Garante per la protezione dei dati personali (Italy) - 9830178

From GDPRhub
Garante per la protezione dei dati personali - 9830178
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 6(2) GDPR
Article 2-sexies of the Codice in Materia di Protezione dei Dati Personali
Article 2-ter of the Codice in Materia di Protezione dei Dati Personali
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.10.2022
Published: 06.10.2022
Fine: 100,000 EUR
Parties: Regione di Veneto (the Controller)
National Case Number/Name: 9830178
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA fined the Veneto Region €100,000 for disclosing the data of 12,580 non-vaccinated health workers outside the regulatory framework provided for by national law, in breach of Articles 5(1)(a) and 6 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

Following the entry into force of the Legislative Decree No. 44/2021, the Veneto Region (the controller) transmitted the lists of health care workers who were not vaccinated on the date of 15 April 2021 (data subjects), to the competent doctor of each employer through a password-protected list, to persuade them, in good faith, to adhere to the vaccination as set out in the legislative decree No. 44/2021. The competent doctor would receive personal details of the data subjects, such as their tax code, surname, first name, date of birth and gender. Moreover, the employers were asked to provide the contact details of each competent doctor, then a vaccination invitation model was sent, with a request for rapid transmission to the data subjects concerned.

Based on dozens of complaints and reports from data subjects (mostly medical and nursing staff employed in healthcare facilities in the Veneto Region) and on the basis of questions raised by competent doctors working at regional healthcare facilities, the Italian DPA launched a preliminary investigation into the processing operations carried out by the controller during the implementation of the Legislative Decree No. 44/2021.

The controller ascertained that the verifications that it carried out were transmitted to the figure expressly appointed to deal with the health aspects of the workers, (i.e., the competent doctor). The competent doctor would then transmit this information to the local health authority pursuant to Legislative Decree 44/2021. Moreover, the controller allegedly ensured that the transmission of the lists of data subjects to the competent doctors was carried out to perform a task in the public interest and for the exercise of public powers vested in the controller. The controller reaffirmed the difficult period during which it had to act and the fact that Article 4 of the Legislative Decree No. 44/2021 was subject to subsequent amendments which led to uncertainty in the regulatory framework (such as extension of the vaccination obligation to all workers employed in residential, social welfare and social health facilities, and extension of the effectiveness of the vaccination to a longer time-period).

Holding[edit | edit source]

The Italian DPA noted that the systematic and generalised transmission to the competent doctors working at the regional health authorities of lists of all data subjects who were not vaccinated at the time of the events, gave rise to a communication of personal data not provided by sectoral law relating to the verification of vaccination as a professional requirement (Article 4 of the Legislative Decree no. 44/2021) nor by the law on safety in the workplace (Legislative Decree no. 81/2008). Therefore, the data processing occurred in the absence of a valid legal basis, in breach of Article 5(1)(a) and Article 6 GDPR, as well as Articles 2-ter and 2-sexies of the Italian Data Protection Code. According to the DPA, there was no disclosure of data relating to health under Article 9 GDPR.

Additionally, the Italian DPA reminded that the disclosure of data to third parties by public entities is only permissible when provided for by a provision of law, or in cases falling under Article 6(2) GDPR. Moreover, the Italian DPA noted that the controller did not follow ordinary channels of communication when transmitting the lists of data subjects, therefore confirming that it acted outside the regulatory framework.

Pursuant to Article 58 GDPR and Article 83 GDPR, the DPA took into account the nature, object and purpose of the processing as well as the particularly large number of data subjects concerned (as the transmitted lists contained the names and other personal data of approximately 12,580 public health workers) and their vulnerability in their work environment, as well as the consequences on a relational and professional level of the circulation of personal information in such context. The DPA also considered the emergency context in which the events in question occurred. The uncertainty of the legal framework of reference allegedly led the controller to take the initiative at regional level, misinterpreting the role of the competent doctors for the purposes of data protection and mistakenly relying on the legitimacy of the data transmission. For the DPA, the controller acted in good faith, with the aim of supporting its health authorities at a particularly complicated time and to raise awareness of vaccination in an area already heavily affected by deaths among health personnel. The controller also cooperated during the investigation to reduce the consequences of the disclosure of data.

In consideration of all these points, the Italian DPA imposed a €100,000 fine to the controller.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9830178]

Injunction order against the Veneto Region - 6 October 2022

Register of measures
no. 320 of 6 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ CE, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free movement of such data and which repeals Directive 95/46/EC (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the Guarantor's office for the protection of personal data, doc. web no. 1098801;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. Premise.

On the basis of dozens of complaints and reports from interested parties (mostly medical and nursing personnel employed in health facilities in the Veneto Region) and on the basis of questions formulated by competent doctors working at the regional health authorities - a investigation in order to verify compliance with the regulations on the protection of personal data of certain treatments carried out by the Veneto Region during the procedures aimed at ascertaining the professional requirement of anti SARS-CoV-2 vaccination for healthcare workers (art. 4 of Legislative Decree No. 44 of 1 April 2021 in the text prior to the amendments made by Legislative Decree No. 172 of 26 November 2021).

In particular, with a regional note dated 21.04.2021 (prot.reg. n. 182866), addressed to the regional health authorities, the Region stated that it had promptly initiated "the procedure governed by the d.l. n 44/2021 by transmitting to the territorially competent companies the lists of healthcare professionals/healthcare operators residing there who have not been vaccinated as of 04/05/2021" specifying that "similarly to the procedures already followed, these lists will be made available to the Competent Doctor of each Company by accessing a password-protected list”. The same note also asked the Companies to provide the contact details of each Service of the Company Doctor/Preventive Medicine Service and a model invitation to vaccination was sent, with the request for a speedy transmission to the personnel concerned.

2. The preliminary investigation.

In response to the Office's requests for information, the Veneto Region with a note dated 17 August 21 and with a supplementary note dated 3 November 2021 stated that:

"Limited to the workers of the Regional Health Service Companies, in absolute good faith and trying to pursue at the same time the objective of protecting public health, maintaining safety conditions in the provision of treatment and assistance services and protecting the right to the confidentiality of the personal data of the subjects concerned, a parallel initiative has been launched, and in no way a substitute for the ordinary one (governed by Legislative Decree No. 44/2021), aimed exclusively at reinforcing the invitation to vaccinate subjects employed in each Company of the Regional Health Service" (note 17 August 2021, cit.);

“the lists of subjects found not vaccinated following the verification carried out pursuant to the aforementioned art. 4, paragraph 4, have been transmitted to the individual companies to which they belong, not to the Employer, but to the figure expressly responsible for dealing with the health aspects of the workers, to be identified in the Competent Doctor" (note 17 August 2021, cit.) ;

"the indications disseminated at the regional level, with the aim of promoting the homogeneity of the decisions taken by the individual companies of the Regional Health Service, envisaged that the Company Doctor should possibly transmit information about the vaccination status of the workers contained in the health and risk records established for each worker not to the respective Employer, but to the reference Local Health Authority, i.e. to the subject already entitled to receive such information, also pursuant to Legislative Decree 44/2021” (note 17 August 2021, cit.);

“The D.L. no. 44 [...] was published in the Official Gazette and entered into force on the same date. This rule and, in particular, the provisions of art. 4 of the same, have led to the involvement of numerous actors (region, public healthcare companies, private healthcare facilities, professional orders) dutifully called to interact in a very pressing and innovative procedural sequence. This in full emergency context, close to the Easter holidays, in the absence of unambiguous application provisions and in a very difficult and intense historical moment for all institutions ";

in this framework "the Region [...] has acted with every possible promptness in the awareness of the priority of health care. This at a time when the same was already subject, by other control bodies, to heavy investigations into the actual timeliness and effectiveness of the action to guarantee the protection of the population and health workers from the spread of the infection; the region was also exposed on several fronts to social alarm deriving, on the one hand, from the attention of the media on the daily data referring to the number of infections and deaths caused by Covid 19 also among health workers and, on the other hand, from multiple sources of dispute on the mandatory nature of vaccines”;

“article 4 of the D.L. 44/2021 was the subject of subsequent additions [...which led to] uncertainty of the reference regulatory framework, [such as] the circular of the Ministry of Health (of 08.04.2021, prot. 10035309), concerning the "Certifications of exemption from anti-COVID-19 vaccination", the effectiveness of which was then extended to 11.30.2021 by the subsequent circular dated 09/25/2021 (prot. n.43366) and the modification introduced by art. 2 of the Legislative Decree 10 September 2021 no. 122 which extended the vaccination obligation also to all workers employed in residential, social welfare and social-health facilities”;

"the purpose of the regional indications in the matter in question was to immediately implement [these rules] and to promote uniformity in the procedures to be followed [...] in the wake of the broader role of this administration required to guarantee the homogeneity of the levels assistance essentials (LEA) throughout the regional territory”;

"the regional indications contained general guidelines with a collaborative contribution aimed at standardizing as far as possible the planning of the requested activities and proved to be a useful tool for facilitating the AULSS in the fulfillments to which they were required, even if they were not cogent or binding [...]"; "in fact, the Aulss have autonomously examined and interpreted the regional indications regarding their feasibility and concrete adaptability to the organization of the individual company realities, each according to its own orientation";

“The active role of the competent doctor in the vaccination of subjects at risk for occupational exposure is described not only in Legislative Decree 81/2008 (art. 279), but also in the "National Vaccination Prevention Plan 2017-2019 (PNPV) ", approved in the State-Regions Conference on 01.19.2017 and extended to 12.31.2021 in consideration of the exceptional conditions caused by the COVID-19 pandemic; With particular reference to the anti-COVID 19 vaccination campaign, the active role of the competent doctor is expressly provided for in the "Interim recommendations on the target groups of anti-SARS-CoV-2/COVID-19 vaccination" referred to in the decree of the Minister of Health of 03.12.2021 and the subsequent document containing "Interim indications for antiSARS-CoV-2/COVID-19 vaccination in the workplace", approved by the Ministry of Health, Ministry of Labor and Social Policies, Support Structure for activities of the Extraordinary Commissioner for the COVID-19 emergency and for the execution of the national vaccination campaign, INAIL and the Conference of Regions and Autonomous Provinces";

for these reasons it was "therefore considered to identify in the figure of the competent doctor the subject already in charge of managing the health aspects of the workers, precisely as the main element of guarantee and protection of the security of the personal data of the health workers employed by the Aulss within one's working environment”;

"this role was deemed compliant with the skills and responsibilities that the law for the protection of workers' health and safety (Legislative Decree no. 81/2008) assigns to the company doctor in the field of prevention of occupational risks, including contagion from biological agents (including SARS-CoV-2), also in compliance with the Document of 13 May 2021 "Data protection - the role of the competent doctor in matters of safety in the workplace, also with reference to the emergency context [ 9585300] "of the GPDP”;

with the note in question, the Region "also gave indications regarding the involvement of the figure of the competent doctor exclusively for the companies of the Veneto Regional Health Service, in the dual role deriving from the provisions of Legislative Decree 44/21 of competent ascertaining companies for the residence of health workers and of companies required to suspend unvaccinated health workers sine titulo as employers "communicating "that the lists of unvaccinated health workers employed by each Health Company would be made available to the respective competent doctors through access to a password-protected list for the sole purpose of accelerating the obligations already under their responsibility in the light of current legislation (in fact, it should not be forgotten that these data were already known to the competent doctor, by virtue of the article 279 of Legislative Decree 81/2008)”;

"the link for access to the list of employees of each Healthcare Company was sent to the institutional e-mail address of each company doctor (not to generic service addresses, but to the named address of each company doctor as provided by each Health Authority). The password for access to this list was not transmitted at the same time as the link provided for access but was communicated through a separate channel. This in order to avoid any possible risk of data breach, starting from the abstract definition of the processing procedure [...] In this regard, it should in fact be specified that only the following data have been made available: tax code - surname - name - date of birth - gender and not data relating to health, as can be seen from the facsimile sent to the competent doctors”;

"Vaccination is a health care service, however having or not been subjected to it without any other additional contextual information does not seem to be considered in itself a datum relating to the health of the person concerned";

in any case "in the light of these results and the reflections suggested by the requests [of the Guarantor], the region has sent a communication to all the AULSSs of the Veneto (prot. n. 360812 of 08.12.21, attached sub 2) in order to prudently relieve the competent doctor - in the case he has actually adhered to the indication - from supervising this activity given that the regional indication was to be interpreted as a garrison aimed at propitiating adherence to vaccination";

“The intent of the regional initiatives mentioned was, therefore, to promote the activity of "good-natured conviction" of health workers (not yet vaccinated) to adhere to the obligation referred to in Legislative Decree no. 44/2021 (fulfillments related to vaccination hesitancy), thus reinforcing the invitation to vaccinate only workers in service at the Health Trusts of the Veneto Regional Health Service [...and] to avert the risk that the "non-compliance" with the aforementioned obligation and the consequent suspension of "non-adhering" healthcare personnel, would lead to a serious shortage of personnel for some hospital departments or services, with disservices to the detriment of the levels of assistance for users/citizens and an aggravation of workloads for healthcare personnel "adherent"”;

"the transmission by the Veneto region of the lists of health workers in service at the Health Trusts of the Regional Health Service to the competent doctors only took place to fulfill a task specific to the region, carried out in the public interest and for the exercise of public powers attributed to it, as described above, with the technical guarantees deemed necessary and adequate to protect the security of personal data and avoid data breaches".

With a note dated 13 January 2022, the Office, based on the elements acquired, notified the Region, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, inviting the aforementioned data controller to produce defense writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of the law n. 689 of 24 November 1981).

With the note mentioned above, the Office noted that the systematic and generalized making available to the competent doctors operating at the regional health agencies of the lists of all health personnel who at the material time were not vaccinated, gave rise to a "communication" of personal data not required by law - neither by the sector law relating to vaccination checks as a professional requirement (Article 4 of Legislative Decree No. 44/2021), nor by that relating to safety in the workplace (Legislative Decree s n. 81/2008) -  and therefore in the absence of a suitable legal basis, in violation of articles 5, par. 1, lit. a), 6 and 9 of the Regulation and of the articles 2-ter and 2 sexies of the Code, in the text prior to the amendments referred to in Legislative Decree n.139/2021.

With a note dated 18 February 2022, the Region sent its defense briefs, specifying, among other things, that:

"the conduct was consummated in a single communication never repeated [...and] was sent to the competent doctors of the public companies of the Regional Health System (SSR) for the mere information of data, knowable to them if not already known, referring only to professionals and health workers who collaborate with the same public health authorities in which the competent doctor worked";

"the sending was carried out in such a way as to make the transmission "secure": the list of employees of the public health company pertaining to each competent doctor was sent to the individual e-mail box of each doctor as provided by the companies -not to that of the protocol or the structure of the competent doctor- and the access password was transmitted with a separate channel”;

“the potential usability of the transmitted data was immediately interrupted after the Authority's request for clarification, as confirmed by the note dated 27 July 2021 signed by the Director of the Health and Social Area prot. 334644 and with communication dated 12 August 2021 prot. 360812”;

"the assumption of the involvement of the competent doctor of the Companies and Entities of the Regional Health Service was not, in the intentions pursued by the Region, referred to the procedure for ascertaining the violation of the obligation pursuant to art. 4 paragraph 5 DL 44/2021, but wanted for the participation of the competent doctor in the vaccination procedure. In particular, aimed at promoting vaccination among all professionals and health workers for whom art. 4, paragraph I, of Legislative Decree 44/2021 had introduced the vaccination obligation”;

"the initiative [...was] implemented in a period of maximum excitement due to the need to give immediate responses to the pressing requests of the authorities and users, to safeguard the health and life of people above all in places of care and assistance ; this at a time when there were not yet clear indications from the government and central state authorities regarding the methods of processing and communicating data between subjects operating in the health sector during the emergency caused by the spread of COVID-19”;

"the situation also in the Veneto Region, in April 2021, was very complex and highly problematic: the total number of health workers who were not vaccinated (both in the public and private sector) in the Region (after crossing the data based on paragraph 4 of Article 4 of Legislative Decree 44/2021 and whose names were sent to the competent ULSS) was 61,443 units (doc.2 and 2bis). In particular, among these, the number of health workers operating only in the companies and bodies of the Regional Health Service who were not vaccinated as of 1.4.2021 was 12,580 (doc.2)";

"And, therefore, it immediately appeared necessary for the Region to work to fully implement, also from the point of view of the vaccination of the health professionals of interest here, the National Strategic Plan of vaccines for the prevention of SARS-CoV-2 infections (at the time in the version of 12.12.2020) adopted with Ordinance of 2 January 2021 of the Ministry of Health (doc. 3), subsequently integrated with the "Interim recommendations on target groups of anti SARS-CoV-2 / COVID-19 vaccination, adopted with Decree of 12 March 2021 of the Minister of Health”;

"This is highlighted to underline how the Veneto Region has always operated in good faith, in a situation of very serious health emergency for the full performance of the tasks assigned to it and always with the utmost attention to data protection as provided for in the Regulation (EU) 2016/679 and in the Code as amended by Legislative Decree 101/2018";

"The first concern of the Veneto Region was to significantly promote vaccination (paragraph 1 art. 4 DL 44/2021) among the health professionals of its structures [... to] ensure the presence of health workers in public structures already in trouble due to the numbers of infections and hospitalizations [...and] limit the number of checks that the local health authorities should have started with the procedure of paragraphs 5 and 6 of art. 4 [...the] Local Health Authorities of residence of the healthcare professionals, understood as Healthcare Authorities, should have sent over 60,000 communications to the operators, carried out 60,000 checks on the relevance of the data that the interested parties would have sent to request exemption or to justify lack of vaccination. Such a workload could not be tolerated by the regional system which has, it should be said, suffered greatly, despite all the support actions put in place by the Region”;

"in this context of dramatic complexity that the communication that the Guarantor censures must be placed (note prot. Reg. n. 182866 of 4.21.2021, taken up by the subsequent note prot. Reg. 238822 of 5.25.2021): these notes, certainly not entirely clear in their wording, they had, in the Region's intentions, the sole purpose of stimulating, also through competent doctors, healthcare operators to vaccinate, seen at that time as the only way out not only for the healthcare system, but also for the protection of the individual, of patients and of all users in contact with the health system”;

“the competent doctor, therefore, in the intentions of the Veneto Region should not have been involved in the procedure relating to the verification of the violation of the vaccination obligations envisaged by art. 4 co 5 and 6 d.l. no. 44/2021, as, however, in the vaccination procedure whose organization was, by law, in the hands of the Region";

"the Region carries out functions of planning, guidance, control, as well as coordination towards the Health Authorities and, for this specific purpose of which it is responsible, has taken initiatives in the planning of actions aimed at combating the pandemic and, more specifically, in the management of the general vaccination plan and in the process of implementing the mandatory vaccination plan for professionals and health and social health workers of the Regional Health Service";

“Precisely in the ownership of this treatment and, with the tasks of coordination, programming, direction of its competence, the Veneto Region, taking as reference the "National strategic plan of vaccines for the prevention of SARS-CoV-2 infections" of 12.12 .2020 (see doc. 3), had approved the "Lines of action for the preparation of the Regional Anti-Covid Vaccine Plan" (decree 140 of 17.12.2020, doc. 11). And, on 12.22.2020, with DGR 1801, it had approved the "Guidelines for the organization of the anti COVID-19 Vaccination Plan" (doc. 12); all provisions that immediately involved the competent doctor in the processes of implementation of the vaccination plans [...] also in the "Interim indications for anti-SARS-C0V-2 / COVID-19 vaccination in the workplace (April 8, 2021 , Doc. 13), that the "vaccination" (even if entrusted to the competent doctor where present/available or to other health professionals affiliated with the Employer) represents a public health initiative, aimed at protecting the health of the community and not strictly pertains to prevention in the workplace" whose coordination was in the hands of the Region (and the "single system" coordinated by it)".

“In the regional decree approving the "Action lines for the preparation of the Regional Anti-Covid Vaccine Plan" on page 1 of the annex, in point 3, the competent doctor is included in the coordination for vaccination (doc. I l). With the subsequent resolution (doc. 12), the Region, in specifying that the 'coordination of activities at the territorial level (programming, distribution, administration and tracking, staff training, active call) relating to the vaccination campaign against SARS-CoV-2 are entrusted to the Hygiene and Public Health Services of the Prevention Departments" (doc. 12, p.3) underlines the need for the "involvement of various professional figures, including those not normally involved in vaccination activity" including competent doctors (doc. 12 p. 6) and therefore involved the competent doctor fully in the anti-COVID19 vaccination plan of employees of healthcare companies";

"To carry out the vaccination campaign against COVID-19 in the shortest possible time, the Region has therefore also involved (and not only) the Competent Physicians of Essential Public Services in the vaccination process "in synergy with the Hygiene and Health Services Public of the Prevention Departments in the role of coordination"";

"the competent doctor could fully enter the vaccination process: this figure, in fact, by training and structure could guarantee the correct performance of health operations and also the confidentiality of information known within the workplace, as also subsequently indicated by the Authority in the document of 13 May 2021 "Data protection the role of the competent doctor in matters of safety in the workplace" (web doc 9585300)”;

"For carrying out the anti SARS-CoV-2 vaccination, in fact, the competent doctor has received specific indications from the mandatory training course to participate in the anti-COVID-19 vaccination process" and from this we can deduce "an organizational functionality of the competent doctor for the vaccination process (understood as a public health initiative, aimed at protecting the health of the community) [...in this case ] as an "authorized" subject (because in almost all companies the competent doctor is also an employee) or "designated" by the Region, as recipient of specific functions for the vaccination process determined by the Veneto Region”[…] also pursuant to art. 2 quaterdecies of Legislative Decree 101/2018 by the Region […] designation [which…] (in the emergency period) [could be] conferred orally as indicated in paragraph 4 of art. 17 bis of Legislative Decree 18/2020 (art. 17 bis paragraph 4 of Legislative Decree 18/2020"; therefore this provision to authorized/designated subjects does not constitute a communication and is therefore not illegal, given that the data have been made available disposition to the competent vaccinating doctors of the health authorities, within the SSR in which the Veneto Region exercises a planning and governance function”;

in fact "the Region, for the transmission of data of the unvaccinated to its designated for the purpose of treating the vaccination, has not followed the ordinary channels of communication with the competent doctor for the purposes of Legislative Decree 81/08, but has expressly asked (see note 21.4.2021, doc. 4) to the directors of the public companies where the vaccinations were carried out, to indicate the specific e-mail address of each competent doctor for making these lists available for this specific purpose (thus avoiding the email of the protocol or the one assigned to the competent doctor's office";

“the public interest is identified by the combined provisions of art. 9 paragraph 1, letter g) of the Regulation, and of Article 2 sexies paragraph 2, letter u) of the Code ("duties of the national health service and of subjects operating in the health sector, as well as 'duties of hygiene and safety in the workplace and safety and health of the population, civil protection, protection of life and physical safety”);

“therefore it was not a question of a systematic and generalized making available of the lists of all healthcare personnel but of a single making available to authorized subjects. because they are involved in the vaccination process of the health workers working in the health company to which they belong";
During the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on 29 April 2022, the Region declared, in particular, that:

"the communication of the personal data subject to the complaint was also made to the competent doctors of the health authorities in the context of the well-known emergency context linked to the SARS-CoV-2 pandemic, as the Region had to make very delicate assessments and choices, in a very short time restricted, trying to reconcile the different interests at stake and safeguard public health”;

"In this difficult context, characterized moreover by a high regulatory complexity and the absence of a uniform implementation framework, the institutional subjects involved were exposed to the risk of committing errors";

“The local health authorities had to follow around 60,000 procedures to ascertain the fulfillment of the vaccination obligations by the health personnel. Therefore, the Directorate General has tried to urge professionals to get vaccinated, in order to reduce the amount of work incumbent on the offices of the local health authorities in relation to cases of failure to fulfill the obligation, allowing them to be able to devote themselves to the care of patients”;

“In particular, the Region has decided to involve, among others, also competent doctors, as vaccinators in the Veneto Region, as the most suitable professionals, by professionalism and habit to process health data, to achieve the goal of increasing the vaccination rate among doctors and all health professionals involved”;

“It was, therefore, a preventive action aimed at encouraging doctors and health workers to get vaccinated, which falls within the competence of the Region. It was therefore not the intention of the Region to involve the competent doctors in the procedures referred to in Legislative Decree 44/2021 for the purposes of ascertaining the vaccination obligation. Instead, the Region has involved the competent doctors, as subjects of crucial importance for the success of the vaccination campaign, only to have their support in an attempt to convince doctors and health professionals who are reluctant to carry out the SARS-CoV vaccination -2, leaving intact all the responsibilities of the local health authorities regarding the obligations and procedures governed by the aforementioned Legislative Decree 44/2021. These companies have, in fact, independently initiated the proceedings for which they are responsible, as required by law”;

“The Region considered that the competent doctors constituted an important resource for the success of the vaccination campaign and that they were in an ideal position to approach the interested parties and explain to them the reasons why vaccination was necessary and appropriate for safeguard individual and public health”;

"The communication to the competent doctors has in any case taken place by adopting suitable security guarantees to protect personal data (password communicated with a separate channel) and no other person has become aware of the data";

"Based on the awareness acquired with respect to the facts in question and having taken note of the disputes object of the procedure initiated by the Guarantor, the Region has taken initiatives to try, in the future, to ensure compliance with data protection legislation as far as possible even in emergencies (preliminary and training activities by the Data Protection Officer of the Region)".

With a subsequent explanatory note dated 13 May 2022, the Region provided further elements of clarification, stating that:

- "The communication of the personal data subject to the complaint was also made to the competent doctors of the healthcare companies involved in the national and regional vaccination plan, in the context of the well-known emergency context linked to the SRAS-Cov-2 pandemic, since the Region had to make very delicate assessments and choices, in a very short time, trying to reconcile the various interests at stake and safeguard public health. In this difficult context, characterized moreover by a high regulatory complexity and by the absence of a uniform regulatory framework, the institutional subjects involved were exposed to the risk of committing errors”;

- "In particular, the Region has decided to involve, among others, also the competent doctors, as vaccinators in the ULSS companies of the Veneto Region, as the most suitable professionals, for professionalism and habit to process health data, to achieve the goal of increasing the vaccination rate among doctors and all health professionals involved".

3. Outcome of the preliminary investigation. The applicable legislation.

For the purposes of compliance with the legislation on the protection of personal data, it is, first of all, important to precisely identify the subjects who, for various reasons, can process personal data and clearly define their respective attributions, in particular that of owner and manager of the treatment and of the subjects who operate under the direct responsibility of these as authorized (Article 4, paragraph 1, point 7 of the Regulation and Articles 28 and 29 of the Code).

In the system of the Regulations, the owner is the subject responsible for the decisions regarding the purposes and methods of processing the personal data of the interested parties as well as a "general responsibility" (accountability; art. 5, paragraph 2 and 24 of the Regulation) on treatments put in place, even when these are carried out by other subjects "on their behalf", on the basis of a contract or other legal act stipulated in writing which constitutes the documented instruction by the owner also for the purpose of determining the scope of the respective responsibilities (cons. 81, articles 4, point 8) and 28 of the Regulation).

In this context, the owner is therefore the subject who, in the light of the concrete context in which data processing takes place, takes the basic decisions relating to the purposes and methods of processing on the basis of one or more conditions of lawfulness (articles 6 and 9 of the Regulation) and in compliance with data protection principles (art. 5 of the Regulation) making use of "authorised" and "instructed" personnel regarding access and data processing (articles 4, point 10 ), 29, and 32, par. 4, of the Regulation).

Public subjects may process personal data, also relating to particular categories of data (see Article 9, paragraph 1 of the Regulation), if the processing is necessary "to fulfill a legal obligation to which the data controller is subject" or " for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" (art. 6, paragraph 1, letters c) and e), as well as art. 9, par.2, lett. g) of the Regulation and 2-ter and 2-sexies of Legislative Decree no. 196 of 30 June 2003 - Code regarding the protection of personal data, hereinafter, the "Code").

The operation of communication of personal data to third parties, by public entities, is permitted only when required by a law or, in the cases provided for by law, by regulation (see art. 6, paragraph 2, of the Regulation and Article 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021, applicable to the present case).

3.1. The communication of personal data of unvaccinated health workers

As a preliminary point, it is necessary to take into account the particular context that forms the backdrop to the facts in question following the provision of the anti-SARS-CoV-2 vaccination as an "essential requirement for the exercise of the profession and for the performance of work" for operators the health professions and operators of health interest pursuant to art. 4 of the legislative decree 1 April 2021, no. 44 (converted into law n. 76 of 28 May 2021 - Urgent measures for the containment of the COVID-19 epidemic, regarding anti SARS-CoV-2 vaccinations, justice and public tenders) in order to protect health public and maintain adequate safety conditions in the workplace and in the provision of care and assistance services (requirement later extended until 31 December 2022, see art. 4 of Legislative Decree 44/2021, as amended by art. 8 paragraph 2 of Legislative Decree March 24, 2022, n. 24).

With regard to the possibility of introducing the anti SARS-CoV-2 vaccination, as a requirement for the performance of particular professions or tasks, with particular regard to exposure to a greater risk of contagion in the healthcare context, the Guarantor himself had deemed it necessary, in perspective of legal certainty and the principle of non-discrimination, that the matter should be subject to uniform regulation with national law, in compliance with the principle of proportionality (Article 6, paragraph 3, letter b), of the Regulation) and of the principle of reasonableness (Article 3 of the Constitution), taking into account the specific health and epidemiological situation in progress and scientific evidence (see FAQ No. 3 on the subject of "Processing of data relating to anti-Covid-19 vaccination in the workplace " www.gpdp.it - web doc. n. 9543615).

The legislator has therefore introduced a complex system for verifying the professional requirement for these categories of workers - subsequently reformed by art. 1, paragraph 1, lett. b), of Legislative Decree 26 November 2021, no. 172 -, which involves various institutional subjects, and provides for data flows between them (employers, regions, healthcare companies, professional orders), as well as the consequences, also in terms of suspension from the exercise of the profession and from any relationship of work, for the worker without the aforementioned requirement.

The processing of personal data necessary for the verification of the aforementioned professional requirement, therefore, must be carried out in strict compliance with the limits and conditions set by this reference legislative framework which constitutes its legal basis and perimeters, uniformly at national level, the scope of processing permitted to each of the aforementioned subjects (articles 5 and 6, paragraph 2, letter b) and g), of the Regulation and art. 2-sexies of the Code; as highlighted in numerous provisions of the Guarantor in the emergency period and, in particular in the opinions given on the subsequent implementing provisions of the aforementioned framework see, among many, provision 13 December 2021, no. 430, doc. web no. 9727220).

In particular, the aforementioned art. 4, in the text prior to the amendments of the d. L. 26 November 2021, no. 172, applicable to the present case, provided for the transmission by each professional Order of the list of members - with the indication of the respective place of residence - to the region or autonomous province of their respective competence, for the purpose of verification "for through the vaccination information services” of the vaccination status of each subject included in the list. Likewise the art. 4 established that each employer should send the list of its employees with the qualification of healthcare operator, with the indication of the place of residence, to the region and the autonomous province of their respective competence. Subsequently, the region or province, in compliance with the provisions on the protection of personal data, immediately reported to the local health authority of residence the names of the subjects who were not vaccinated. At this point, the local health authority of residence, following punctual checks and only with regard to the interested parties in respect of whom the absence of the aforementioned professional requirement had been concretely ascertained, immediately notified the interested party, the employer and to the professional order to which he belongs, determining, with the adoption of the assessment deed, the suspension from the work activity of the interested party. Finally, the professional association to which he belongs immediately communicated the suspension also to the employer (see art. 4, paragraphs 5 and 6).

Therefore, it was established that each autonomous region or province, through the vaccination information services, should verify the vaccination status of each of the interested parties (on the basis of names transmitted respectively by the territorially competent professional orders and by any employers) and - in cases where which "the vaccination was not carried out or the presentation of the vaccination request" - reported "the names of the subjects who have not been vaccinated to the local health authority of residence" for the start of the specific contradictory procedure with the interested party ( see, art. 4 of decree law no. 44/2021 in the text prior to the changes made with decree law no. 172/2021, applicable to the present case).

At the time, this regulatory framework did not provide for the treatments in question to which they refer, nor does it provide today, following the changes made with the d.l. no. 172/2021 and of the legislative decree no. 24/2022, that the data processing of healthcare personnel, for the purpose of ascertaining the existence of the aforementioned vaccination requirement, should also be carried out by the competent doctor, leaving this task exclusively to the territorially competent Healthcare Authority.

First of all, it should be pointed out that, based on the provisions contained in the Regulation, any organizational choice by the individual Company or Region, data controllers, to delegate their own tasks to a different subject (in this case to the competent doctor), would have required, on the basis of the personal data protection regulations, that the relative relationship (of designation as data controller) was governed by a contract or other legal act pursuant to art. 28 of the Regulation (see also recital 81 and art. 4, point 8 of the Regulation). In the present case, therefore, it is established that the Region has sent the lists of health workers who were not vaccinated (reporting the following data for each interested party: tax code - surname - name - date of birth - gender), not only to companies territorially competent health authorities for the initiation of the respective procedures for ascertaining the existence of the requirement, as expressly provided for by the aforementioned sector provision, but also to the competent doctors operating at the same (who acted as independent data controllers with respect to the Region).

The Region illustrated the specific assessments carried out in the delicate reference period - in the face of a recently adopted regulatory framework and in the absence of specific implementing provisions - regarding the involvement of the figure of the competent doctor, considered useful for speeding up the vaccination process and "as the main element of guarantee and protection of the personal data security of healthcare workers employed by the Aulss within their working environment", on the assumption of compliance of the treatments carried out with the sector regulations on workers' health and workplace safety (Legislative Decree no. 81/2008).

In this regard, it is noted that, albeit with reference to a different working context, the Guarantor has highlighted that the purpose of ascertaining the requirements for accessing and carrying out certain professions envisaged by specific sector provisions must in any case be kept distinct from the different and more general (albeit connected) purpose of protecting health and safety in the workplace (see, on this point, provision of 27 April 2016, web doc. n. 5149198, in relation to the processing of health data of seafarers by the competent doctor of the air carrier).

In pursuing the purpose of protection and safety in the workplace, the competent doctor operates on the basis of the specific regulatory framework of the sector as an independent data controller and even in the emergency period, does not process the data on behalf of or on the basis of the instructions and indications of other subjects (public bodies, health authorities, employers), but in his capacity as data controller (on this point (cf., policy document "The role of the "competent doctor" in matters of safety in the workplace, also with reference to the emergency context", web doc. n. 9585367 and provision of 22 July 2021, web doc. n.9683814).

In this context, the purposes and operations of the treatment that must be implemented by the competent doctor are determined exclusively by law.

Although therefore, as clarified on several occasions by the Guarantor, the competent doctor in the context of carrying out his duties in the matter can legitimately become aware of information and personal data also relating to the successful or unsuccessful vaccination of employees (art. 9, par. 2, letter h), and 3 of the Regulation; see also art. 2-sexies, paragraph 2, lett. u), of the Code), this must in any case take place within the limits and under the conditions established by law, in particular in the context of carrying out one's health surveillance duties (Articles 41, paragraphs 2 and 4 and 279 of Legislative Decree 81/ 2008; see, in particular, FAQ on "Processing of data relating to the anti Covid-19 vaccination in the workplace" www.gpdp.it - web doc. n. 9543615; see, policy document "The role of "competent doctor" in matters of safety in the workplace, also with reference to the emergency context", web doc. n. 9585367, cit. ; provision of 22 July 2021, web doc. n.9683814.cit.).

Contrary to what was declared by the Region, the legitimacy of the communication in favor of the competent doctor cannot therefore lie in the fact that the personal data were "knowable if not already known" for another purpose (and "referring only to professionals and operators collaborators of the same public health agencies in which the competent doctor worked"), finding this eventual knowability a basis in the performance of the tasks that the law (and not regional indications and circulars) assigns to him exclusively for the aforementioned purpose of safety of the places of work. In this regard, moreover, the Region itself, which in any case did not act as employer of the interested parties, finally highlighted that "for the transmission of data of the unvaccinated [...] it did not follow the ordinary communication channels with the competent doctor for the purposes of Legislative Decree 81/08”, confirming the non-involvement of the treatment put in place with respect to the aforementioned regulatory framework for the protection of occupational health and safety.

In the defense briefs and during the hearing, the Region intended to further clarify  that the aforementioned regional note containing the indications for the healthcare companies was not intended to involve the competent doctor in the procedure for verifying the professional requisites of the interested parties, since it remained so task exclusively to the territorially competent Health Authorities, but that, instead, the aforementioned transmission of data was justified by the "involvement of the competent doctor in the vaccination procedure whose organization was, by law, in the hands of the Region".

In this regard, it should be noted that the lists of personal data transmitted by the Region referred to personnel who, from the consultation of the vaccination register carried out at the time, did not appear to have joined the vaccination campaign. This audience of subjects could therefore certainly still be the subject of an awareness campaign, but it did not coincide with the audience of recipients of the provision of the health service in the process of administering the vaccination. Both, due to the distinction, on a chronological and functional level, of the phase of promotion and awareness of the interested parties - by definition prior to any participation in the vaccination campaign - from that relating to the actual vaccination process which, instead, presupposes the participation of the concerned, and consists in the actual administration of the vaccine doses.

In this phase, the possible involvement of the competent doctor as a vaccinating health professional would have taken place, not already in the context of the performance by the same of the coroner's activity and of the tasks typically performed by the latter in matters of safety and health of the workplaces, but as an authorized operator (vaccinator) in the performance of health and preventive medicine activities, i.e. the provision of health services (also in the wake of the indications of the Ministry of Health referred to by the Region during the preliminary investigation) .

Therefore, what was declared by the Region in order to justify the aforementioned communication of the lists of unvaccinated health workers to the competent doctors of the relative regional health structures to which they belong cannot be considered acceptable, on the mere assumption that "the competent doctor could fully enter the path of vaccination: this figure, in fact, by training and structure could guarantee the correct performance of health operations and also the confidentiality of the information known within the work environment" and that the transmission would have given rise to a making available to subjects authorised.

In this regard, it should be remembered that, even in the exceptional emergency context, the Guarantor has always drawn the attention of the data controllers to operate within the scope and within the limits established by the applicable legislation, which constitutes the legal basis for the related processing of personal data ( articles 5, 6, 9 of the Regulation), this also with regard to each of the institutional subjects involved in the implementation and management of the vaccination plan, avoiding the implementation of initiatives not provided for by the law or the confusion of the respective roles which, in some circumstances, can lead to illicit data communications and, sometimes, possible harmful effects for the interested parties, especially in particularly delicate contexts such as work and professional.

Finally, neither can what is represented in relation to the technical measures adopted in order to put in place "safe transmission methods" of the data, for the purpose of excluding the responsibility of the Region in the case in question, be considered sufficient. While acknowledging the attention shown in terms of processing security, it is underlined that the solution adopted nonetheless responds to a "planning" choice of the owner who, when determining the means of processing, adopts the technical and organizational measures appropriate to the risk also in implementation of the principle of minimization of the data being processed (see articles 5, paragraph 1, letter c), 24 and 25 of the Regulation), remaining however, in any case, necessary the preliminary verification regarding the occurrence of the conditions of lawfulness of the processing which, in the present case, was not found.

In any case, it represents the need to speed up the process of vaccinating health professionals in the regional territory - also given the high rate of health workers who were not vaccinated at the time - and to raise the awareness of health personnel working in the region, even though they are among the guidance and coordination tasks that the sector regulatory framework assigns to the regions, was the basis for the launch of a procedure parallel to that provided for by law and which does not find legitimacy in the current regulatory framework.

These needs - also with a view to reducing and streamlining the administrative procedures of the competent offices of the healthcare companies as assessment bodies - could, however, also have been pursued through information campaigns and staff awareness at the individual healthcare companies, if of the case with the help of the competent doctors, without however resorting to the communication of personal data, not provided for by law, made by the Region in favor of the competent doctors through the successful transmission of the lists of health professionals for whom it did not appear that the vaccination.

We also take note of what was declared by the Region, regarding the non-binding nature of the general indications contained in the aforementioned regional note, although adopted with the intention of guaranteeing the immediate and uniform application on the regional territory of the rules that had introduced the vaccination requirement , which is why, as confirmed by the outcome of the investigations launched in parallel against some healthcare companies, they have not in any case followed up on the indications received from the Region, nor have any personal data been processed in any other way that does not comply with the current regulatory framework.

Given the above, what was represented during the preliminary investigation cannot be considered sufficient to exclude the responsibility of the Region in the case in question and therefore it is believed that the systematic and generalized making available to the competent doctors operating at the regional health authorities of the lists of all healthcare personnel who at the time of the events were not vaccinated, although they did not concern data relating to health (the reason for which the relative dispute profile is filed), still gave rise to a communication of personal data not required by law , in violation of articles 5, par. 1, lit. a) and 6, of the Regulation and of the articles 2-ter of the Code (in the text prior to the amendments referred to in Legislative Decree No. 139/2021).

4. Conclusions.

In the light of the assessments referred to above, it should be noted that the statements made by the Region in the defense writings - the truthfulness of which may be called upon to answer pursuant to art. 168 of the Code - although worthy of consideration and indicative of the full collaboration of the data controller in order to mitigate the risks of the treatment, with respect to the situation present at the time of the start of the investigation, do not allow the findings notified by the Office to be overcome with the deed of initiation of the proceeding and are therefore insufficient to allow the filing of the present proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019.

The preliminary assessments of the Office are therefore confirmed and the illegality of the processing of personal data carried out by the Region in the absence of an appropriate legal basis, in violation of articles 5 and 6 of the Regulation and of the art. 2-ter of the Code.

Without prejudice to the provisions of art. 2-decies of the Code regarding the unusability of the personal data to be communicated, except for the provisions of article 160-bis of the Code.

The violation of the aforementioned provisions renders the administrative sanction applicable pursuant to articles 58, par. 2, lit. i), and 83, par. 5, of the Regulation and of the art. 166, paragraph 2, of the Code.

In this context, considering that the conduct has exhausted its effects, the conditions for the adoption of corrective measures, pursuant to art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

In this regard, taking into account the art. 83, par. 3, of the Regulation, in the present case - also considering the reference contained in art. 166, paragraph 2, of the Code – the violation of the aforementioned provisions is subject to the application of the same pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.

For the purposes of applying the sanction, the nature, object and purpose of the treatment were considered as well as the particularly high number of data subjects (the lists transmitted containing the names and other personal data of approximately 12,580 public health professionals who had not been vaccinated at the date of the April 1, 2021).

On the other hand, the delicacy of the emergency context in which the events in question occurred was considered. In particular, the difficulties encountered in the application phase were taken into account as a result of the entry into force of the provisions which had introduced the professional requirement of the anti-Covid vaccination for health professionals through a complex verification system in the absence of implementation provisions at national. The uncertainty of the reference legal framework, according to what was declared, would have led the Organization to take the initiative in question at the regional level, erroneously interpreting the role of the competent doctor for the purposes of data protection and trusting, erroneously, in the legitimacy of data transmission. It was also considered that the Region operated in good faith, for the sole purpose of supporting its health authorities in a particularly complicated moment and in order to raise awareness among those interested in joining the vaccination, in a sector already heavily affected by deaths between health personnel. The Region collaborated during the investigation also in order to reduce the consequences of the data communication, an intervention from the first request for clarification by the Authority to modify the previous operational indications (see regional notes of 27.7. 2021 and of 12.8.2021, in documents). The Region has not received any other complaints or previous provisions pursuant to art. 58 of the Regulation specifically referred to the same object (art. 83, paragraph 2, letter i) of the Regulation) with respect to the conduct in question.

Based on the aforementioned elements, evaluated as a whole, the amount of the pecuniary sanction is determined, in the amount of 100,000.00 (one hundred thousand) euros for the violation of articles 5 and 6 of the Regulation and of the art. 2-ter of the Code, given that, in relation to the specific case, the sanction is effective, proportionate and dissuasive (Article 83, paragraph 1, of the Regulation).

Taking into account the large number of interested parties involved (medical, nursing and other health sector operators) and their vulnerability in their own working context, and given, more generally, the greater risks of unlawful circulation of personal information in this context for effect of data processing and communication outside the cases provided for by law, with the possible exposure of the interested parties to consequences, on a relational and professional level, other than those already expressly established by the sector regulations, it is also believed that the ancillary sanction should be applied the publication on the Guarantor's website of this provision, provided for by art. 166, paragraph 7, of the Code and by art. 16 of the Regulation of the Guarantor n. 1/2019.

Finally, it is believed that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

notes the unlawfulness of the processing carried out by the Veneto Region, with registered office in Palazzo Balbi - Dorsoduro, 3901,30123 Venice, VAT number: 02392630279, for the violation of articles 5 and 6 of the Regulation as well as art. 2-ter of the Code in the terms referred to in the justification;

ORDER

to the Veneto Region in the person of its pro-tempore legal representative, with registered office in Palazzo Balbi - Dorsoduro, 3901, 30123 Venice, Tax Code 80007580279, pursuant to articles 58, par. 2, lit. i), and 83, par. 5, of the Regulation, to pay the sum of 100,000.00 (one hundred thousand) euros as an administrative fine for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within the term of thirty days, an amount equal to half of the fine imposed;

ENJOYS

the Veneto Region to pay the sum of 100,000.00 (one hundred thousand) euros in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law no. 689/1981;

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code;

the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 6 October 2022

PRESIDENT
station

THE SPEAKER
guille

THE SECRETARY GENERAL
Matthew

[doc. web no. 9830178]

Injunction order against the Veneto Region - 6 October 2022

Register of measures
no. 320 of 6 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ CE, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free movement of such data and which repeals Directive 95/46/EC (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the Guarantor's office for the protection of personal data, doc. web no. 1098801;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. Premise.

On the basis of dozens of complaints and reports from interested parties (mostly medical and nursing personnel employed in health facilities in the Veneto Region) and on the basis of questions formulated by competent doctors working at the regional health authorities - a investigation in order to verify compliance with the regulations on the protection of personal data of certain treatments carried out by the Veneto Region during the procedures aimed at ascertaining the professional requirement of anti SARS-CoV-2 vaccination for healthcare workers (art. 4 of Legislative Decree No. 44 of 1 April 2021 in the text prior to the amendments made by Legislative Decree No. 172 of 26 November 2021).

In particular, with a regional note dated 21.04.2021 (prot.reg. n. 182866), addressed to the regional health authorities, the Region stated that it had promptly initiated "the procedure governed by the d.l. n 44/2021 by transmitting to the territorially competent companies the lists of healthcare professionals/healthcare operators residing there who have not been vaccinated as of 04/05/2021" specifying that "similarly to the procedures already followed, these lists will be made available to the Competent Doctor of each Company by accessing a password-protected list”. The same note also asked the Companies to provide the contact details of each Service of the Company Doctor/Preventive Medicine Service and a model invitation to vaccination was sent, with the request for a speedy transmission to the personnel concerned.

2. The preliminary investigation.

In response to the Office's requests for information, the Veneto Region with a note dated 17 August 21 and with a supplementary note dated 3 November 2021 stated that:

"Limited to the workers of the Regional Health Service Companies, in absolute good faith and trying to pursue at the same time the objective of protecting public health, maintaining safety conditions in the provision of treatment and assistance services and protecting the right to the confidentiality of the personal data of the subjects concerned, a parallel initiative has been launched, and in no way a substitute for the ordinary one (governed by Legislative Decree No. 44/2021), aimed exclusively at reinforcing the invitation to vaccinate subjects employed in each Company of the Regional Health Service" (note 17 August 2021, cit.);

“the lists of subjects found not vaccinated following the verification carried out pursuant to the aforementioned art. 4, paragraph 4, have been transmitted to the individual companies to which they belong, not to the Employer, but to the figure expressly responsible for dealing with the health aspects of the workers, to be identified in the Competent Doctor" (note 17 August 2021, cit.) ;

"the indications disseminated at the regional level, with the aim of promoting the homogeneity of the decisions taken by the individual companies of the Regional Health Service, envisaged that the Company Doctor should possibly transmit information about the vaccination status of the workers contained in the health and risk records established for each worker not to the respective Employer, but to the reference Local Health Authority, i.e. to the subject already entitled to receive such information, also pursuant to Legislative Decree 44/2021” (note 17 August 2021, cit.);

“The D.L. no. 44 [...] was published in the Official Gazette and entered into force on the same date. This rule and, in particular, the provisions of art. 4 of the same, have led to the involvement of numerous actors (region, public healthcare companies, private healthcare facilities, professional orders) dutifully called to interact in a very pressing and innovative procedural sequence. This in full emergency context, close to the Easter holidays, in the absence of unambiguous application provisions and in a very difficult and intense historical moment for all institutions ";

in this framework "the Region [...] has acted with every possible promptness in the awareness of the priority of health care. This at a time when the same was already subject, by other control bodies, to heavy investigations into the actual timeliness and effectiveness of the action to guarantee the protection of the population and health workers from the spread of the infection; the region was also exposed on several fronts to social alarm deriving, on the one hand, from the attention of the media on the daily data referring to the number of infections and deaths caused by Covid 19 also among health workers and, on the other hand, from multiple sources of dispute on the mandatory nature of vaccines”;

“article 4 of the D.L. 44/2021 was the subject of subsequent additions [...which led to] uncertainty of the reference regulatory framework, [such as] the circular of the Ministry of Health (of 08.04.2021, prot. 10035309), concerning the "Certifications of exemption from anti-COVID-19 vaccination", the effectiveness of which was then extended to 11.30.2021 by the subsequent circular dated 09/25/2021 (prot. n.43366) and the modification introduced by art. 2 of the Legislative Decree 10 September 2021 no. 122 which extended the vaccination obligation also to all workers employed in residential, social welfare and social-health facilities”;

"the purpose of the regional indications in the matter in question was to immediately implement [these rules] and to promote uniformity in the procedures to be followed [...] in the wake of the broader role of this administration required to guarantee the homogeneity of the levels assistance essentials (LEA) throughout the regional territory”;

"the regional indications contained general guidelines with a collaborative contribution aimed at standardizing as far as possible the planning of the requested activities and proved to be a useful tool for facilitating the AULSS in the fulfillments to which they were required, even if they were not cogent or binding [...]"; "in fact, the Aulss have autonomously examined and interpreted the regional indications regarding their feasibility and concrete adaptability to the organization of the individual company realities, each according to its own orientation";

“The active role of the competent doctor in the vaccination of subjects at risk for occupational exposure is described not only in Legislative Decree 81/2008 (art. 279), but also in the "National Vaccination Prevention Plan 2017-2019 (PNPV) ", approved in the State-Regions Conference on 01.19.2017 and extended to 12.31.2021 in consideration of the exceptional conditions caused by the COVID-19 pandemic; With particular reference to the anti-COVID 19 vaccination campaign, the active role of the competent doctor is expressly provided for in the "Interim recommendations on the target groups of anti-SARS-CoV-2/COVID-19 vaccination" referred to in the decree of the Minister of Health of 03.12.2021 and the subsequent document containing "Interim indications for antiSARS-CoV-2/COVID-19 vaccination in the workplace", approved by the Ministry of Health, Ministry of Labor and Social Policies, Support Structure for activities of the Extraordinary Commissioner for the COVID-19 emergency and for the execution of the national vaccination campaign, INAIL and the Conference of Regions and Autonomous Provinces";

for these reasons it was "therefore considered to identify in the figure of the competent doctor the subject already in charge of managing the health aspects of the workers, precisely as the main element of guarantee and protection of the security of the personal data of the health workers employed by the Aulss within one's working environment”;

"this role was deemed compliant with the skills and responsibilities that the law for the protection of workers' health and safety (Legislative Decree no. 81/2008) assigns to the company doctor in the field of prevention of occupational risks, including contagion from biological agents (including SARS-CoV-2), also in compliance with the Document of 13 May 2021 "Data protection - the role of the competent doctor in matters of safety in the workplace, also with reference to the emergency context [ 9585300] "of the GPDP”;

with the note in question, the Region "also gave indications regarding the involvement of the figure of the competent doctor exclusively for the companies of the Veneto Regional Health Service, in the dual role deriving from the provisions of Legislative Decree 44/21 of competent ascertaining companies for the residence of health workers and of companies required to suspend unvaccinated health workers sine titulo as employers "communicating "that the lists of unvaccinated health workers employed by each Health Company would be made available to the respective competent doctors through access to a password-protected list for the sole purpose of accelerating the obligations already under their responsibility in the light of current legislation (in fact, it should not be forgotten that these data were already known to the competent doctor, by virtue of the article 279 of Legislative Decree 81/2008)";

"the link for access to the list of employees of each Healthcare Company was sent to the institutional e-mail address of each company doctor (not to generic service addresses, but to the named address of each company doctor as provided by each Health Authority). The password for access to this list was not transmitted at the same time as the link provided for access but was communicated through a separate channel. This in order to avoid any possible risk of data breach, starting from the abstract definition of the processing procedure [...] In this regard it should in fact be specified that only the following data have been made available: tax code - surname - first name - date of birth - gender and not data relating to health, as can be seen from the facsimile sent to the competent doctors”;

"Vaccination is a health care service, however having or not been subjected to it without any other additional contextual information does not seem to be considered in itself a datum relating to the health of the person concerned";

in any case "in the light of these results and the reflections suggested by the requests [of the Guarantor], the region has sent a communication to all the Aulss of the Veneto (prot. no. 360812 of 12.08.21, attached sub 2) in order to prudently relieve the competent doctor - in the case he has actually adhered to the indication - from supervising this activity given that the regional indication was to be interpreted as a garrison aimed at propitiating the adherence to vaccination";

“The intent of the regional initiatives mentioned was, therefore, to promote the activity of "good-natured conviction" of health workers (not yet vaccinated) to adhere to the obligation referred to in Legislative Decree no. 44/2021 (fulfillments related to vaccination hesitancy), thus reinforcing the invitation to vaccinate only workers in service at the Health Trusts of the Veneto Regional Health Service [...and] to avert the risk that the "non-compliance" with the aforementioned obligation and the consequent suspension of "non-adhering" healthcare personnel, would lead to a serious shortage of personnel for some hospital departments or services, with disservices to the detriment of the levels of assistance for users/citizens and an aggravation of workloads for healthcare personnel "adherent"”;

"the transmission by the Veneto region of the lists of health workers in service at the Health Trusts of the Regional Health Service to the competent doctors only took place to fulfill a task specific to the region, carried out in the public interest and for the exercise of public powers attributed to it, as described above, with the technical guarantees deemed necessary and adequate to protect the security of personal data and avoid data breaches".

With a note dated 13 January 2022, the Office, based on the elements acquired, notified the Region, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, inviting the aforementioned data controller to produce defense writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of the law n. 689 of 24 November 1981).

With the note mentioned above, the Office noted that the systematic and generalized making available to the competent doctors operating at the regional health agencies of the lists of all health personnel who at the material time were not vaccinated, gave rise to a "communication" of personal data not required by law - neither by the sector law relating to vaccination checks as a professional requirement (Article 4 of Legislative Decree No. 44/2021), nor by that relating to safety in the workplace (Legislative Decree s n. 81/2008) -  and therefore in the absence of a suitable legal basis, in violation of articles 5, par. 1, lit. a), 6 and 9 of the Regulation and of the articles 2-ter and 2 sexies of the Code, in the text prior to the amendments referred to in Legislative Decree n.139/2021.

With a note dated 18 February 2022, the Region sent its defense briefs, specifying, among other things, that:

"the conduct was consummated in a single communication never repeated [...and] was sent to the competent doctors of the public companies of the Regional Health System (SSR) for the mere information of data, knowable to them if not already known, referring only to professionals and health workers who collaborate with the same public health authorities in which the competent doctor worked";

"the sending was carried out in such a way as to make the transmission "secure": the list of employees of the public health company pertaining to each competent doctor was sent to the individual e-mail box of each doctor as provided by the companies -not to that of the protocol or the structure of the competent doctor- and the access password was transmitted with a separate channel”;

“the potential usability of the transmitted data was immediately interrupted after the Authority's request for clarification, as confirmed by the note dated 27 July 2021 signed by the Director of the Health and Social Area prot. 334644 and with communication dated 12 August 2021 prot. 360812”;

"the assumption of the involvement of the competent doctor of the Companies and Entities of the Regional Health Service was not, in the intentions pursued by the Region, referred to the procedure for ascertaining the violation of the obligation pursuant to art. 4 paragraph 5 DL 44/2021, but wanted for the participation of the competent doctor in the vaccination procedure. In particular, aimed at promoting vaccination among all professionals and health workers for whom art. 4, paragraph I, of Legislative Decree 44/2021 had introduced the vaccination obligation”;

"the initiative [...was] implemented in a period of maximum excitement due to the need to give immediate responses to the pressing requests of the authorities and users, to safeguard the health and life of people above all in places of care and assistance ; this at a time when there were not yet clear indications from the government and central state authorities regarding the methods of processing and communicating data between subjects operating in the health sector during the emergency caused by the spread of COVID-19”;

"the situation also in the Veneto Region, in April 2021, was very complex and highly problematic: the total number of health workers who were not vaccinated (both in the public and private sector) in the Region (after crossing the data based on paragraph 4 of Article 4 of Legislative Decree 44/2021 and whose names were sent to the competent ULSS) was 61,443 units (doc.2 and 2bis). In particular, among these, the number of health workers operating only in the companies and bodies of the Regional Health Service who were not vaccinated as of 1.4.2021 was 12,580 (doc.2)";

"And, therefore, it immediately appeared necessary for the Region to work to fully implement, also from the point of view of the vaccination of the health professionals of interest here, the National Strategic Plan of vaccines for the prevention of SARS-CoV-2 infections (at the time in the version of 12.12.2020) adopted with Ordinance of 2 January 2021 of the Ministry of Health (doc. 3), subsequently integrated with the "Interim recommendations on target groups of anti SARS-CoV-2 / COVID-19 vaccination, adopted with Decree of 12 March 2021 of the Minister of Health”;

"This is highlighted to underline how the Veneto Region has always operated in good faith, in a situation of very serious health emergency for the full performance of the tasks assigned to it and always with the utmost attention to data protection as provided for in the Regulation (EU) 2016/679 and in the Code as amended by Legislative Decree 101/2018";

"The first concern of the Veneto Region was to significantly promote vaccination (paragraph 1 art. 4 DL 44/2021) among the health professionals of its structures [... to] ensure the presence of health workers in public structures already in trouble due to the numbers of infections and hospitalizations [...and] limit the number of checks that the local health authorities should have started with the procedure of paragraphs 5 and 6 of art. 4 [...the] Local Health Authorities of residence of the healthcare professionals, understood as Healthcare Authorities, should have sent over 60,000 communications to the operators, carried out 60,000 checks on the relevance of the data that the interested parties would have sent to request exemption or to justify lack of vaccination. Such a workload could not be tolerated by the regional system which has, it should be said, suffered greatly, despite all the support actions put in place by the Region”;

"in this context of dramatic complexity that the communication that the Guarantor censures must be placed (note prot. Reg. n. 182866 of 4.21.2021, taken up by the subsequent note prot. Reg. 238822 of 5.25.2021): these notes, certainly not entirely clear in their wording, they had, in the Region's intentions, the sole purpose of stimulating, also through competent doctors, healthcare operators to vaccinate, seen at that time as the only way out not only for the healthcare system, but also for the protection of the individual, of patients and of all users in contact with the health system”;

“the competent doctor, therefore, in the intentions of the Veneto Region should not have been involved in the procedure relating to the verification of the violation of the vaccination obligations envisaged by art. 4 co 5 and 6 d.l. no. 44/2021, as, however, in the vaccination procedure whose organization was, by law, in the hands of the Region";

"the Region carries out functions of planning, guidance, control, as well as coordination towards the Health Authorities and, for this specific purpose of which it is responsible, has taken initiatives in the planning of actions aimed at combating the pandemic and, more specifically, in the management of the general vaccination plan and in the process of implementing the mandatory vaccination plan for professionals and health and social health workers of the Regional Health Service";

“Precisely in the ownership of this treatment and, with the tasks of coordination, programming, direction of its competence, the Veneto Region, taking as reference the "National strategic plan of vaccines for the prevention of SARS-CoV-2 infections" of 12.12 .2020 (see doc. 3), had approved the "Lines of action for the preparation of the Regional Anti-Covid Vaccine Plan" (decree 140 of 17.12.2020, doc. 11). And, on 12.22.2020, with DGR 1801, it had approved the "Guidelines for the organization of the anti COVID-19 Vaccination Plan" (doc. 12); all provisions that immediately involved the competent doctor in the processes of implementation of the vaccination plans [...] also in the "Interim indications for anti-SARS-C0V-2 / COVID-19 vaccination in the workplace (April 8, 2021 , Doc. 13), that the "vaccination" (even if entrusted to the competent doctor where present/available or to other health professionals affiliated with the Employer) represents a public health initiative, aimed at protecting the health of the community and not strictly pertains to prevention in the workplace" whose coordination was in the hands of the Region (and the "single system" coordinated by it)".

“In the regional decree approving the "Action lines for the preparation of the Regional Anti-Covid Vaccine Plan" on page 1 of the annex, in point 3, the competent doctor is included in the coordination for vaccination (doc. I l). With the subsequent resolution (doc. 12), the Region, in specifying that the 'coordination of activities at the territorial level (programming, distribution, administration and tracking, staff training, active call) relating to the vaccination campaign against SARS-CoV-2 are entrusted to the Hygiene and Public Health Services of the Prevention Departments" (doc. 12, p.3) underlines the need for the "involvement of various professional figures, including those not normally involved in vaccination activity" including competent doctors (doc. 12 p. 6) and therefore involved the competent doctor fully in the anti-COVID19 vaccination plan of employees of healthcare companies";

"To carry out the vaccination campaign against COVID-19 in the shortest possible time, the Region has therefore also involved (and not only) the Competent Physicians of Essential Public Services in the vaccination process "in synergy with the Hygiene and Health Services Public of the Prevention Departments in the role of coordination"";

"the competent doctor could fully enter the vaccination process: this figure, in fact, by training and structure could guarantee the correct performance of health operations and also the confidentiality of information known within the workplace, as also subsequently indicated by the Authority in the document of 13 May 2021 "Data protection the role of the competent doctor in matters of safety in the workplace" (web doc 9585300)”;

"For carrying out the anti SARS-CoV-2 vaccination, in fact, the competent doctor has received specific indications from the mandatory training course to participate in the anti-COVID-19 vaccination process" and from this we can deduce "an organizational functionality of the competent doctor for the vaccination process (understood as a public health initiative, aimed at protecting the health of the community) [...in this case ] as an "authorized" subject (because in almost all companies the competent doctor is also an employee) or "designated" by the Region, as recipient of specific functions for the vaccination process determined by the Veneto Region”[…] also pursuant to art. 2 quaterdecies of Legislative Decree 101/2018 by the Region […] designation [which…] (in the emergency period) [could be] conferred orally as indicated in paragraph 4 of art. 17 bis of Legislative Decree 18/2020 (art. 17 bis paragraph 4 of Legislative Decree 18/2020"; therefore this provision to authorized/designated subjects does not constitute a communication and is therefore not illegal, given that the data have been made available disposition to the competent vaccinating doctors of the health authorities, within the SSR in which the Veneto Region exercises a planning and governance function”;

in fact "the Region, for the transmission of data of the unvaccinated to its designated for the purpose of treating the vaccination, has not followed the ordinary channels of communication with the competent doctor for the purposes of Legislative Decree 81/08, but has expressly asked (see note 21.4.2021, doc. 4) to the directors of the public companies where the vaccinations were carried out, to indicate the specific e-mail address of each competent doctor for making these lists available for this specific purpose (thus avoiding the email of the protocol or the one assigned to the competent doctor's office";

“the public interest is identified by the combined provisions of art. 9 paragraph 1, letter g) of the Regulation, and of Article 2 sexies paragraph 2, letter u) of the Code ("duties of the national health service and of subjects operating in the health sector, as well as 'duties of hygiene and safety in the workplace and safety and health of the population, civil protection, protection of life and physical safety”);

“therefore it was not a question of a systematic and generalized making available of the lists of all healthcare personnel but of a single making available to authorized subjects. because they are involved in the vaccination process of the health workers working in the health company to which they belong";
During the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on 29 April 2022, the Region declared, in particular, that:

"the communication of the personal data subject to the complaint was also made to the competent doctors of the health authorities in the context of the well-known emergency context linked to the SARS-CoV-2 pandemic, as the Region had to make very delicate assessments and choices, in a very short time restricted, trying to reconcile the different interests at stake and safeguard public health”;

"In this difficult context, characterized moreover by a high regulatory complexity and the absence of a uniform implementation framework, the institutional subjects involved were exposed to the risk of committing errors";

“The local health authorities had to follow around 60,000 procedures to ascertain the fulfillment of the vaccination obligations by the health personnel. Therefore, the Directorate General has tried to urge professionals to get vaccinated, in order to reduce the amount of work incumbent on the offices of the local health authorities in relation to cases of failure to fulfill the obligation, allowing them to be able to devote themselves to the care of patients”;

“In particular, the Region has decided to involve, among others, also competent doctors, as vaccinators in the Veneto Region, as the most suitable professionals, by professionalism and habit to process health data, to achieve the goal of increasing the vaccination rate among doctors and all health professionals involved”;

“It was, therefore, a preventive action aimed at encouraging doctors and health workers to get vaccinated, which falls within the competence of the Region. It was therefore not the intention of the Region to involve the competent doctors in the procedures referred to in Legislative Decree 44/2021 for the purposes of ascertaining the vaccination obligation. Instead, the Region has involved the competent doctors, as subjects of crucial importance for the success of the vaccination campaign, only to have their support in an attempt to convince doctors and health professionals who are reluctant to carry out the SARS-CoV vaccination -2, leaving intact all the responsibilities of the local health authorities regarding the obligations and procedures governed by the aforementioned Legislative Decree 44/2021. These companies have, in fact, independently initiated the proceedings for which they are responsible, as required by law”;

“The Region considered that the competent doctors constituted an important resource for the success of the vaccination campaign and that they were in an ideal position to approach the interested parties and explain to them the reasons why vaccination was necessary and appropriate for safeguard individual and public health”;

"The communication to the competent doctors has in any case taken place by adopting suitable security guarantees to protect personal data (password communicated with a separate channel) and no other person has become aware of the data";

"Based on the awareness acquired with respect to the facts in question and having taken note of the disputes object of the procedure initiated by the Guarantor, the Region has taken initiatives to try, in the future, to ensure compliance with data protection legislation as far as possible even in emergencies (preliminary and training activities by the Data Protection Officer of the Region)".

With a subsequent explanatory note dated 13 May 2022, the Region provided further elements of clarification, stating that:

- "The communication of the personal data subject to the complaint was also made to the competent doctors of the healthcare companies involved in the national and regional vaccination plan, in the context of the well-known emergency context linked to the SRAS-Cov-2 pandemic, since the Region had to make very delicate assessments and choices, in a very short time, trying to reconcile the various interests at stake and safeguard public health. In this difficult context, characterized moreover by a high regulatory complexity and by the absence of a uniform regulatory framework, the institutional subjects involved were exposed to the risk of committing errors”;

- "In particular, the Region has decided to involve, among others, also the competent doctors, as vaccinators in the ULSS companies of the Veneto Region, as the most suitable professionals, for professionalism and habit to process health data, to achieve the goal of increasing the vaccination rate among doctors and all health professionals involved".

3. Outcome of the preliminary investigation. The applicable legislation.

For the purposes of compliance with the legislation on the protection of personal data, it is, first of all, important to precisely identify the subjects who, for various reasons, can process personal data and clearly define their respective attributions, in particular that of owner and manager of the treatment and of the subjects who operate under the direct responsibility of these as authorized (Article 4, paragraph 1, point 7 of the Regulation and Articles 28 and 29 of the Code).

In the system of the Regulations, the owner is the subject responsible for the decisions regarding the purposes and methods of processing the personal data of the interested parties as well as a "general responsibility" (accountability; art. 5, paragraph 2 and 24 of the Regulation) on treatments put in place, even when these are carried out by other subjects "on their behalf", on the basis of a contract or other legal act stipulated in writing which constitutes the documented instruction by the owner also for the purpose of determining the scope of the respective responsibilities (cons. 81, articles 4, point 8) and 28 of the Regulation).

In this context, the owner is therefore the subject who, in the light of the concrete context in which data processing takes place, takes the basic decisions relating to the purposes and methods of processing on the basis of one or more conditions of lawfulness (articles 6 and 9 of the Regulation) and in compliance with data protection principles (art. 5 of the Regulation) making use of "authorised" and "instructed" personnel regarding access and data processing (articles 4, point 10 ), 29, and 32, par. 4, of the Regulation).

Public subjects may process personal data, also relating to particular categories of data (see Article 9, paragraph 1 of the Regulation), if the processing is necessary "to fulfill a legal obligation to which the data controller is subject" or " for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" (art. 6, paragraph 1, letters c) and e), as well as art. 9, par.2, lett. g) of the Regulation and 2-ter and 2-sexies of Legislative Decree no. 196 of 30 June 2003 - Code regarding the protection of personal data, hereinafter, the "Code").

The operation of communication of personal data to third parties, by public entities, is permitted only when required by a law or, in the cases provided for by law, by regulation (see art. 6, paragraph 2, of the Regulation and Article 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021, applicable to the present case).

3.1. The communication of personal data of unvaccinated health workers

As a preliminary point, it is necessary to take into account the particular context that forms the backdrop to the facts in question following the provision of the anti-SARS-CoV-2 vaccination as an "essential requirement for the exercise of the profession and for the performance of work" for operators the health professions and operators of health interest pursuant to art. 4 of the legislative decree 1 April 2021, no. 44 (converted into law n. 76 of 28 May 2021 - Urgent measures for the containment of the COVID-19 epidemic, regarding anti SARS-CoV-2 vaccinations, justice and public tenders) in order to protect health public and maintain adequate safety conditions in the workplace and in the provision of care and assistance services (requirement later extended until 31 December 2022, see art. 4 of Legislative Decree 44/2021, as amended by art. 8 paragraph 2 of Legislative Decree March 24, 2022, n. 24).

With regard to the possibility of introducing the anti SARS-CoV-2 vaccination, as a requirement for the performance of particular professions or tasks, with particular regard to exposure to a greater risk of contagion in the healthcare context, the Guarantor himself had deemed it necessary, in perspective of legal certainty and the principle of non-discrimination, that the matter should be subject to uniform regulation with national law, in compliance with the principle of proportionality (Article 6, paragraph 3, letter b), of the Regulation) and of the principle of reasonableness (Article 3 of the Constitution), taking into account the specific health and epidemiological situation in progress and scientific evidence (see FAQ No. 3 on the subject of "Processing of data relating to anti-Covid-19 vaccination in the workplace " www.gpdp.it - web doc. n. 9543615).

The legislator has therefore introduced a complex system for verifying the professional requirement for these categories of workers - subsequently reformed by art. 1, paragraph 1, lett. b), of Legislative Decree 26 November 2021, no. 172 -, which involves various institutional subjects, and provides for data flows between them (employers, regions, healthcare companies, professional orders), as well as the consequences, also in terms of suspension from the exercise of the profession and from any relationship of work, for the worker without the aforementioned requirement.

The processing of personal data necessary for the verification of the aforementioned professional requirement, therefore, must be carried out in strict compliance with the limits and conditions set by this reference legislative framework which constitutes its legal basis and perimeters, uniformly at national level, the scope of processing permitted to each of the aforementioned subjects (articles 5 and 6, paragraph 2, letter b) and g), of the Regulation and art. 2-sexies of the Code; as highlighted in numerous provisions of the Guarantor in the emergency period and, in particular in the opinions given on the subsequent implementing provisions of the aforementioned framework see, among many, provision 13 December 2021, no. 430, doc. web no. 9727220).

In particular, the aforementioned art. 4, in the text prior to the amendments of the d. L. 26 November 2021, no. 172, applicable to the present case, provided for the transmission by each professional Order of the list of members - with the indication of the respective place of residence - to the region or autonomous province of their respective competence, for the purpose of verification "for through the vaccination information services” of the vaccination status of each subject included in the list. Likewise the art. 4 established that each employer should send the list of its employees with the qualification of healthcare operator, with the indication of the place of residence, to the region and the autonomous province of their respective competence. Subsequently, the region or province, in compliance with the provisions on the protection of personal data, immediately reported to the local health authority of residence the names of the subjects who were not vaccinated. At this point, the local health authority of residence, following punctual checks and only with regard to the interested parties in respect of whom the absence of the aforementioned professional requirement had been concretely ascertained, immediately notified the interested party, the employer and to the professional order to which he belongs, determining, with the adoption of the assessment deed, the suspension from the work activity of the interested party. Finally, the professional association to which he belongs immediately communicated the suspension also to the employer (see art. 4, paragraphs 5 and 6).

Therefore, it was established that each autonomous region or province, through the vaccination information services, should verify the vaccination status of each of the interested parties (on the basis of names transmitted respectively by the territorially competent professional orders and by any employers) and - in cases where which "the vaccination was not carried out or the presentation of the vaccination request" - reported "the names of the subjects who have not been vaccinated to the local health authority of residence" for the start of the specific contradictory procedure with the interested party ( see, art. 4 of decree law no. 44/2021 in the text prior to the changes made with decree law no. 172/2021, applicable to the present case).

At the time, this regulatory framework did not provide for the treatments in question to which they refer, nor does it provide today, following the changes made with the d.l. no. 172/2021 and of the legislative decree no. 24/2022, that the data processing of healthcare personnel, for the purpose of ascertaining the existence of the aforementioned vaccination requirement, should also be carried out by the competent doctor, leaving this task exclusively to the territorially competent Healthcare Authority.

First of all, it should be pointed out that, based on the provisions contained in the Regulation, any organizational choice by the individual Company or Region, data controllers, to delegate their own tasks to a different subject (in this case to the competent doctor), would have required, on the basis of the personal data protection regulations, that the relative relationship (of designation as data controller) was governed by a contract or other legal act pursuant to art. 28 of the Regulation (see also recital 81 and art. 4, point 8 of the Regulation). In the present case, therefore, it is established that the Region has sent the lists of health workers who were not vaccinated (reporting the following data for each interested party: tax code - surname - name - date of birth - gender), not only to companies territorially competent health authorities for the initiation of the respective procedures for ascertaining the existence of the requirement, as expressly provided for by the aforementioned sector provision, but also to the competent doctors operating at the same (who acted as independent data controllers with respect to the Region).

The Region illustrated the specific assessments carried out in the delicate reference period - in the face of a recently adopted regulatory framework and in the absence of specific implementing provisions - regarding the involvement of the figure of the competent doctor, considered useful for speeding up the vaccination process and "as the main element of guarantee and protection of the personal data security of healthcare workers employed by the Aulss within their own work environment", on the assumption of compliance of the treatments carried out with the sector regulations on workers' health and workplace safety (Legislative Decree no. 81/2008).

In this regard, it is noted that, albeit with reference to a different working context, the Guarantor has highlighted that the purpose of ascertaining the requirements for accessing and carrying out certain professions envisaged by specific sector provisions must in any case be kept distinct from the different and more general (albeit connected) purpose of protecting health and safety in the workplace (see, on this point, provision 27 April 2016, web doc. n. 5149198, in relation to the processing of health data of seafarers by the competent doctor of the air carrier).

In pursuing the purpose of protection and safety in the workplace, the competent doctor operates on the basis of the specific regulatory framework of the sector as an independent data controller and even in the emergency period, does not process the data on behalf of or on the basis of the instructions and indications of other subjects (public bodies, health authorities, employers), but in his capacity as data controller (on this point (cf., policy document "The role of the "competent doctor" in matters of safety in the workplace, also with reference to the emergency context", web doc. n. 9585367 and provision of 22 July 2021, web doc. n.9683814).

In this context, the purposes and operations of the treatment that must be implemented by the competent doctor are determined exclusively by law.

Although therefore, as clarified on several occasions by the Guarantor, the competent doctor in the context of carrying out his duties in the matter can legitimately become aware of information and personal data also relating to the successful or unsuccessful vaccination of employees (art. 9, par. 2, letter h), and 3 of the Regulation; see also art. 2-sexies, paragraph 2, lett. u), of the Code), this must in any case take place within the limits and under the conditions established by law, in particular in the context of carrying out one's health surveillance duties (Articles 41, paragraphs 2 and 4 and 279 of Legislative Decree 81/ 2008; see, in particular, FAQ on "Processing of data relating to the anti Covid-19 vaccination in the workplace" www.gpdp.it - web doc. n. 9543615; see, policy document "The role of "competent doctor" in matters of safety in the workplace, also with reference to the emergency context", web doc. n. 9585367, cit. ; provision of 22 July 2021, web doc. n.9683814.cit.).

Contrary to what was declared by the Region, the legitimacy of the communication in favor of the competent doctor cannot therefore lie in the fact that the personal data were "knowable if not already known" for another purpose (and "referring only to professionals and operators collaborators of the same public health agencies in which the competent doctor worked"), finding this eventual knowability a basis in the performance of the tasks that the law (and not regional indications and circulars) assigns to him exclusively for the aforementioned purpose of safety of the places of work. In this regard, moreover, the Region itself, which in any case did not act as employer of the interested parties, finally highlighted that "for the transmission of data of the unvaccinated [...] it did not follow the ordinary communication channels with the competent doctor for the purposes of Legislative Decree 81/08”, confirming the non-involvement of the treatment put in place with respect to the aforementioned regulatory framework for the protection of occupational health and safety.

In the defense briefs and during the hearing, the Region intended to further clarify  that the aforementioned regional note containing the indications for the healthcare companies was not intended to involve the competent doctor in the procedure for verifying the professional requisites of the interested parties, since it remained so task exclusively to the territorially competent Health Authorities, but that, instead, the aforementioned transmission of data was justified by the "involvement of the competent doctor in the vaccination procedure whose organization was, by law, in the hands of the Region".

In this regard, it should be noted that the lists of personal data transmitted by the Region referred to personnel who, from the consultation of the vaccination register carried out at the time, did not appear to have joined the vaccination campaign. This audience of subjects could therefore certainly still be the subject of an awareness campaign, but it did not coincide with the audience of recipients of the provision of the health service in the process of administering the vaccination. Both, due to the distinction, on a chronological and functional level, of the phase of promotion and awareness of the interested parties - by definition prior to any participation in the vaccination campaign - from that relating to the actual vaccination process which, instead, presupposes the participation of the concerned, and consists in the actual administration of the vaccine doses.

In this phase, the possible involvement of the competent doctor as a vaccinating health professional would have taken place, not already in the context of the performance by the same of the coroner's activity and of the tasks typically performed by the latter in matters of safety and health of the workplaces, but as an authorized operator (vaccinator) in the performance of health and preventive medicine activities, i.e. the provision of health services (also in the wake of the indications of the Ministry of Health referred to by the Region during the preliminary investigation) .

Therefore, what was declared by the Region in order to justify the aforementioned communication of the lists of unvaccinated health workers to the competent doctors of the relative regional health structures to which they belong cannot be considered acceptable, on the mere assumption that "the competent doctor could fully enter the path of vaccination: this figure, in fact, by training and structure could guarantee the correct performance of health operations and also the confidentiality of the information known within the work environment" and that the transmission would have given rise to a making available to subjects authorised.

In this regard, it should be remembered that, even in the exceptional emergency context, the Guarantor has always drawn the attention of the data controllers to operate within the scope and within the limits established by the applicable legislation, which constitutes the legal basis for the related processing of personal data ( articles 5, 6, 9 of the Regulation), this also with regard to each of the institutional subjects involved in the implementation and management of the vaccination plan, avoiding the implementation of initiatives not provided for by the law or the confusion of the respective roles which, in some circumstances, can lead to illicit data communications and, sometimes, possible harmful effects for the interested parties, especially in particularly delicate contexts such as work and professional.

Finally, neither can what is represented in relation to the technical measures adopted in order to put in place "safe transmission methods" of the data, for the purpose of excluding the responsibility of the Region in the case in question, be considered sufficient. While acknowledging the attention shown in terms of processing security, it is underlined that the solution adopted nonetheless responds to a "planning" choice of the owner who, when determining the means of processing, adopts the technical and organizational measures appropriate to the risk also in implementation of the principle of minimization of the data being processed (see articles 5, paragraph 1, letter c), 24 and 25 of the Regulation), remaining however, in any case, necessary the preliminary verification regarding the occurrence of the conditions of lawfulness of the processing which, in the present case, was not found.

In any case, it represents the need to speed up the process of vaccinating health professionals in the regional territory - also given the high rate of health workers who were not vaccinated at the time - and to raise the awareness of health personnel working in the region, even though they are among the guidance and coordination tasks that the sector regulatory framework assigns to the regions, was the basis for the launch of a procedure parallel to that provided for by law and which does not find legitimacy in the current regulatory framework.

These needs - also with a view to reducing and streamlining the administrative procedures of the competent offices of the healthcare companies as assessment bodies - could, however, also have been pursued through information campaigns and staff awareness at the individual healthcare companies, if of the case with the help of the competent doctors, without however resorting to the communication of personal data, not provided for by law, made by the Region in favor of the competent doctors through the successful transmission of the lists of health professionals for whom it did not appear that the vaccination.

We also take note of what was declared by the Region, regarding the non-binding nature of the general indications contained in the aforementioned regional note, although adopted with the intention of guaranteeing the immediate and uniform application on the regional territory of the rules that had introduced the vaccination requirement , which is why, as confirmed by the outcome of the investigations launched in parallel against some healthcare companies, they have not in any case followed up on the indications received from the Region, nor have any personal data been processed in any other way that does not comply with the current regulatory framework.

Given the above, what was represented during the preliminary investigation cannot be considered sufficient to exclude the responsibility of the Region in the case in question and therefore it is believed that the systematic and generalized making available to the competent doctors operating at the regional health authorities of the lists of all healthcare personnel who at the time of the events were not vaccinated, although they did not concern data relating to health (the reason for which the relative dispute profile is filed), still gave rise to a communication of personal data not required by law , in violation of articles 5, par. 1, lit. a) and 6, of the Regulation and of the articles 2-ter of the Code (in the text prior to the amendments referred to in Legislative Decree No. 139/2021).

4. Conclusions.

In the light of the assessments referred to above, it should be noted that the statements made by the Region in the defense writings - the truthfulness of which may be called upon to answer pursuant to art. 168 of the Code - although worthy of consideration and indicative of the full collaboration of the data controller in order to mitigate the risks of the treatment, with respect to the situation present at the time of the start of the investigation, do not allow the findings notified by the Office to be overcome with the deed of initiation of the proceeding and are therefore insufficient to allow the filing of the present proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019.

The preliminary assessments of the Office are therefore confirmed and the illegality of the processing of personal data carried out by the Region in the absence of an appropriate legal basis, in violation of articles 5 and 6 of the Regulation and of the art. 2-ter of the Code.

Without prejudice to the provisions of art. 2-decies of the Code regarding the unusability of the personal data to be communicated, except for the provisions of article 160-bis of the Code.

The violation of the aforementioned provisions renders the administrative sanction applicable pursuant to articles 58, par. 2, lit. i), and 83, par. 5, of the Regulation and of the art. 166, paragraph 2, of the Code.

In this context, considering that the conduct has exhausted its effects, the conditions for the adoption of corrective measures, pursuant to art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

In this regard, taking into account the art. 83, par. 3, of the Regulation, in the present case - also considering the reference contained in art. 166, paragraph 2, of the Code – the violation of the aforementioned provisions is subject to the application of the same pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.

For the purposes of applying the sanction, the nature, object and purpose of the treatment were considered as well as the particularly high number of data subjects (the lists transmitted containing the names and other personal data of approximately 12,580 public health professionals who had not been vaccinated at the date of the April 1, 2021).

On the other hand, the delicacy of the emergency context in which the events in question occurred was considered. In particular, the difficulties encountered in the application phase were taken into account as a result of the entry into force of the provisions which had introduced the professional requirement of the anti-Covid vaccination for health professionals through a complex verification system in the absence of implementation provisions at national. The uncertainty of the reference legal framework, according to what was declared, would have led the Organization to take the initiative in question at the regional level, erroneously interpreting the role of the competent doctor for the purposes of data protection and trusting, erroneously, in the legitimacy of data transmission. It was also considered that the Region operated in good faith, for the sole purpose of supporting its health authorities in a particularly complicated moment and in order to raise awareness among those interested in joining the vaccination, in a sector already heavily affected by deaths between health personnel. The Region collaborated during the investigation also in order to reduce the consequences of the data communication, an intervention from the first request for clarification by the Authority to modify the previous operational indications (see regional notes of 27.7. 2021 and of 12.8.2021, in documents). The Region has not received any other complaints or previous provisions pursuant to art. 58 of the Regulation specifically referred to the same object (art. 83, paragraph 2, letter i) of the Regulation) with respect to the conduct in question.

Based on the aforementioned elements, evaluated as a whole, the amount of the pecuniary sanction is determined, in the amount of 100,000.00 (one hundred thousand) euros for the violation of articles 5 and 6 of the Regulation and of the art. 2-ter of the Code, given that, in relation to the specific case, the sanction is effective, proportionate and dissuasive (Article 83, paragraph 1, of the Regulation).

Taking into account the large number of interested parties involved (medical, nursing and other health sector operators) and their vulnerability in their own working context, and given, more generally, the greater risks of unlawful circulation of personal information in this context for effect of data processing and communication outside the cases provided for by law, with the possible exposure of the interested parties to consequences, on a relational and professional level, other than those already expressly established by the sector regulations, it is also believed that the ancillary sanction should be applied the publication on the Guarantor's website of this provision, provided for by art. 166, paragraph 7, of the Code and by art. 16 of the Regulation of the Guarantor n. 1/2019.

Finally, it is believed that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

notes the unlawfulness of the processing carried out by the Veneto Region, with registered office in Palazzo Balbi - Dorsoduro, 3901,30123 Venice, VAT number: 02392630279, for the violation of articles 5 and 6 of the Regulation as well as art. 2-ter of the Code in the terms referred to in the justification;

ORDER

to the Veneto Region in the person of its pro-tempore legal representative, with registered office in Palazzo Balbi - Dorsoduro, 3901, 30123 Venice, Tax Code 80007580279, pursuant to articles 58, par. 2, lit. i), and 83, par. 5, of the Regulation, to pay the sum of 100,000.00 (one hundred thousand) euros as an administrative fine for the violations indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within the term of thirty days, an amount equal to half of the fine imposed;

ENJOYS

the Veneto Region to pay the sum of 100,000.00 (one hundred thousand) euros in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law no. 689/1981;

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code;

the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 6 October 2022

PRESIDENT
station

THE SPEAKER
guille

THE SECRETARY GENERAL
Matthew