Garante per la protezione dei dati personali (Italy) - 9828987

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 9(4) GDPR
Article 2-septies §8 of the Codice in Materia di Protezione dei Dati Personali
Type: Complaint
Outcome: Upheld
Started: 20.10.2022
Decided: 20.10.2022
Published:
Fine: 5,000 EUR
Parties: XX (the data subject)
Fondazione Teatro Regio di Torino (the controller)
National Case Number/Name: 9828987
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA imposed a €5,000 fine on Fondazione Teatro Regio of Torino for having published on its website health data relating to one of its ex-employees.

English Summary

Facts

On 15 November 2021, the Italian DPA received a complaint from a data subject about the publication of three commissioners' decisions containing her personal data on the website of Fondazione Teatro Regio di Torino, a non-profit operatic organization (the controller). These decisions addressed the replacement of the data subject in the responsibilities assigned to her in two tender procedures due to sickness, and her telematic certificate of illness was published with them on the controller's website. They also dealt with the transfer of powers and functions following her suspension.

In its defence, the controller argued that it had to fulfil its obligation of transparency and thus had to publish the replacement of the person in charge of the procedure and member of the commission in charge of analysing the bids and formulating the award proposal. Moreover, as soon as it received the notification from the DPA, the controller took care to remove the data that were the subject of the complaint, which were therefore no longer visible as of 21 February. Additionally, no employee had ever raised an issue of a personal data breach against the controller prior to this case.

Furthermore, it argued that "this was an isolated incident that probably also took place in view of the climate of tension and embarrassment that existed within the Foundation at that time" and "the publication was not carried out by the person usually in charge of that task, as the office in charge was busy dealing with the complicated work situation with the data subject, which later resulted in her dismissal and legal proceedings. Therefore, this handling of the publication manifested a carelessness due essentially to a material error by an employee who, having received the complete documentation relating to those Determinations, carried out the publication in full, not realising that among the various documents in his hands, some did not formally constitute annexes to the individual Determinations in question and therefore should not be published (reference is made to the sickness certificates)".

Finally, the controller argued that the documents containing the complainant's personal data were published in a section of its website that was not immediately accessible to the 'average' user interested in other contents, and therefore the percentage of the public that 'actually could have accessed those contents in these months' was rather low, and consequently the damage suffered by the complainant was minor.

Holding

The Italian DPA held that the controller, although subject to transparency obligations, published on its website information relating to the health status of the data subject, the disclosure of which is expressly prohibited by Article 2-septies(8) of the Code, as well as information that is not indispensable for the purpose of the processing and is capable of revealing the pending disciplinary proceedings against the complainant.

The processing of personal data carried out by the controller was therefore held unlawful, since it did not comply with the principles of lawfulness, fairness and transparency and of data minimisation, in breach of Article 5(1)(a) and Article 5(1)(c) GDPR. It also took place in the absence of an appropriate legal basis (Article 6(1) GDPR) and in breach of the prohibition on disseminating health data (Article 2-septies(8) of the Code and Article 9(4) GDPR).

Article 83(3) GDPR provides that "where, in relation to the same or related processing operations, a controller or processor intentionally or negligently infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious breach". The DPA therefore considered several elements: the incorrect assessment of the type of data to be published in compliance with the transparency obligations, as well as the material error (limited to the publication of telematic sickness certificates) concerning an isolated case; the absence of specific precedents against the party relating to infringements of the rules on the protection of personal data; the fact that the controller obscured the data relating to the data subject and organised training courses for all its staff as soon as it received the notification of the commencement of proceedings from the DPA; and the controller's cooperation with the DPA during the investigation of these proceedings. Based on these elements, the Italian DPA imposed a €5,000 fine on the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9828987]

Injunction against the Fondazione Teatro Regio of Turin - 20 October 2022

Register of measures
no. 346 of 20 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

CONSIDERING the complaint presented on 15 November 2021 with which Ms XX complained of an alleged violation of the Regulation by the Fondazione Teatro Regio di Torino;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. Premise.

With the complaint sent to this Authority on 15 November 2021, Ms XX complained of the publication, in the "transparent administration" section - general documents - of the website of the Fondazione Teatro Regio di Torino, a non-profit opera body, (hereinafter "the Foundation") of three commissioner decisions containing personal data of the complainant.

Specifically, resolutions no. 1 and no. 2, adopted on 8 January 2021, concerned the replacement of the complainant in the tasks that had been conferred on her in two tender procedures "given the impossibility of Lawyer XX, due to illness, to participate in the tender session...", and the complainant's electronic certificate of illness was also attached to them. Decision no. 4, adopted on 18 January 2021, concerned the transfer of powers and functions "in view of the precautionary suspension adopted today with immediate effect against Lawyer XX".

2. The initiation of the sanctioning procedure

With the communication dated 16 February 2022, the Office notified the Foundation of the deed of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of articles 5, par. 1, lit. a) and c) and 6 of the Regulation as well as of the art. 2-septies, paragraph 8, of the Code.

The regulation on the protection of personal data provides that personal data must be "processed in a lawful, correct and transparent manner in relation to the interested party" and must be "adequate, pertinent and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letters a) and c) of the Regulation).

The data controllers, even if they operate in the performance of their duties as employers, can process the personal data of workers, also relating to particular categories of data - which also include "data relating to health" (cf. article 9, paragraph 1, of the Regulation) - if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks established by the national sector regulations (articles 6, paragraph 1 , letters b) and c); 9, par. 2, lit. b) and par. 4; 88 of the Regulation).

In any case, "data relating to health", i.e. those "related to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health" (Article 4, paragraph 1, no. 15, of the Regulation), due to the greater guarantees that the Regulation and the Code recognize due to the particular delicacy of this category of data, "cannot be disclosed" (Article 2-septies, paragraph 8 of the Code and Article 9, paragraph 4 of the Regulation).

On 18 March 2022, the Foundation sent its defense brief, pursuant to article 18 of law no. 689/1981, with which it simultaneously requested a hearing and, in providing information and clarifications on the facts involved in the matter, represented that:

- among the various obligations to which the Foundation is subject, there is that of publishing on its website all the "Determinations" (i.e. internal documents) that have an external impact: in the present case, it was a question of making known the replacement of the person in charge of the Procedure and member of the commission in charge of analyzing the offers and formulating the assignment proposal, in relation to two negotiated procedures concerning "Fire-fighting systems adaptation works - Lot 4 - Excerpt 4" and "Adjustment works building fire prevention and structures - Lot 4 - Excerpt 4". Therefore, since it is a decision, that of substitution, with obvious effects on the assignment procedure, the undersigned Foundation in full good faith wanted to be as transparent as possible in explaining the reasons for such a position, not taking into consideration the possibility of omitting any information;

- even before going into the merits of the dispute brought against it by Lawyer XX, as soon as it received the notification from this Authority, the Foundation took care to black out the data that are the subject of the complaint, which therefore have no longer been visible since 21 February last, in such a way as to mitigate any prejudicial effects of the violation;

- previously no employee had ever raised a problem of violation of their personal data with the Foundation. "It was an isolated episode that probably took place also taking into account the climate of tension and embarrassment that existed at that time within the Foundation, an unwanted oversight that was not immediately discovered by mistake. In fact, it should be noted that that publication was not carried out by the person who usually dealt with this task, as the office in charge was engaged in dealing with the complicated work situation with the complainant, which then resulted in her dismissal and in judicial proceedings. Therefore, this management of the publication revealed a carelessness due essentially to a material error of an employee who, having received the complete documentation relating to those Determinations, carried out the publication in an integral way, not realizing that among the various documents in his hands some did not formally constitute annexes to the individual Resolutions in question (in fact, from reading the Resolutions no. 1 and no. 2 of 2021, the subject of a complaint, it can be inferred that no annexes were envisaged) and which therefore should not be published (reference is made to sickness certificates).";

- "as for the words used in the three disputed Determinations, the same (illness, precautionary suspension) were inserted in accordance with the principle of transparency that embodies all communications from the Foundation and not to harm the interested party in any way";

- the person who actually dealt with the publication, due to carelessness, did not consider the problem of a possible partial obscuring of the data present in the documents, since the employee is not usually responsible for this activity;

- although deeds containing the complainant's personal data were disseminated, they were published in a section of the Foundation's website (Transparent Administration - General Deeds - Determine) which was not immediately accessible by the "average" user interested in other contents, therefore deeming that the percentage of the public that "actually could have accessed those contents in recent months" was rather low, and that consequently the injury suffered by the claimant was less.

In any case, the Foundation acknowledged "that it had not adequately monitored this situation, particularly in the context of the necessary balancing of interests (transparency obligations on the one hand and protection of the rights and freedoms of the data subject on the other) but for reasons completely involuntary, since the incident occurred at a time when frictions of a labor law nature were in progress with the appellant".

During the hearing held on 31 May 2022, the Foundation, in reiterating what was already represented in the note dated 18 March 2022, also highlighted that:

- “The Teatro Regio di Torino Foundation is a private law foundation pursuant to Legislative Decree no. 367 of 1996 but, according to what is regulated in the statute, subject to the obligations of publicity and transparency, and is required to comply with the obligations established by Legislative Decree no. 50 of 2016 and subsequent amendments and additions.";

- during the period to which the complaint refers, the Foundation was in a receivership regime and "this new organizational structure which has led to the replacement of all the roles in the Theater includes the publication of the data (details) of the complainant, which took place for mere material error as the documents sent for publication were not supervised and, consequently, the sickness certificates of the complainant were also published together with the determinations”;

- as soon as the Guarantor's notification was received, the Foundation promptly took steps to cancel the (particular) data referring to the complainant from the decisions published on the site, not indispensable for the fulfillment of the aforementioned obligation of transparency, and proceeded to organize training courses for all staff;

- the publication of the complainant's data took place at a time when the interested party was still formally employed by the Foundation with the duties indicated in the service order of 1 December 2020 and therefore "without prejudice to the Foundation's responsibility for not having adequately supervised the situation, the lawyer XX had the opportunity to view the documents having a relevant content in terms of data processing."

3. The outcome of the investigation.

Following the examination of the documentation produced and the declarations made by the party during the proceedings, and given that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, it has been ascertained that the Foundation has processed personal data in a manner that does not comply with the relevant regulations on the protection of personal data contained in the GDPR.

The Foundation, although subject to the provisions on transparency, has published on its website information relating to the state of health of the interested party, the dissemination of which is expressly prohibited by law by art. 2-septies, paragraph 8, of the Code and information that is not essential with respect to the purpose of the processing and, among other things, suitable for revealing the pending disciplinary procedure against the complainant.

The processing of personal data put in place by the Foundation in the present case is therefore unlawful since it was carried out in a manner that does not comply with the principles of "lawfulness, correctness and transparency", as well as "minimization" of data, in violation of articles 5, par. 1, lit. a) and c), in the absence of a suitable regulatory basis (art. 6, par. 1, of the Regulation) and in violation of the prohibition of dissemination of health data (art. 2-septies, paragraph 8, of the Code, see also art. 9, paragraph 4, of the GDPR).

4. Adoption of the injunction order (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The circumstances represented in the defensive writings of the Foundation, highlighted again during the hearing, examined as a whole, even if worthy of consideration for the purpose of assessing the conduct, are not sufficient to allow the dismissal of the present proceeding. This is because, in the case in question, none of the hypotheses envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

Considering, however, that the conduct has exhausted its effects, as the data controller has declared that it has taken steps to black out the data that are the subject of the complaint, which have no longer been visible since 21 February 2022, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the GDPR are not met, without prejudice to the application of the administrative fine.

In this regard, art. 83, par. 3, of the GDPR provides that "if, in relation to the same processing or related processing, a data controller or a data processor violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction shall not exceed the amount specified for the most serious violation".

In the present case, the violation of the aforementioned provisions - also considering the reference contained in the art. 166, paragraph 2, of the Code – is subject to the application of the same pecuniary administrative sanction provided for by art. 83, par. 5 of the GDPR, which therefore applies to the present case.

With reference to the elements listed by art. 83, par. 2, of the Regulation for the purposes of applying the administrative fine and the relative quantification, taking into account that the sanctions must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1 of the Regulation), we represent that, in the present case, the following circumstances were considered:

a) the culpable nature of the violation attributable to an incorrect assessment of the type of data to be published in the fulfillment of the transparency obligations as well as to a material error (limited to the publication of electronic sickness certificates) concerning an isolated case;

b) the absence of specific precedents, against the party, relating to violations of the regulations on the protection of personal data;

c) the correction put in place by the Foundation which, in order to remedy the violation, as soon as it received the notification of the initiation of the procedure by the Office, carried out the obscuring of the data that are the subject of the complaint, also arranging training courses for all staff;

d) collaboration with the Authority during the investigation of this proceeding.

Based on the aforementioned elements, evaluated as a whole, it is deemed necessary to determine pursuant to art. 83, para. 2 and 3, of the RGPD, the amount of the pecuniary sanction, provided for by art. 83, par. 5, of the RGPD, in the amount of 5,000.00 (five thousand) euros for the violation of articles 5, par. 1, lit. a) and c), 6 par. 1 of the Regulation and 2-septies, paragraph 8, of the Code (see also art. 9, paragraph 4, of the GDPR), as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same GDPR.

In consideration of the nature and seriousness of the violation ascertained, it is also deemed appropriate to order, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website.

Finally, it is believed that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THIS CONSIDERED, THE GUARANTOR

having detected the unlawfulness of the processing carried out by the Fondazione Teatro Regio di Torino in the terms indicated in the justification, pursuant to articles 58, par. 2, lit. i), and 83 of the GDPR

ORDERS

to the Foundation, in the person of the Director General dott. Guido Mulè, based in Turin, Piazza Castello 215, Tax Code and P.I. 00505900019, to pay the sum of 5,000.00 (five thousand) euros as an administrative fine for the violations referred to in the justification;

ENJOINS

the same Foundation to pay the sum of 5,000.00 (five thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law no. 689/1981.

It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the annex - an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 09/01/2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code).

PROVIDES FOR

- the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019;

- annotation in the Authority's internal register of the violations and measures adopted pursuant to art. 58, par. 2 of the GDPR with this provision, as required by art. 17 of the Regulation of the Guarantor n. 1/2019.

Pursuant to art. 78 of the GDPR, of the articles 152 of the Code and 10 of Legislative Decree lgs. no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 October 2022

PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi

[doc. web no. 9828987]

Injunction against the Fondazione Teatro Regio of Turin - 20 October 2022

Register of measures
no. 346 of 20 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

CONSIDERING the complaint presented on 15 November 2021 with which Ms XX complained of an alleged violation of the Regulations by the Fondazione Teatro Regio di Torino;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Prof. Pasquale Stanzione;

WHEREAS

1. Premise.

With the complaint sent to this Authority on 15 November 2021, Ms XX complained of the publication, in the "transparent administration" section - general documents - of the website of the Fondazione Teatro Regio di Torino, a non-profit opera body, (hereinafter "the Foundation") of three commissioner decisions containing personal data of the complainant.

Specifically, resolutions no. 1 and no. 2, adopted on 8 January 2021, concerned the replacement of the complainant from the tasks that had been conferred on her in two tender procedures "given the impossibility of Lawyer XX, due to illness, to participate in the tender session...", and reported the complainant's electronic certificate of illness is also attached. Decision no. 4, adopted on 18 January 2021, concerned the transfer of powers and functions "in view of the precautionary suspension adopted today with immediate effect against the lawyer. XX".

2. The initiation of the sanctioning procedure

With the communication dated 16 February 2022, the Office notified the Foundation of the deed of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of articles 5, par. 1, lit. a) and c) and 6 of the Regulation as well as of the art. 2-septies, paragraph 8, of the Code.

The regulation on the protection of personal data provides that personal data must be "processed in a lawful, correct and transparent manner in relation to the interested party" and must be "adequate, pertinent and limited to what is necessary with respect to the purposes for which they are treaties" (Article 5, paragraph 1, letters a) and c) of the Regulation).

The data controllers, even if they operate in the performance of their duties as employers, can process the personal data of workers, also relating to particular categories of data - which also include "data relating to health" (cf. article 9, paragraph 1, of the Regulation) - if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks established by the national sector regulations (articles 6, paragraph 1 , letters b) and c); 9, par. 2, lit. b) and par. 4; 88 of the Regulation).

In any case, "data relating to health", i.e. those "related to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health" (Article 4, paragraph 1, no. 15, of the Regulation), due to the greater guarantees that the Regulation and the Code recognize due to the particular delicacy of this category of data, "cannot be disclosed" (Article 2-septies, paragraph 8 of the Code and Article 9, paragraph 4 of the Regulation).

On 18 March 2022, the Foundation sent its defense brief, pursuant to article 18 of law no. 689/1981 with which he simultaneously requested a hearing and, in providing information and clarifications on the facts involved in the matter, represented that: "

- among the various obligations to which the Foundation is subject, there is that of publishing on its website all the "Determinations" (i.e. internal documents) that have an external impact: in the present case, it was a question of making known the replacement of the person in charge of the Procedure and member of the commission in charge of analyzing the offers and formulating the assignment proposal, in relation to two negotiated procedures concerning "Fire-fighting systems adaptation works - Lot 4 - Excerpt 4" and "Adjustment works building fire prevention and structures - Lot 4 - Excerpt 4". Therefore, since it is a decision, that of substitution, with obvious effects on the assignment procedure, the undersigned Foundation in full good faith wanted to be as transparent as possible in explaining the reasons for such a position, not taking into consideration the possibility of omit any information;

- even before going into the merits of the dispute brought against it by Lawyer XX, as soon as it received the notification from this Authority, the Foundation took care to black out the data object of the complaint, which therefore are no longer visible from the last February 21, in such a way as to mitigate any prejudicial effects of the violation;

- previously no employee had ever raised a problem of violation of their personal data with the Foundation. “It was an isolated episode that probably took place also taking into account the climate of tension and embarrassment that existed at that time within the Foundation, an unwanted oversight that was not immediately discovered by mistake. In fact, it should be noted that that publication was not carried out by the person who usually dealt with this task, as the office in charge was engaged in dealing with the complicated work situation with the complainant, which then resulted in her dismissal and in a proceeding judicial. Therefore, this management of the publication revealed a lightness due essentially to a material error of an employee who, having received the complete documentation relating to those Determinations, carried out the publication in an integral way, not realizing that among the various documents in his hands some did not formally constitute annexes to the individual Resolutions in question (in fact, from reading the Resolutions no. 1 and no. 2 of 2021, the subject of a complaint, it can be inferred that no annexes were envisaged) and which therefore should not be published (yes refers to sickness certificates).';

- "as for the words used in the three disputed Determinations, the same (illness, precautionary suspension) were inserted in accordance with the principle of transparency that embodies all communications from the Foundation and not to harm the interested party in any way";

- the subject who concretely dealt with the publication, due to lightness, did not consider the problem of a possible partial obscuring of the data present in the documents, since the employee is not usually responsible for this activity;

- although deeds containing the complainant's personal data were disseminated, they were published in a section of the Foundation's website (Transparent Administration - General Deeds - Determine) which was not immediately accessible by the "average" user interested in other contents, therefore deeming that the percentage of the public that "actually could have accessed those contents in recent months" was rather low, and that consequently the injury suffered by the claimant was less.

In any case, the Foundation acknowledged "that it had not adequately monitored this situation, particularly in the context of the necessary balancing of interests (transparency obligations on the one hand and protection of the rights and freedoms of the data subject on the other) but for reasons completely involuntary, since the incident occurred at a time when frictions of a labor law nature were in progress with the appellant".

During the hearing held on 31 May 2022, the Foundation, in reiterating what was already represented in the note dated 18 March 2022, also highlighted that:

- “The Teatro Regio di Torino Foundation is a private law foundation pursuant to Legislative Decree no. 367 of 1996 but, according to what is regulated in the statute, subject to the obligations of publicity and transparency, and is required to comply with the obligations established by Legislative Decree no. 50 of 2016 and subsequent amendments and additions.";

- during the period to which the complaint refers, the Foundation was in a receivership regime and "this new organizational structure which has led to the replacement of all the roles in the Theater includes the publication of the data (details) of the complainant, which took place for mere material error as the documents sent for publication were not supervised and, consequently, the sickness certificates of the complainant were also published together with the determinations";

- as soon as the Guarantor's notification was received, the Foundation promptly took steps to cancel the (particular) data referring to the complainant from the decisions published on the site, not indispensable for the fulfillment of the aforementioned obligation of transparency, and proceeded to organize training courses for all staff;

- the publication of the complainant's data took place at a time when the interested party was still formally employed by the Foundation with the duties indicated in the service order of 1 December 2020 and therefore "without prejudice to the Foundation's responsibility for not having adequately supervised the situation, the lawyer XX had the opportunity to view the documents having a relevant content in terms of data processing."

3. The outcome of the investigation.

Following the examination of the documentation produced and the declarations made by the party during the proceedings, and bearing in mind that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, it has been ascertained that the Foundation has processed personal data in a manner that does not comply with the relevant regulations on the protection of personal data contained in the GDPR.

The Foundation, although subject to the provisions on transparency, has published on its website information relating to the state of health of the interested party, the dissemination of which is expressly prohibited by law by art. 2-septies, paragraph 8, of the Code and information that is not essential with respect to the purpose of the processing and, among other things, suitable for revealing the pending disciplinary procedure against the complainant.

The processing of personal data put in place by the Foundation in the present case is therefore unlawful, since it was carried out in a manner that does not comply with the principles of "lawfulness, correctness and transparency", as well as "minimization" of data, in violation of articles 5, par. 1, lit. a) and c), in the absence of a suitable regulatory basis (art. 6, par. 1, of the Regulation), as well as in violation of the prohibition of dissemination of health data (art. 2-septies, paragraph 8, of the Code; see also art. 9, paragraph 4, of the GDPR).

4. Adoption of the injunction order (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The circumstances represented in the defensive writings of the Foundation, highlighted again during the hearing, examined as a whole, even if worthy of consideration for the purpose of assessing the conduct, are not sufficient to allow the dismissal of the present proceedings. This is because, in the case in question, none of the hypotheses envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

Considering, however, that the conduct has exhausted its effects, as the data controller declared that it had taken steps to obscure the data that are the subject of the complaint, which have no longer been visible since 21 February 2022, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the GDPR are not met, without prejudice to the application of the administrative fine.

In this regard, art. 83, par. 3, of the GDPR provides that "if, in relation to the same processing or related processing, a data controller or a data processor violates, with willful misconduct or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction will not exceed the amount specified for the most serious violation”.

In the present case, the violation of the aforementioned provisions - also considering the reference contained in the art. 166, paragraph 2, of the Code – is subject to the application of the same pecuniary administrative sanction provided for by art. 83, par. 5 of the GDPR, which therefore applies to the present case.

With reference to the elements listed by art. 83, par. 2, of the Regulation for the purposes of applying the administrative fine and quantifying it, taking into account that the sanctions must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1, of the Regulation), it is noted that, in the present case, the following circumstances were considered:

a) the culpable nature of the violation attributable to an incorrect assessment of the type of data to be published in the fulfillment of the transparency obligations as well as to a material error (limited to the publication of electronic sickness certificates) concerning an isolated case;

b) the absence of specific precedents, against the party, relating to violations of the regulations on the protection of personal data;

c) the correction put in place by the Foundation which, in order to remedy the violation, as soon as it received the notification of the initiation of the procedure by the Office, obscured the data that are the subject of the complaint and also arranged training courses for all staff;

d) collaboration with the Authority during the investigation of this proceeding.

Based on the aforementioned elements, evaluated as a whole, it is deemed necessary to determine, pursuant to art. 83, par. 2 and 3, of the GDPR, the amount of the pecuniary sanction provided for by art. 83, par. 5, of the GDPR in the amount of 5,000.00 (five thousand) euros for the violation of articles 5, par. 1, lit. a) and c), 6 par. 1 of the Regulation and 2-septies, paragraph 8, of the Code (see also art. 9, paragraph 4, of the GDPR), as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same GDPR.

In consideration of the nature and seriousness of the violation ascertained, it is also deemed appropriate to order, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, the publication of this provision on the Guarantor's website.

Finally, it is believed that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

having detected the unlawfulness of the processing carried out by the Fondazione Teatro Regio di Torino in the terms indicated in the justification, pursuant to articles 58, par. 2, lit. i), and 83 of the GDPR

ORDERS

the Foundation, in the person of the Director General dott. Guido Mulè, based in Turin, Piazza Castello 215, Tax Code and P.I. 00505900019, to pay the sum of 5,000.00 (five thousand) euros as an administrative fine for the violations referred to in the justification;

ENJOINS

the same Foundation to pay the sum of 5,000.00 (five thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981.

It should be remembered that the offender retains the right to settle the dispute by paying, again according to the methods indicated in the annex, an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree no. 150 of 09/01/2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code).

PROVIDES FOR

- the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019;

- annotation in the Authority's internal register of the violations and measures adopted pursuant to art. 58, par. 2 of the GDPR with this provision, as required by art. 17 of the Regulation of the Guarantor n. 1/2019.

Pursuant to art. 78 of the GDPR, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 October 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi