Garante per la protezione dei dati personali (Italy) - 9842783

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 9 GDPR
Article 2-septies (8) of the Codice in Materia di Protezione dei Dati Personali
Article 2-ter of the Codice in Materia di Protezione dei Dati Personali
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.12.2022
Published: 01.12.2022
Fine: 6,000 EUR
Parties: Azienda di Rilievo Nazionale ad Alta Specializzazione A.R.N.A.S. Civico - di Cristina Benfratelli (the controller)
XX (the data subject)
National Case Number/Name: 9842783
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA fined a hospital €6,000 for publishing on its institutional website two measures connected to a nurse's retirement, which contained the nurse's personal data, including health data.

English Summary

Facts

A nurse (the data subject) filed a complaint with the Italian DPA against the hospital (the controller) where they worked. The hospital had published on its institutional website two measures relating to the data subject's request for retirement which contained their personal data, including health data. More specifically, the measures, which were published on the institutional website and indexed by search engines, stated the data subject's invalidity status (with the relevant percentage) as well as detailed information on the employment relationship, such as the request for retirement. The second measure had been issued because the first contained an error in the calculation of the data subject's period of actual service that needed to be rectified.

The controller notified the DPA of the breach pursuant to Article 33 GDPR, stressing its willingness to cooperate with the supervisory authority, and stated that it had removed the measure 6 days after its publication. It also stated that, as soon as it learnt from the DPA's notification that the measure was still indexed by search engines, it traced the problem to a bug in the platform that manages the attachments and resolved it immediately by disabling the indexing of attachments by search engines. Additionally, the controller indicated that it was already aligning its practices with the draft Privacy Code of Conduct in Healthcare and firmly intended to adhere to it once approved in accordance with Article 40 GDPR. Finally, it emphasised that the breach resulted from its wish to explain in detail the reasons for amending one of the two previously published measures, where the rectification was necessary to acknowledge the actual period of service.

Holding

The Italian DPA held that the controller had not proven the existence of any specific regulatory provision allowing the publication of the measures subject to the complaint, and that a mere reference to the rules on the publicity of acts (such as Article 32 of Law No. 69 of 18 June 2009, relied on by the controller, and Article 124 of Legislative Decree No. 267 of 18 August 2000) was not sufficient. It noted, moreover, that the publication of the measures had in any case continued well beyond the 15-day period provided for by that legislation.

The DPA also found that the dissemination of the data subject's personal data had taken place without an appropriate legal basis and, since the data included information on the data subject's condition of invalidity, in violation of the general prohibition on the dissemination of health data. It therefore concluded that the controller had breached Articles 5, 6 and 9 GDPR and Articles 2-ter and 2-septies(8) of the Code (in the text prior to the amendments made by Decree-Law No. 139 of 8 October 2021).

In determining the fine, the DPA took into account the particular sensitivity of the unlawfully processed personal data, including health data. On the other hand, it considered that the processing concerned only one data subject, that the controller had notified the DPA of what had occurred (Article 33 GDPR) and had taken steps to remove the personal data from its institutional website, and that the indexing of the measures by general search engines was due to "a bug in the platform" that managed the publication of the documents. It also took favourable account of the absence of previous relevant violations by the controller or previous measures pursuant to Article 58 GDPR. The Italian DPA therefore imposed a fine of €6,000 on the controller.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9842783]

Injunction order against A.R.N.A.S. Civico - 1 December 2022

Register of measures
no. 404 of 1 December 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, the "Regulation");

HAVING REGARD TO Legislative Decree No. 196 of 30 June 2003 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (hereinafter, the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

HAVING SEEN the documentation on file;

HAVING SEEN the observations of the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organisation and functioning of the Office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Rapporteur: Prof. Pasquale Stanzione;

WHEREAS

1. The complaint.

In a complaint submitted by an employee of the Azienda di Rilievo Nazionale ad Alta Specializzazione A.R.N.A.S. Civico - Di Cristina Benfratelli (hereinafter, the "Hospital"), the complainant objected to the publication on the Hospital's institutional website of two measures containing the complainant's personal data, including data relating to health.

In particular, the complainant stated that:

- being "already an employee [of the Hospital] with the qualification of professional nurse, having acquired the requisites for retirement, [...] presented an application for retirement", approved with resolution no. XX;

- since this resolution contained some errors "in relation to the personal data and the calculation of the period of seniority accrued, circumstances that were promptly represented", the Hospital issued a new resolution, no. XX of XX, correcting the previous one;

- the rectification resolution, no. XX reported "the invalidity status [of the complainant] with an indication of the percentage [of the same]".

The publication of the resolutions subject to the complaint, and their indexing on search engines, was verified by the Office (see the service report on file).

2. The preliminary investigation.

On the basis of the elements acquired, the Office notified the Hospital, as data controller, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures under art. 58, par. 2, of the Regulation, since the publication on its institutional website, and the indexing on search engines, of resolutions no. XX of XX and no. XX of XX had resulted in the "dissemination" of the complainant's personal data, including data relating to health, in violation of articles 5, 6 and 9 of the Regulation and of articles 2-ter and 2-septies, paragraph 8, of the Code. It therefore invited the controller to submit written defences or documents to the Guarantor, or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; art. 18, paragraph 1, of Law no. 689 of 24 November 1981).

The Hospital submitted its defence briefs, stating in particular that:

- "the resolution subject of the complaint (resolution of the general manager no. XX 'amendment of resolution no. XX of XX') was published in the Praetorian Register on XX with expiry on XX. The rectification was necessary because in resolution 530 [...] the period of service had been partially miscounted and it was therefore necessary to acknowledge the actual period of service. [...] As for the nature, object and purpose of the processing, reference is made to the performance of a task in the public interest (keeping of the Albo Pretorio Online, art. 32 of Law 69/2009)";

- “it is excluded [...] that the violation was intentional in nature. [...] The concern to justify in detail a previous resolution - which in fact constitutes a disadvantage [for the complainant] - could make one forget the existence of rules, such as the ban on the dissemination of health data";

- "as soon as it learned from the Authority's notification that the measure was still indexed on the internet by general search engines, the company Data Protection Officer asked the head of the U.O. Management, which ascertained the presence of a bug in the platform [...] that manages the documents attached to the articles. The problem was immediately resolved by disabling the indexing of the attachments [...] by search engines";

- "as regards the specific case, the platform that hosts the Praetorian Register is configured in the correct way 'by design', so as to remove the provisions on the date of the end of publication (15 days from the beginning), and only because of a bug - promptly removed - the measure proved to be temporarily ineffective”;

- "the Controller transmitted to the Authority the notification of the breach pursuant to art. 33 of the GDPR: there is no doubt as to the Data Controller's willingness to cooperate with the Authority; the only possible remedy for the breach, consisting in no longer making the Resolution in question visible, consisted in removing the Measure 6 days after its publication and fixing the bug mentioned above";

- "the Company [...] is following the preparation of the Privacy Code of Conduct in healthcare; it is the firm intention of the Company to adhere to this Code, as soon as it is approved as per art. 40. However, the Company is already working towards this objective, directing its choices according to the indications of the draft Code already made public";

- "as mentioned above, without wanting to minimize the incident, it is reiterated that the violation arose from the concern to clearly specify the reasons for the modification of a previously published Provision, and therefore dwell on the real reasons for the need for the modification".
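The Hospital's account above describes two controls: notices are removed from the online register when the 15-day publication term ends, and, after the bug was fixed, attachments are no longer indexable by search engines. The following Python sketch is an added example, not the Hospital's platform or any real register software, that models those two controls together with the audit a practitioner would run to catch the failure the decision describes: an attachment that remains reachable (and therefore indexable) after its parent notice has expired. All identifiers, paths and dates in it are constructed.

```python
"""Added example (hypothetical): publication-term and de-indexing checks for
an online register such as an albo pretorio. Not the Hospital's software."""
from dataclasses import dataclass
from datetime import date, timedelta

PUBLICATION_DAYS = 15  # statutory publication term cited in the decision


@dataclass
class Notice:
    number: str                # constructed identifier, e.g. "100"
    published_on: date
    page: str                  # path of the notice page on the public site
    attachments: list          # paths of the attachments (constructed)
    health_data: bool = False  # set by the drafter's pre-publication review

    def expires_on(self) -> date:
        return self.published_on + timedelta(days=PUBLICATION_DAYS)

    def is_expired(self, today: date) -> bool:
        return today >= self.expires_on()


def robots_header(path: str, notice: Notice, today: date) -> str:
    """Value of the X-Robots-Tag header to send with `path`.

    Attachments are never indexable (the Hospital's remediation), and the
    notice page itself stops being indexable once the term has expired.
    """
    if path in notice.attachments or notice.is_expired(today):
        return "noindex, nofollow"
    return "index, follow"


def audit_register(notices, today, reachable):
    """Return findings as (notice number, description) tuples.

    `reachable` is the set of paths the public web server still serves,
    e.g. collected by crawling the register. Two checks:
      1. a notice flagged as containing health data must not be published
         at all (the prohibition in art. 2-septies(8) of the Code);
      2. after the term expires neither the notice page nor any attachment
         may still be reachable; the attachment case is the bug in the
         decision, where pages expired but attachments stayed online.
    """
    findings = []
    for n in notices:
        if n.health_data:
            findings.append((n.number, "health data must not be disseminated"))
        if n.is_expired(today):
            for path in [n.page] + n.attachments:
                if path in reachable:
                    findings.append((n.number, f"still reachable after expiry: {path}"))
    return findings


# Constructed sample register; the numbers are not real resolutions.
REGISTER = [
    Notice("100", date(2022, 1, 10), "/albo/100.html", ["/albo/100/att1.pdf"]),
    Notice("101", date(2022, 1, 20), "/albo/101.html", ["/albo/101/att1.pdf"],
           health_data=True),
]


def demo():
    """Reproduce the failure mode: notice 100 expired on 25 January, its page
    was removed, but its attachment is still served (and thus indexable)."""
    today = date(2022, 2, 1)
    reachable = {"/albo/101.html", "/albo/101/att1.pdf", "/albo/100/att1.pdf"}
    return audit_register(REGISTER, today, reachable)


def demo_headers():
    """X-Robots-Tag values the server should send for the sample on 1 Feb 2022."""
    today = date(2022, 2, 1)
    return {
        "/albo/100.html": robots_header("/albo/100.html", REGISTER[0], today),
        "/albo/101.html": robots_header("/albo/101.html", REGISTER[1], today),
        "/albo/101/att1.pdf": robots_header("/albo/101/att1.pdf", REGISTER[1], today),
    }


if __name__ == "__main__":
    for number, finding in demo():
        print(number, finding)
```

The point of the audit is that expiry must be checked against what the web server actually serves, not against the platform's own view of what it has unpublished: in the decision, the notice pages were taken down on schedule while the attachment store kept serving the PDFs, so a crawl of the public site is the only check that would have caught it before the complaint. Sending `noindex` on attachments is a mitigation for search engines, not a substitute for removing the files.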

3. Applicable legislation.

3.1 The regulatory framework.

The rules on the protection of personal data provide that public bodies, including when acting as employers, may process the personal data of workers if the processing is necessary, in general, for the management of the employment relationship and to fulfil specific obligations or tasks laid down by national sector legislation (articles 6, paragraph 1, letter c), 9, par. 2, letter b), and par. 4, and 88 of the Regulation) or "for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" (article 6, paragraph 1, letter e), of the Regulation).

European legislation provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing [...]" (article 6, paragraph 2, of the Regulation). In this regard, it should be noted that processing operations consisting in the "dissemination" of personal data are permitted only where provided for by a law or regulation (article 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the amendments made by Decree-Law No. 139 of 8 October 2021).

With regard to special categories of personal data, processing is, as a rule, permitted, besides where it serves to fulfil specific obligations "in the field of employment [...] law in so far as it is authorised by Union or Member State law [...] providing for appropriate safeguards" (article 9, paragraph 2, letter b), of the Regulation), also where it is "necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject" (article 9, paragraph 2, letter g), of the Regulation).

In any case, data relating to health, i.e. data "related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status" (article 4, par. 1, no. 15, of the Regulation; see also recital 35), "may not be disseminated" on account of their particular sensitivity (art. 2-septies, paragraph 8, and art. 166, paragraph 2, of the Code, and article 9, paragraphs 1, 2 and 4, of the Regulation).

In any case, the data controller must comply with the data protection principles, including those of "lawfulness, fairness and transparency" and "data minimisation", according to which personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject" and must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (article 5, paragraph 1, letters a) and c), of the Regulation).

3.2 Dissemination of employee personal data

As emerges from the documents and the statements made by the data controller during the investigation, and from the assessment carried out by this Office on the basis of the elements acquired, A.R.N.A.S. Civico - Di Cristina Benfratelli published on its institutional website, and indexed on search engines, measures no. XX and no. XX, containing the complainant's personal data, including data relating to health, such as the state of disability.

In particular, measure no. XX, rectifying measure no. XX by which the complainant's retirement had been ordered, although issued in order to "justify [...] a previous resolution - which constituted a de facto disadvantage" for the complainant, and therefore with the intention of acting in the complainant's exclusive interest, nonetheless contained an express reference to the complainant's "report of recognition of civil invalidity", as well as detailed information on events connected to the employment relationship (e.g. the data subject's request for retirement).

In this regard, it should be noted that, as is known, "data relating to health", i.e. data "related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status", "may not be disseminated", on account of the greater safeguards that the Regulation and the Code afford to this particularly sensitive category of data (art. 2-septies, paragraph 8, of the Code and art. 9, par. 4, of the Regulation; see measures no. 290 of 1 September 2022, doc. web no. 9811361; no. 150 of 28 April 2022, doc. web no. 9777200; no. 319 of 16 September 2021, doc. web no. 9704048; no. 255 of 24 June 2021, doc. web no. 9688099).

Furthermore, without prejudice to the prohibition on publishing data relating to health, the Hospital has not proven the existence of any specific regulatory provision allowing the publication of the measures subject to the complaint, nor can a mere reference to the rules on the publicity of documents in the Praetorian Register (art. 32 of Law no. 69 of 18 June 2009, relied on by the Hospital, and art. 124 of Legislative Decree no. 267 of 18 August 2000) suffice, also considering that the publication of the measures in any case continued well beyond the 15-day term set by that legislation. It also emerged during the investigation, and was confirmed by the data controller, that the aforementioned documents were "indexed on the internet by general search engines [...] due to the presence of a platform bug".

It should be recalled that this Authority has clarified on several occasions that even the existence of a specific publicity regime - which in any case must also be complied with as regards the publication period it establishes - does not entail any automatic online dissemination of personal data and information, nor any derogation from the principles of personal data protection (see, among many others, most recently measure no. 299 of 15 September 2022, doc. web no. 9815665, and the earlier measures recalled therein). This is also confirmed by the data protection framework of the Regulation, under which the data controller must "implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed" and must be "able to demonstrate" - in the light of the principle of "accountability" - that it has done so (articles 5, paragraph 2, 24 and 25, paragraph 2, of the Regulation).

Indeed, in numerous decisions the Guarantor has reiterated that, even where a legal provision requires the publication of certain deeds and documents (for example, on the online Praetorian Register), all the limits set by the data protection principles on lawfulness and data minimisation apply (see article 5, paragraph 1, letter c), of the Regulation; part II, par. 3.a, of the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purposes of publicity and transparency on the web by public entities and other obliged entities" of 15 May 2014, doc. web no. 3134436).

In the light of the foregoing considerations, and given the definitions of personal data and data relating to health (article 4, points 1 and 15, of the Regulation), it is found that the publication on the institutional website of the aforementioned measures resulted in the dissemination of personal data relating to the complainant in the absence of a suitable regulatory basis and, since these included data relating to the condition of disability, in violation of the general prohibition on the dissemination of data relating to health (articles 5, 6 and 9 of the Regulation and articles 2-ter and 2-septies, paragraph 8, of the Code, in the text prior to the amendments made by Decree-Law No. 139 of 8 October 2021).

4. Conclusions.

In the light of the above assessments, and taking into account the statements made by the data controller during the investigation - for the truthfulness of which it may be called to answer pursuant to art. 168 of the Code - the elements provided by the data controller in its defence briefs do not overcome the findings notified by the Office in the act initiating the procedure and are insufficient to allow the present proceeding to be closed, nor does any of the cases provided for by art. 11 of the Guarantor's Regulation no. 1/2019 apply.

Therefore, the preliminary findings of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Hospital is established, in violation of articles 5, 6 and 9 of the Regulation and of articles 2-ter and 2-septies, paragraph 8, of the Code, in the text prior to the amendments made by Decree-Law No. 139 of 8 October 2021.

The violation of the aforementioned provisions makes applicable the administrative fine provided for by art. 83, par. 5, of the Regulation, pursuant to articles 58, par. 2, letter i), and 83, par. 3, of the Regulation and art. 166, paragraph 2, of the Code.

In this context, considering in any case that the conduct has exhausted its effects, the conditions for the adoption of corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

5. Adoption of the injunction order for the application of the administrative fine and ancillary sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; article 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, letter i), and 83 of the Regulation and art. 166 of the Code, has the power to "impose an administrative fine pursuant to article 83, in addition to, or instead of, the [other] [corrective] measures referred to in this paragraph, depending on the circumstances of each individual case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

In this regard, having regard to art. 83, par. 3, of the Regulation, in the present case - also considering the reference contained in art. 166, paragraph 2, of the Code - the violation of the aforementioned provisions is subject to the same administrative fine provided for by art. 83, par. 5, of the Regulation.

The amount of the administrative fine, which depends on the circumstances of each individual case, must be determined taking due account of the elements set out in art. 83, par. 2, of the Regulation.

With regard to those elements, consideration was given to the particular sensitivity of the unlawfully processed personal data, including data relating to health, and to the fact that the conduct ran counter to the guidance that the Guarantor has long provided to public and private employers through the Guidelines referred to above and through numerous decisions on individual cases.

On the other hand, it was considered that the processing of personal data concerned only one data subject, that the Hospital had notified the Guarantor of what had occurred (art. 33 of the Regulation) and had taken steps to remove the personal data in question from its institutional website, and that the indexing of the aforesaid measures by general search engines was due to the presence of "a bug in the platform" that manages the publication of the documents. Furthermore, favourable account was taken of the absence of previous relevant violations by the data controller or previous measures pursuant to art. 58 of the Regulation.

On the basis of the aforementioned elements, assessed as a whole, the amount of the fine is set at 6,000 (six thousand) euros for the violation of articles 5, 6 and 9 of the Regulation and of articles 2-septies, paragraph 8, and 2-ter of the Code, in the text prior to the amendments made by Decree-Law No. 139 of 8 October 2021, an administrative fine deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account the nature of the data processed, it is also considered that the ancillary sanction of publication of this measure on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor's Regulation no. 1/2019, should be applied.

Finally, it is noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

IN VIEW OF THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letter f), of the Regulation, declares unlawful the processing of personal data carried out by A.R.N.A.S. Civico - Di Cristina Benfratelli in the terms set out in the reasoning, consisting in the violation of articles 5, 6 and 9 of the Regulation and of articles 2-septies, paragraph 8, and 2-ter of the Code, in the text prior to the amendments made by Decree-Law No. 139 of 8 October 2021;

ORDERS

pursuant to articles 58, par. 2, letter i), and 83 of the Regulation and art. 166 of the Code, A.R.N.A.S. Civico - Di Cristina Benfratelli, in the person of its legal representative pro tempore, with registered office in Piazza Nicola Leotta 4 - 90127 Palermo, Tax Code 05841770828, to pay the sum of 6,000 (six thousand) euros as an administrative fine for the violations indicated in this measure. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

A.R.N.A.S. Civico - Di Cristina Benfratelli - without prejudice to the provisions of art. 166, paragraph 8, of the Code - to pay the sum of 6,000 (six thousand) euros according to the methods indicated in the annex, within 30 days of notification of this measure, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of Law no. 689/1981;

ORDERS

the publication of this measure on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Guarantor's Regulation no. 1/2019);

the annotation of this measure in the Authority's internal register, provided for by art. 57, par. 1, letter u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation (see art. 17 of Regulation no. 1/2019).

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this measure may be lodged before the ordinary judicial authority, on pain of inadmissibility, within thirty days of the date of communication of the measure, or within sixty days if the appellant resides abroad.

Rome, 1st December 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei

[doc. web no. 9842783]

Injunction order against A.R.N.A.S. Civic - December 1st

Register of measures
no. 404 of 1 December 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ CE, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free movement of such data and which repeals Directive 95/46/EC (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

Given the documentation in the deeds;

Given the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the Guarantor's office for the protection of personal data, doc. web no. 1098801;

Speaker Prof. Pasquale Stanzione;

WHEREAS

1. The complaint.

With a complaint presented by an employee of the highly specialized national relief company A.R.N.A.S. Civico - by Cristina Benfratelli (hereinafter the "Hospital"), the publication on the Company's institutional website of two measures was complained about, containing personal data of the interested party, also relating to health.

In particular, the complainant represented that:

- being "already an employee [of the Hospital] with the qualification of professional nurse, having acquired the requisites for retirement, [...] presented an application for retirement", approved with resolution no. XX;

- considering that this resolution contained some errors "in relation to the personal data and the calculation of the period of seniority accrued, circumstances that were promptly represented", the Hospital Authority proceeded to issue a new resolution, no. XX of the XX, in which the previous one was corrected;

- the rectification resolution, no. XX reported "the invalidity status [of the complainant] with an indication of the percentage [of the same]".

The circumstance of the publication of the resolutions subject to the complaint and the relative indexing on search engines was verified by the Office (see service report in the file).

2. The preliminary investigation.

Based on the elements acquired, the Office notified the Hospital, as data controller, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2 of the Regulation, given that the publication on its institutional website and the indexing on search engines of resolutions no. XX of the XX and n.XX of the XX, determined the "dissemination" of the complainant's personal data, also relating to health, in violation of articles 5, 6 and 9 of the Regulation and 2-ter and 2-septies, paragraph 8, of the Code. Therefore he invited the aforesaid owner to produce written defenses or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law n. 689 of the 11/24/1981).

The Hospital has sent its defense briefs, representing, in particular, that:

- "the resolution complained of (resolution of the General Manager no. XX, "amendment of resolution no. XX of XX") was published on the Albo Pretorio on XX, with expiry on XX. The rectification was necessary because in resolution 530 [...] the period of service had been partly miscounted, and it was therefore necessary to acknowledge the actual period of service. [...] As to the nature, object and purpose of the processing, reference is made to the performance of a task carried out in the public interest (online Albo Pretorio, art. 32 of Law no. 69/2009)";

- "it is excluded [...] that the violation was intentional in nature. [...] The concern to justify in detail a previous resolution, which in fact placed [the complainant] at a disadvantage, could cause one to overlook the existence of rules such as the ban on the dissemination of health data";

- "as soon as it learned from the Authority's notification that the provision was still indexed on the internet by general-purpose search engines, the Company's Data Protection Officer asked the head of the U.O. Management, which ascertained the presence of a bug in the platform [...] that manages the documents attached to the articles. The problem was immediately resolved by disabling the indexing of the attachments [...] by search engines";

- "as regards the specific case, the platform hosting the Albo Pretorio is configured correctly 'by design', so as to remove provisions on the date on which publication ends (15 days from its start), and only because of a bug, promptly removed, did the measure prove temporarily ineffective";

- "the Controller transmitted to the Authority the notification of the breach pursuant to art. 33 of the GDPR: there is no doubt as to the Controller's willingness to cooperate with the Authority; the only possible remedy for the breach, namely no longer making the Resolution in question visible, consisted in removing the Provision 6 days after its publication and fixing the aforementioned bug";

- "the Company [...] is following the preparation of the Code of Conduct on privacy in healthcare; it is the Company's firm intention to adhere to that Code as soon as it is approved under art. 40. The Company is, however, already working towards that objective, guiding its choices by the indications of the draft Code already made public";

- "as mentioned above, without wishing to minimise the incident, it is reiterated that the violation arose from the concern to spell out clearly the reasons for amending a previously published Provision, and hence to dwell on the real reasons why the amendment was needed".

3. Applicable legislation.

3.1 The regulatory framework.

Data protection law provides that public bodies, including when acting as employers, may process workers' personal data where the processing is necessary, in general, for the management of the employment relationship and to fulfil specific obligations or tasks laid down by national sector legislation (articles 6, par. 1, lit. c), 9, par. 2, lit. b) and par. 4, and 88 of the Regulation), or "for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" (art. 6, par. 1, lit. e), of the Regulation).

EU law provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing [...]" (art. 6, par. 2, of the Regulation). In this regard, processing operations consisting in the "dissemination" of personal data are permitted only where provided for by a law or regulation (art. 2-ter, paragraphs 1 and 3, of the Code, in the wording prior to the amendments made by Legislative Decree no. 139 of 8 October 2021).

As regards special categories of personal data, processing is permitted, besides where necessary to fulfil specific obligations "in the field of employment [...] in so far as it is authorised by [...] law [...] providing for appropriate safeguards" (art. 9, par. 2, lit. b), of the Regulation), also where "necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject" (art. 9, par. 2, lit. g), of the Regulation).

In any event, data concerning health, that is, personal data "related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status" (art. 4, par. 1, no. 15, of the Regulation; see also recital 35), given their particular sensitivity, "may not be disseminated" (art. 2-septies, paragraph 8, and art. 166, paragraph 2, of the Code; art. 9, paragraphs 1, 2 and 4, of the Regulation).

The controller must in any event comply with the data protection principles, including "lawfulness, fairness and transparency" and "data minimisation", under which personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject" and must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (art. 5, par. 1, lit. a) and c), of the Regulation).

3.2 Dissemination of employee personal data

As emerges from the documents and from the statements made by the controller during the investigation, and from the assessment carried out by this Department on the elements acquired, A.R.N.A.S. Civico - di Cristina Benfratelli published on its institutional website, and allowed to be indexed by search engines, provisions no. XX and no. XX, containing the complainant's personal data, including data relating to health such as the state of disability.

In particular, provision no. XX, rectifying provision no. XX by which the complainant's retirement had been ordered, although issued in order to "justify [...] a previous resolution, which constituted a de facto disadvantage" for the complainant, and thus with the intention of acting in the complainant's sole interest, nonetheless contained an express reference to the complainant's "report of recognition of civil invalidity", as well as detailed information on events connected with the employment relationship (e.g. the data subject's request to retire).

In this regard, as is known, "data concerning health", that is, personal data "related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status", in view of the greater safeguards that the Regulation and the Code afford to this particularly sensitive category of data, "may not be disseminated" (art. 2-septies, paragraph 8, of the Code and art. 9, par. 4, of the Regulation: see decisions no. 290 of 1 September 2022, web doc. no. 9811361; no. 150 of 28 April 2022, web doc. no. 9777200; no. 319 of 16 September 2021, web doc. no. 9704048; no. 255 of 24 June 2021, web doc. no. 9688099).

Furthermore, leaving aside the prohibition on disseminating data relating to health, the Hospital has not proved the existence of any specific legal provision permitting publication of the provisions complained of; nor does the mere reference to the rules on the publicity of documents on the Albo Pretorio (art. 32 of Law no. 69 of 18 June 2009, invoked by the Hospital, and art. 124 of Legislative Decree no. 267 of 18 August 2000) suffice, also considering that publication of the provisions in any event continued well beyond the 15-day period set by law. It also emerged during the investigation, and was confirmed by the controller, that the documents were "indexed on the internet by general-purpose search engines [...] due to a platform bug".

It should be recalled that this Authority has clarified on several occasions that even the existence of a specific publicity regime, which must in any event be complied with also as regards the publication period it lays down, cannot give rise to any automatic online dissemination of personal data and information, nor to any derogation from the data protection principles (see, among many others, most recently decision no. 299 of 15 September 2022, web doc. no. 9815665, and the earlier decisions cited therein). This is also confirmed by the data protection framework of the Regulation, under which the controller must "implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed" and must be "able to demonstrate", in accordance with the principle of "accountability", that it has done so (articles 5, par. 2, 24 and 25, par. 2, of the Regulation).
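The two properties the Hospital said its platform enforced "by design" (removal of an act once the 15-day publication window ends, and no search-engine indexing of attachments in the meantime) are exactly what the accountability principle requires a controller to be able to demonstrate, and a periodic check against the live site is how one demonstrates them rather than trusting the configuration. The following Python script is an added example, not code from the Garante's decision or from the Hospital's platform; the register entries, URLs and HTTP responses are constructed sample data, and the 15-day window is taken from art. 32 of Law no. 69/2009 as cited above.

```python
"""Audit of an online notice-board (Albo Pretorio) publication pipeline.

Checks, for every attachment of every act in the register:
  (a) after the publication window has elapsed, the attachment is no longer
      served (HTTP 404 or 410);
  (b) while it is still published, the response carries an X-Robots-Tag
      noindex directive, so general-purpose search engines do not index it.
All register entries and responses below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Tuple

# Statutory window for the online register (art. 32, Law no. 69/2009): 15 days.
PUBLICATION_DAYS = 15


@dataclass
class Act:
    number: str             # register number of the act (constructed)
    published_on: date      # first day of publication
    attachments: List[str]  # URLs of the attached documents


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def expiry_date(act: Act) -> date:
    """Last day on which the act may legitimately be online."""
    return act.published_on + timedelta(days=PUBLICATION_DAYS)


def is_noindex(resp: Response) -> bool:
    """True if the response tells crawlers not to index it.

    X-Robots-Tag may carry several comma-separated directives
    ("noindex, nofollow"); the header name is matched case-insensitively.
    """
    tag = next((v for k, v in resp.headers.items()
                if k.lower() == "x-robots-tag"), "")
    directives = {d.strip().lower() for d in tag.split(",")}
    return bool(directives & {"noindex", "none"})


Finding = Tuple[str, str, str]  # (act number, URL, problem)


def audit(acts: List[Act], today: date,
          fetch: Callable[[str], Response]) -> List[Finding]:
    """Return one finding per attachment that violates (a) or (b)."""
    findings: List[Finding] = []
    for act in acts:
        expired = today > expiry_date(act)
        for url in act.attachments:
            resp = fetch(url)
            if expired and resp.status not in (404, 410):
                findings.append((act.number, url,
                                 f"still served (HTTP {resp.status}) "
                                 f"after expiry {expiry_date(act)}"))
            elif not expired and resp.status == 200 and not is_noindex(resp):
                findings.append((act.number, url,
                                 "indexable: no X-Robots-Tag noindex"))
    return findings


# --- constructed sample data, standing in for a real register and web server ---
AUDIT_DATE = date(2022, 12, 1)  # hypothetical date of the audit run

SAMPLE_ACTS = [
    Act("1001", AUDIT_DATE - timedelta(days=40), ["https://albo.example/1001.pdf"]),
    Act("1002", AUDIT_DATE - timedelta(days=40), ["https://albo.example/1002.pdf"]),
    Act("1003", AUDIT_DATE - timedelta(days=3), ["https://albo.example/1003.pdf"]),
    Act("1004", AUDIT_DATE - timedelta(days=3), ["https://albo.example/1004.pdf"]),
]

SAMPLE_RESPONSES = {
    # expired and correctly withdrawn
    "https://albo.example/1001.pdf": Response(410),
    # expired but still served: the kind of failure the decision describes
    "https://albo.example/1002.pdf": Response(200, {"Content-Type": "application/pdf"}),
    # current, and protected from indexing
    "https://albo.example/1003.pdf": Response(200, {"X-Robots-Tag": "noindex, nofollow"}),
    # current, but indexable by any crawler
    "https://albo.example/1004.pdf": Response(200, {"Content-Type": "application/pdf"}),
}


def sample_fetch(url: str) -> Response:
    """Stand-in for an HTTP HEAD/GET against the register (constructed)."""
    return SAMPLE_RESPONSES.get(url, Response(404))


def run_sample() -> List[Finding]:
    return audit(SAMPLE_ACTS, AUDIT_DATE, sample_fetch)


if __name__ == "__main__":
    for number, url, problem in run_sample():
        print(f"act {number}: {url}: {problem}")
```

Against a live register, `sample_fetch` would be replaced by an HTTP request that returns the status code and headers. The check looks for `noindex` in `X-Robots-Tag` rather than for a `robots.txt` Disallow because a Disallow only stops crawling: a URL linked from elsewhere can still be listed by the engine, and a crawler that is disallowed never fetches the document, so it never sees a noindex header either. Once a document has already been indexed, as happened here, correcting the header stops re-indexing but does not clear the engine's cached copy; that requires the engine's own removal tools.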

Indeed, in numerous decisions the Garante has reiterated that, even where a legal provision requires the publication of certain deeds and documents (for example, on the online Albo Pretorio), all the limits deriving from the data protection principles of lawfulness and data minimisation must still be respected (see art. 5, par. 1, lit. c), of the Regulation; part II, par. 3.a, of the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for purposes of publicity and transparency on the web by public bodies and other obliged entities" of 15 May 2014, web doc. no. 3134436).

In the light of the foregoing, and given the definitions of personal data and data concerning health (art. 4, points 1 and 15, of the Regulation), the publication of the above measures on the institutional website is found to have disseminated personal data referring to the complainant in the absence of a suitable legal basis and, since those data also included data on the condition of disability, in violation of the general prohibition on the dissemination of data concerning health (articles 5, 6 and 9 of the Regulation and articles 2-ter and 2-septies, paragraph 8, of the Code, in the wording prior to the amendments made by Legislative Decree no. 139 of 8 October 2021).

4. Conclusions.

In the light of the above assessments, and taking into account the statements made by the controller during the investigation (for the truthfulness of which it may be called to answer under art. 168 of the Code), the elements provided by the controller in its defence briefs do not overcome the findings notified by the Office in the act initiating the procedure and are insufficient to warrant closing the present proceeding; nor does any of the cases provided for by art. 11 of the Garante's Regulation no. 1/2019 apply.

The Office's preliminary assessments are therefore confirmed, and the processing of personal data carried out by the Hospital is found to be unlawful, in violation of articles 5, 6 and 9 of the Regulation and of articles 2-ter and 2-septies, paragraph 8, of the Code, in the wording prior to the amendments made by Legislative Decree no. 139 of 8 October 2021.

The violation of the above provisions makes the administrative fine provided for by art. 83, par. 5, of the Regulation applicable, pursuant to articles 58, par. 2, lit. i), and 83, par. 3, of the Regulation and art. 166, paragraph 2, of the Code.

In this context, considering in any event that the conduct has exhausted its effects, the conditions for adopting corrective measures under art. 58, par. 2, of the Regulation are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lit. i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Garante, pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation and art. 166 of the Code, has the power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other] [corrective] measures referred to in this paragraph, depending on the circumstances of each individual case", and, in this context, "the Board [of the Garante] adopts the injunction order, by which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the Garante's website pursuant to art. 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Garante's Regulation no. 1/2019).

In this regard, having regard to art. 83, par. 3, of the Regulation, in the present case (also in view of the reference contained in art. 166, paragraph 2, of the Code) the violation of the above provisions is subject to the same pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

The amount of that pecuniary administrative sanction must be determined, according to the circumstances of each individual case, taking due account of the elements provided for by art. 83, par. 2, of the Regulation.

Among those elements, account was taken of the particular sensitivity of the personal data unlawfully processed, including data relating to health, and of the fact that the conduct ran counter to the guidance that the Garante has for some time provided to public and private employers through the Guidelines cited above and in numerous decisions on individual cases.

On the other hand, it was considered that the processing concerned only one data subject, that the Hospital notified the Garante of what had occurred (art. 33 of the Regulation) and took steps to remove the personal data in question from its institutional website, and that the indexing of the provisions by general-purpose search engines was due to "a bug in the platform" managing the publication of documents. It was also viewed favourably that the controller has no record of previous relevant violations or of previous measures under art. 58 of the Regulation.

On the basis of the above elements, assessed as a whole, the amount of the pecuniary sanction is set at EUR 6,000 (six thousand) for the violation of articles 5, 6 and 9 of the Regulation and of art. 2-septies, paragraph 8, of the Code and art. 2-ter of the Code, in the wording prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Having regard to the nature of the data processed, it is also considered that the ancillary sanction of publication of this decision on the Garante's website should be applied, as provided for by art. 166, paragraph 7, of the Code and art. 16 of the Garante's Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 on internal procedures with external relevance, for the performance of the tasks and the exercise of the powers entrusted to the Garante, are met.

ALL THE ABOVE BEING CONSIDERED, THE GARANTE

pursuant to art. 57, par. 1, lit. f), of the Regulation, declares unlawful the processing of personal data carried out by A.R.N.A.S. Civico - di Cristina Benfratelli, in the terms set out in the reasoning, consisting in the violation of articles 5, 6 and 9 of the Regulation and of art. 2-septies, paragraph 8, of the Code and art. 2-ter of the Code, in the wording prior to the amendments made by Legislative Decree no. 139 of 8 October 2021;

ORDERS

pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation and art. 166 of the Code, A.R.N.A.S. Civico - di Cristina Benfratelli, in the person of its legal representative pro tempore, with registered office at Piazza Nicola Leotta 4 - 90127 Palermo, Tax Code 05841770828, to pay the sum of EUR 6,000 (six thousand) as a pecuniary administrative fine for the violations indicated in this decision. The offender is informed that, pursuant to art. 166, paragraph 8, of the Code, it may settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

A.R.N.A.S. Civico - di Cristina Benfratelli, without prejudice to art. 166, paragraph 8, of the Code, to pay the sum of EUR 6,000 (six thousand) in the manner indicated in the annex, within 30 days of notification of this decision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of Law no. 689/1981;

DIRECTS

the publication of this decision on the Garante's website pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Garante's Regulation no. 1/2019);

the entry of this decision in the Authority's internal register, provided for by art. 57, par. 1, lit. u), of the Regulation, of violations and of measures adopted in accordance with art. 58, par. 2, of the Regulation (see art. 17 of Regulation no. 1/2019).

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this decision may be lodged before the ordinary judicial authority, on pain of inadmissibility, within thirty days of the date of its communication, or within sixty days if the appellant resides abroad.

Rome, 1st December 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei