniary administrative sanction provided for by art. 83, par. 5 of the GDPR, which therefore applies to the present case.

With reference to the elements listed by art. 83, par. 2, of the Regulation for the purposes of applying the administrative fine and the relative quantification, taking into account that the sanctions must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1 of the Regulation), we represent that, in the present case, the following circumstances were considered:

a) the culpable nature of the violation attributable to an incorrect assessment of the type of data to be published in the fulfillment of the transparency obligations as well as to a material error (limited to the publication of electronic sickness certificates) concerning an isolated case;

b) the absence of specific precedents, against the party, relating to violations of the regulations on the protection of personal data;

c) the correction put in place by the Foundation which, in order to remedy the violation, as soon as it received the notification of the initiation of the procedure by the Office, carried out the obscuring of the data that are the subject of the complaint, also arranging training courses for all staff;

d) collaboration with the Authority during the investigation of this proceeding.

Based on the aforementioned elements, evaluated as a whole, it is deemed necessary to determine, pursuant to art. 83, para. 2 and 3, of the GDPR, the amount of the pecuniary sanction provided for by art. 83, par. 5, of the GDPR in the amount of 5,000.00 (five thousand) euros for the violation of articles 5, par. 1, lit. a) and c), 6 par. 1 of the Regulation and 2-septies, paragraph 8, of the Code (see also art. 9, paragraph 4, of the GDPR), as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same GDPR.

In consideration of the nature and seriousness of the violation ascertained, it is also deemed necessary to order, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website.

Finally, it is believed that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

having detected the unlawfulness of the processing carried out by the Fondazione Teatro Regio di Torino in the terms indicated in the justification, pursuant to articles 58, par. 2, lit. i), and 83 of the GDPR

ORDERS

to the Foundation, in the person of the Director General dott. Guido Mulè, based in Turin, Piazza Castello 215, Tax Code and P.I. 00505900019, to pay the sum of 5,000.00 (five thousand) euros as an administrative fine for the violations referred to in the justification;

ENJOINS

to the same Foundation to pay the sum of 5,000.00 (five thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law no. 689/1981.

It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the annex - an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 09/01/2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code).

PROVIDES FOR

- the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019;

- annotation in the Authority's internal register of the violations and measures adopted pursuant to art. 58, par. 2 of the GDPR with this provision, as required by art. 17 of the Regulation of the Guarantor n. 1/2019.

Pursuant to art. 78 of the GDPR, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 October 2022

THE PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi

[doc. web no. 9828987]

Injunction against the Fondazione Teatro Regio of Turin - 20 October 2022

Register of measures
no. 346 of 20 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

CONSIDERING the complaint presented on 15 November 2021 with which Ms XX complained of an alleged violation of the Regulations by the Fondazione Teatro Regio di Torino;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. Premise.

With the complaint sent to this Authority on 15 November 2021, Ms XX complained of the publication, in the "transparent administration" section - general documents - of the website of the Fondazione Teatro Regio di Torino, a non-profit opera body, (hereinafter "the Foundation") of three commissioner decisions containing personal data of the complainant.

Specifically, resolutions no. 1 and no. 2, adopted on 8 January 2021, concerned the replacement of the complainant from the tasks that had been conferred on her in two tender procedures "given the impossibility of Lawyer XX, due to illness, to participate in the tender session...", and reported the complainant's electronic certificate of illness is also attached. Decision no. 4, adopted on 18 January 2021, concerned the transfer of powers and functions "in view of the precautionary suspension adopted today with immediate effect against the lawyer. XX".

2. The initiation of the sanctioning procedure

With the communication dated 16 February 2022, the Office notified the Foundation of the deed of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of articles 5, par. 1, lit. a) and c) and 6 of the Regulation as well as of the art. 2-septies, paragraph 8, of the Code.

The regulation on the protection of personal data provides that personal data must be "processed in a lawful, correct and transparent manner in relation to the interested party" and must be "adequate, pertinent and limited to what is necessary with respect to the purposes for which they are treaties" (Article 5, paragraph 1, letters a) and c) of the Regulation).

The data controllers, even if they operate in the performance of their duties as employers, can process the personal data of workers, also relating to particular categories of data - which also include "data relating to health" (cf. article 9, paragraph 1, of the Regulation) - if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks established by the national sector regulations (articles 6, paragraph 1 , letters b) and c); 9, par. 2, lit. b) and par. 4; 88 of the Regulation).

In any case, "data relating to health", i.e. those "related to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health" (Article 4, paragraph 1, no. 15, of the Regulation), due to the greater guarantees that the Regulation and the Code recognize due to the particular delicacy of this category of data, "cannot be disclosed" (Article 2-septies, paragraph 8 of the Code and Article 9, paragraph 4 of the Regulation).

On 18 March 2022, the Foundation sent its defense brief, pursuant to article 18 of law no. 689/1981 with which he simultaneously requested a hearing and, in providing information and clarifications on the facts involved in the matter, represented that: "

- among the various obligations to which the Foundation is subject, there is that of publishing on its website all the "Determinations" (i.e. internal documents) that have an external impact: in the present case, it was a question of making known the replacement of the person in charge of the Procedure and member of the commission in charge of analyzing the offers and formulating the assignment proposal, in relation to two negotiated procedures concerning "Fire-fighting systems adaptation works - Lot 4 - Excerpt 4" and "Adjustment works building fire prevention and structures - Lot 4 - Excerpt 4". Therefore, since it is a decision, that of substitution, with obvious effects on the assignment procedure, the undersigned Foundation in full good faith wanted to be as transparent as possible in explaining the reasons for such a position, not taking into consideration the possibility of omit any information;

- even before going into the merits of the dispute brought against it by Lawyer XX, as soon as it received the notification from this Authority, the Foundation took care to black out the data object of the complaint, which therefore are no longer visible from the last February 21, in such a way as to mitigate any prejudicial effects of the violation;

- previously no employee had ever raised a problem of violation of their personal data with the Foundation. “It was an isolated episode that probably took place also taking into account the climate of tension and embarrassment that existed at that time within the Foundation, an unwanted oversight that was not immediately discovered by mistake. In fact, it should be noted that that publication was not carried out by the person who usually dealt with this task, as the office in charge was engaged in dealing with the complicated work situation with the complainant, which then resulted in her dismissal and in a proceeding judicial. Therefore, this management of the publication revealed a lightness due essentially to a material error of an employee who, having received the complete documentation relating to those Determinations, carried out the publication in an integral way, not realizing that among the various documents in his hands some did not formally constitute annexes to the individual Resolutions in question (in fact, from reading the Resolutions no. 1 and no. 2 of 2021, the subject of a complaint, it can be inferred that no annexes were envisaged) and which therefore should not be published (yes refers to sickness certificates).';

- "as for the words used in the three disputed Determinations, the same (illness, precautionary suspension) were inserted in accordance with the principle of transparency that embodies all communications from the Foundation and not to harm the interested party in any way";

- the subject who concretely dealt with the publication, due to lightness, did not consider the problem of a possible partial obscuring of the data present in the documents, since the employee is not usually responsible for this activity;

- although deeds containing the complainant's personal data were disseminated, they were published in a section of the Foundation's website (Transparent Administration - General Deeds - Determine) which was not immediately accessible by the "average" user interested in other contents, therefore deeming that the percentage of the public that "actually could have accessed those contents in recent months" was rather low, and that consequently the injury suffered by the claimant was less.

In any case, the Foundation acknowledged "that it had not adequately monitored this situation, particularly in the context of the necessary balancing of interests (transparency obligations on the one hand and protection of the rights and freedoms of the data subject on the other) but for reasons completely involuntary, since the incident occurred at a time when frictions of a labor law nature were in progress with the appellant".

During the hearing held on 31 May 2022, the Foundation, in reiterating what was already represented in the note dated 18 March 2022, also highlighted that:

- “The Teatro Regio di Torino Foundation is a private law foundation pursuant to Legislative Decree no. 367 of 1996 but, according to what is regulated in the statute, subject to the obligations of publicity and transparency, and is required to comply with the obligations established by Legislative Decree no. 50 of 2016 and subsequent amendments and additions.";

- during the period to which the complaint refers, the Foundation was in a receivership regime and "this new organizational structure which has led to the replacement of all the roles in the Theater includes the publication of the data (details) of the complainant, which took place for mere material error as the documents sent for publication were not supervised and, consequently, the sickness certificates of the complainant were also published together with the determinations";

- as soon as the Guarantor's notification was received, the Foundation promptly took steps to cancel the (particular) data referring to the complainant from the decisions published on the site, not indispensable for the fulfillment of the aforementioned obligation of transparency, and proceeded to organize training courses for all staff;

- the publication of the complainant's data took place at a time when the interested party was still formally employed by the Foundation with the duties indicated in the service order of 1 December 2020 and therefore "without prejudice to the Foundation's responsibility for not having adequately supervised the situation, the lawyer XX had the opportunity to view the documents having a relevant content in terms of data processing."

3. The outcome of the investigation.

Following the examination of the documentation produced and the declarations made by the party during the proceedings, and bearing in mind that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, it has been ascertained that the Foundation processed personal data in a manner that does not comply with the relevant regulations on the protection of personal data contained in the GDPR.

The Foundation, although subject to the provisions on transparency, has published on its website information relating to the state of health of the interested party, the dissemination of which is expressly prohibited by law by art. 2-septies, paragraph 8, of the Code and information that is not essential with respect to the purpose of the processing and, among other things, suitable for revealing the pending disciplinary procedure against the complainant.

The processing of personal data put in place by the Foundation in the present case is therefore unlawful since it was carried out in a manner that does not comply with the principles of "lawfulness, correctness and transparency", as well as "minimization" of data, in violation of articles 5, par. 1, lit. a) and c), in the absence of a suitable regulatory basis (art. 6, par. 1 of the Regulation) and in violation of the prohibition of dissemination of health data (art. 2-septies, paragraph 8, of the Code; see also art. 9, paragraph 4, of the GDPR).

4. Adoption of the injunction order (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The circumstances represented in the defensive writings of the Foundation, highlighted again during the hearing, examined as a whole, even if worthy of consideration for the purpose of assessing the conduct, are not sufficient to allow the dismissal of the present proceedings. This is because, in the case in question, none of the hypotheses envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

Considering, however, that the conduct has exhausted its effects, as the data controller declared that it had taken steps to black out the data that are the subject of the complaint, which have no longer been visible since 21 February 2022, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2 of the GDPR are not met, without prejudice to the application of the administrative fine.

In this regard, art. 83, par. 3, of the GDPR provides that "if, in relation to the same processing or related processing, a data controller or a data processor violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction will not exceed the amount specified for the most serious violation".

In the present case, the violation of the aforementioned provisions - also considering the reference contained in the art. 166, paragraph 2, of the Code – is subject to the application of the same pecuniary administrative sanction provided for by art. 83, par. 5 of the GDPR, which therefore applies to the present case.

With reference to the elements listed by art. 83, par. 2, of the Regulation for the purposes of applying the administrative fine and the relative quantification, taking into account that the sanctions must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1 of the Regulation), it is noted that, in the present case, the following circumstances were considered:

a) the culpable nature of the violation attributable to an incorrect assessment of the type of data to be published in the fulfillment of the transparency obligations as well as to a material error (limited to the publication of electronic sickness certificates) concerning an isolated case;

b) the absence of specific precedents, against the party, relating to violations of the regulations on the protection of personal data;

c) the correction put in place by the Foundation which, in order to remedy the violation, as soon as it received the notification of the initiation of the procedure by the Office, obscured the data that are the subject of the complaint and also arranged training courses for all staff;

d) collaboration with the Authority during the investigation of this proceeding.

Based on the aforementioned elements, evaluated as a whole, it is deemed necessary to determine, pursuant to art. 83, para. 2 and 3, of the GDPR, the amount of the pecuniary sanction provided for by art. 83, par. 5, of the GDPR, in the amount of 5,000.00 (five thousand) euros for the violation of articles 5, par. 1, lit. a) and c), 6 par. 1 of the Regulation and 2-septies, paragraph 8, of the Code (see also art. 9, paragraph 4, of the GDPR), as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same GDPR.

In consideration of the nature and seriousness of the violation ascertained, it is also considered appropriate to order, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website.

Finally, it is believed that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

IN VIEW OF ALL THE FOREGOING, THE GUARANTOR

having detected the unlawfulness of the processing carried out by the Fondazione Teatro Regio di Torino in the terms indicated in the justification, pursuant to articles 58, par. 2, lit. i), and 83 of the GDPR

ORDERS

to the Foundation, in the person of the Director General dott. Guido Mulè, based in Turin, Piazza Castello 215, Tax Code and P.I. 00505900019, to pay the sum of 5,000.00 (five thousand) euros as an administrative fine for the violations referred to in the justification;

ENJOINS

to the same Foundation to pay the sum of 5,000.00 (five thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law no. 689/1981.

It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the annex - an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 09/01/2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code).

PROVIDES FOR

- the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019;

- annotation in the Authority's internal register of the violations and measures adopted pursuant to art. 58, par. 2 of the GDPR with this provision, as required by art. 17 of the Regulation of the Guarantor n. 1/2019.

Pursuant to art. 78 of the GDPR, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 October 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi