Garante per la protezione dei dati personali (Italy) - 9853446

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12 GDPR
Article 15 GDPR
Article 58 GDPR
Article 82 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 11.01.2023
Published:
Fine: 2500
Parties: n/a
National Case Number/Name: 9853446
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Italian DPA (in IT)
Initial Contributor: LR

A local health authority in Italy failed to respond to an access request made by a data subject, who sought to understand why incorrect data appeared on her covid-19 vaccination certificate.

English Summary

Facts

In this case the controller, the Brindisi Local Health Authority, was distributing covid-19 vaccines. The data subject, an individual person, attended an appointment to receive her second dose of the vaccine. She was informed at the health centre that, according to their records, she had already received the second dose.

The data subject made an access request (Article 15 GDPR) to the health authority, and they failed to respond. Thereafter, she filed a complaint with the Italian DPA, to order the authority to comply with her rights under the GDPR.

The DPA invited the health authority to make submissions in response to the complaint. The controller stated, firstly, that there was a large influx of patients during that time, and this required a massive recording of personal data, during which the “absolutely unintentional” error took place. Secondly, no undue use could have been made of the personal data on this occasion. They also confirmed that there is no longer any processing of the data subject’s data taking place, as the erroneous data has been corrected, and the name is no longer present in the files. Finally, the authority re-emphasised the extraordinary workload it had to undertake during that time, which hindered the timely fulfilment of the procedure.

Holding

Issuing its decision, the DPA stated that the health authority, if it was unable to respond to the request, had a duty to inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy (Article 12(4) GDPR). Accordingly, as it failed to respond in such a way, the health authority had infringed Articles 12 and 15 GDPR.

With regard to corrective powers, and taking into account Article 58(2) GDPR, the DPA did not consider it appropriate to adopt prescriptive measures. It did, however, find that the violation could not be considered ‘minor’, having regard to the nature, seriousness, and duration of the infringement, the degree of responsibility, and the manner in which the supervisory authority became aware of the infringement. However, it also noted that this was an isolated case with no malicious conduct; the health authority issued an apology; there had been no previous infringements; and the health authority had cooperated fully with the investigation. Accordingly, the DPA issued an administrative fine of €2,500, pursuant to Article 83(2) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9853446]

Injunction against the Brindisi Local Health Authority - 11 January 2023

Register of measures
no. 6 of 11 January 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter the “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data", containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/EC (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

HAVING REGARD to the documentation in the deeds;

GIVEN the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

Speaker Dr. Agostino Ghiglia;

WHEREAS

1. The complaint and the preliminary investigation

On the XX date, a complaint was presented to the Authority by means of which the complainant, through her lawyer, complained that she had exercised the rights pursuant to articles from 15 to 22 of the Regulation against the Local Health Authority of Brindisi, located in Brindisi, Via Napoli 8, postal code 72100 – Fiscal Code 01647800745 (hereinafter "Health Agency") and that she had not received a reply.

In particular, on the XX date, the interested party had requested the Healthcare Company, pursuant to art. 15 of the Regulation, access to her personal data, as well as the reasons why certain data appeared to be incorrect on her own vaccination certificate issued by the Company itself.

Specifically in the matter, the interested party highlighted that "on the XX date, the first dose of the "anti-covid19" "AstraZeneca" vaccine was administered at the "Tensostructure" in via Sandro Pertini in Castellana Grotte (BA); (...) on the XX date, the same went again to the aforementioned facility to receive the second dose of the vaccine. (...) The health personnel informed the (...) (concerned) that they could not proceed with the treatment since, from the checks carried out on her health card, it appeared that she had already been administered the second vaccine dose on the XX date at the "Institute Scolastico Falcone” in Mesagne (BR), showing her a copy of a vaccination certificate issued by ASL Brindisi (…). However, the same had never been to the aforementioned vaccination center, nor had she received any health treatment on the XX date at any center referable to ASL Brindisi ".

Following the failure to reply, the interested party, on the XX date, presented a complaint to the Authority, requesting "any appropriate provision and, in particular, enjoining the data controller to satisfy the requests to exercise the rights provided for by the Regulation (in particular art. 15 and where applicable articles 17 and 19) (...)".

With a note of the XX (prot. n. XX), the Authority invited the Healthcare Company to comply with the requests of the complainant and this Company proceeded to reply to the lawyer of the complainant and, at the same time, to the Authority with a note of the XX (prot. n. XX), representing, among other things, that:

- "(...) from the checks carried out it was possible to ascertain that on the XX date at the Mesagne vaccination center there was a large turnout of the population for the anti-covid19 vaccination, as indeed happened in all the sessions held in the various vaccination HUBs of the ASL of Brindisi in the first half of the year XX. The management of such a large number of users, in a limited period of time, in order to avoid gatherings within the various vaccination hubs, with the need to proceed with a massive registration of personal data which also requires manual steps, was able to determine the purely material and absolutely unintentional error which occurred against the (…) (claimant), certainly attributable to a homonym”;

- “(…) no undue use of Mrs.'s personal data could be made on the occasion. The procedure provides, in fact, that each operator responsible for vaccination must first proceed to check the name on the consent form with the identity card, verifying the coincidence of the personal data on one and the other document. What probably occurred in the present case is that the operator in charge of the registration, after having entered the personal data and once the drop-down menu appeared which recalled all the assisted with the surname (...) (same as the interested party), has involuntarily registered the vaccination in the name of Ms (…) and not of the same name who had actually received the administration on the XX date”;

- "(...) it is therefore confirmed, also for the reasons that will be discussed below, that no further processing of personal data relating to (...) (the interested party) is in progress pursuant to art. 15 of the GDPR. The erroneous data entered in the GIAVA regional vaccination registry has been corrected for some time, so the name of Ms (...) is no longer present in the aforementioned archives. In fact, once the inconvenience was detected and similar dynamics that had already occurred in the past, a short communication between the operators of the ASLs concerned was sufficient for a verification of the case and the resolution of the error by means of cancellation by the same operator of the data not correct. (...) Similarly, the lady had no delay due to the erroneous annotation in the vaccination registers, since she was still able to receive the dose at the time and place chosen by her. Certainly the failure to respond to the warning of the XX was criticisable”;

- "To justify this involuntary omission, reference must be made to the objective, and moreover well-known, difficulties in which the Department of Prevention, the competent corporate division, found itself operating during the vaccination campaign, with the elimination of extraordinary and unexpected workloads resulting from the pandemic emergency. This extraordinary situation has in fact hindered the timely fulfillment of the procedure adopted by this Company for the exercise of the rights of the interested parties, published on the institutional website in the appropriate "privacy" section (...)".

The company has documented what is represented by attaching, among other things, the "communication note from Sincon, the software house that manages the GIAVA vaccination application, which certifies the cancellation of the incorrect data on the XX date".

On the basis of the documentation in the records and the evaluations carried out, the Office, with deed of the XX (prot. n. XX), notified the Healthcare Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in article 58, par. 2, of the Regulation.

In particular, the Office, in the aforementioned deed, communicated that, on the basis of the elements acquired during the preliminary investigation, as well as the subsequent assessments carried out, it was found that the Healthcare Authority, in response to the request made by the interested party in order to exercise her rights under the Regulation, as well as to receive explanations regarding the incorrect data mentioned above, did not provide any response; on the XX date, however, it had proceeded to cancel the incorrect data resulting from the interested party's anti Covid-19 vaccination certificate, entered by one of its operators due to "(...) a purely material and absolutely unintentional error (...) attributable to a homonymy".

The Healthcare Company, as data controller, only following the invitation of this Authority of the XX - formulated by the Office in the context of the procedure relating to the aforementioned complaint - on the XX date replied to the complainant; this, in violation of the art. 12, par. 3, in relation to the art. 15 of the Regulation.

With reference to the findings, the Office also invited the data controller to produce defense writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law No. 689 of 11/24/1981).

With a note dated XX, the Healthcare Company presented a defense brief, in which, reiterating what had already been communicated following the Authority's invitation to join, it highlighted, among other things, that:

- "The Prevention Department of the ASL BRINDISI promptly proceeded to materially cancel the incorrect data (on date XX) requested by the (...) complainant";

- "The reasons for the lack of written response from the Prevention Department, the competent corporate division, are to be found in the coronavirus pandemic emergency which had led to extraordinary and unforeseen workloads, concretely hindering fulfillment within the established deadlines";

- "This extraordinary situation has in fact hindered the timely fulfillment of the procedure adopted by this Company for the exercise of the rights of the interested parties, published on the institutional website in the appropriate "privacy" section (see resolution no. 481/ 2020)”;

- "With a note dated XX, ASL Brindisi apologized to the complainant for failing to respond to the request for access formulated by the complainant, explaining the reasons".

In view of the above, the Company has asked the Authority to proceed with the filing of the de quo proceeding and, alternatively, to qualify the case as a "minor violation" pursuant to art. 83, par. 2 and recital 148 of the Regulation, "(...) in consideration of the following circumstances:"

- "a) the episode appears to be an isolated case, attributable to non-malicious conduct by the Company";

- “b) ASL Brindisi has adopted adequate technical and organizational measures to facilitate the exercise of rights and the response to requests submitted by data subjects in accordance with the law. And indeed, with resolution No. 481/2020 it approved the "Procedure for managing the rights of data subjects - EU Regulation 2016/679". The aforementioned procedure was duly disclosed to all personnel and was published on the corporate website in the "privacy" section; moreover, all the company structures have been requested to scrupulously comply with the company procedures regarding the protection of personal data”.

2. Outcome of the preliminary investigation

Having acknowledged what was represented and documented during the preliminary investigation by the data controller both with the note of the XX (prot. n. XX), following the invitation to join formulated by the Authority, and with the defense brief of the XX, produced by the data controller following the notification of the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation - carried out by the Authority pursuant to art. 166, paragraph 5, of the Code - it is noted that:

- the Regulation, in articles 12 and following. disposing of "rights of the interested party", provides for the right of the latter to obtain from the data controller what is required pursuant to articles from 15 to 22 of the same Regulation, without unjustified delay and, in any case, at the latest within one month of receipt of the request;

- if he does not comply with the request of the interested party, the data controller informs the latter without delay, at the latest within one month of receiving the request, of the reasons for the non-compliance and of the possibility of proposing a complaint to a supervisory authority and to lodge a judicial appeal (Article 12, paragraph 4, of the Regulation). In the same sense, Recital 59 of the same Regulation provides that "the data controller should be required to respond to the requests of the interested party (...) and to justify his possible intention not to accept such requests";

- the Health Authority, in response to the request made by the interested party on the XX date, did not provide an answer, nor did it present suitable reasons to justify this non-compliance, providing, in this sense, only following the invitation of this Authority, of the XX, formulated in the context of the procedure relating to the aforementioned complaint;

- on the XX date, before the interested party exercised the rights provided for by the Regulation, the Healthcare Authority had, in any case, proceeded to cancel the incorrect data resulting from the anti-Covid-19 vaccination certificate relating to the latter;

- the Company declared that the "(...) reasons for the lack of written response from the Prevention Department, the competent corporate division, are to be found in the coronavirus pandemic emergency which had led to extraordinary and unexpected workloads (...) (and ) hindered the fulfillment within the time limits established by the procedure adopted by this Company for the exercise of the rights of the interested parties, published on the institutional website in the appropriate "privacy" section (see resolution no. 481/2020)";

- "With a note dated XX, ASL Brindisi apologized to the complainant for failing to respond to the request for access formulated by the complainant, explaining the reasons".

- as regards the psychological attitude, according to what was declared by the Company, it was an "isolated case, attributable to non-malicious conduct by the Company".

3.  Conclusions

In the light of the assessments referred to above, taking into account the statements made by the data controller during the preliminary investigation - for the truthfulness of which the declarant may be called upon to answer pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the duties or the exercise of the powers of the Guarantor" - it is represented that the elements provided by the data controller in the defense briefs do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome, since none of the cases provided for by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

In the event of a complaint, since the healthcare facility has not provided a response to the request for access to her personal data advanced - pursuant to art. 15 of the Regulation - by the interested party on the XX, nor represented suitable reasons to justify this non-compliance, providing, in this sense, only following the invitation of this Authority, of the XX, formulated in the context of the procedure relating to the aforementioned complaint, the preliminary assessments of the Office are confirmed and the violation of art. 12, par. 3, in relation to the art. 15 of the Regulation.

The violation of the aforementioned provisions makes the administrative sanction envisaged by art. 83, par. 5 of the Regulation, as also referred to by art. 166, paragraph 2, of the Code, applicable. In this context, considering, in any case, that the Company has provided a reply to the complainant, apologizing for the failure to reply within the terms established by the Regulation, the conditions for the adoption of prescriptive measures pursuant to art. 58, par. 2, of the Regulation are not met.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility, the manner in which the supervisory authority became aware of the violation (cons. 148 of the Regulation). Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).

Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

In this regard, the violation of the aforementioned provisions is subject to the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in art. 83, par. 1, of the Regulation, in the light of the elements provided for in art. 83, par. 2, of the Regulation, in relation to which it is considered that:

- it was an isolated case and no willful behavior on the part of the Healthcare Company can be found (Article 83, paragraph 2, letters a) and b) of the Regulation);

- the Company, providing feedback following the invitation from the Authority, apologized for the incident to the complainant (Article 83, paragraph 2, letter c) of the Regulation);

- no provision concerning a pertinent violation has been previously adopted against the Healthcare Authority itself (Article 83, paragraph 2, letter e) of the Regulation);

- the Healthcare Company has behaved collaboratively with the Authority (Article 83, paragraph 2, letter f) of the Regulation);

- the Company declared that the "(...) reasons for the lack of written response from the Prevention Department, the competent corporate division, are to be found in the coronavirus pandemic emergency which had led to extraordinary and unexpected workloads (...) (and ) hindered the fulfillment within the timescales established by the procedure adopted (...) for the exercise of the rights of the interested parties, published on the institutional website in the appropriate "privacy" section (see resolution no. 481/2020)"; (Article 83, paragraph 2, letter f) of the Regulation).

Based on the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction, in the amount of Euro 2,500.00 (two thousand five hundred) for the violation of art. 12, par. 3, in relation to the art. 15 of the Regulation as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that, in consideration of the matter concerning the observance of the legislation on the exercise of rights, the ancillary sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019.

Finally, it should be noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

declares the illegality of the processing carried out by the Brindisi Local Health Authority, located in Brindisi, Via Napoli 8, postal code 72100 – Fiscal Code 01647800745 for the violation, in the terms set out in the justification, of art. 12, par. 3, in relation to art. 15 of the Regulation;

ORDERS

to the Local Health Authority of Brindisi, in the person of its pro-tempore legal representative, with registered office in Brindisi, Via Napoli 8, postal code 72100 – Fiscal Code 01647800745 pursuant to articles 58, par. 2, lit. i), 83, para. 5, of the Regulation and 166, paragraph 2, of the Code, to pay the sum of Euro 2,500.00 (two thousand five hundred) as an administrative fine for the violation indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

to the same healthcare facility to pay the sum of Euro 2,500.00 (two thousand five hundred), in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law no. 689/1981;

ORDERS

pursuant to art. 166, paragraph 7, of the Code, the entire publication of this provision on the website of the Guarantor and believes that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 11 January 2023

PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE SECRETARY GENERAL
Mattei

[doc. web no. 9853446]

Injunction against the Brindisi Local Health Authority - 11 January 2023

Register of measures
no. 6 of 11 January 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter the “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data", containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/EC (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

HAVING REGARD to the documentation in the deeds;

GIVEN the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

Speaker Dr. Agostino Ghiglia;

WHEREAS

1. The complaint and the preliminary investigation

On the 20th date, a complaint was presented to the Authority by means of which the complainant, through her lawyer, complained that she had exercised the rights pursuant to articles from 15 to 22 of the Regulation against the Local Health Authority of Brindisi, located in Brindisi, Via Napoli 8, postal code 72100 – Fiscal Code 01647800745 (hereinafter "Health Agency") and that I have not received a response.

In particular, on the 20th date, the interested party had requested the Healthcare Company, pursuant to art. 15 of the Regulation, access to personal data, as well as the reasons why certain data appear to be incorrect on one's own vaccination certificate issued by the Company itself.

Specifically in the matter, the interested party highlighted that "on the XX date, the first dose of the "anti-covid19" "AstraZeneca" vaccine was administered at the "Tensostructure" in via Sandro Pertini in Castellana Grotte (BA); (...) on the XX date, the same went again to the aforementioned facility to receive the second dose of the vaccine. (...) The health personnel informed the (...) (concerned) that they could not proceed with the treatment since, from the checks carried out on her health card, it appeared that she had already been administered the second vaccine dose on the XX date at the "Institute Scolastico Falcone” in Mesagne (BR), showing her a copy of a vaccination certificate issued by ASL Brindisi (…). However, the same had never been to the aforementioned vaccination center, nor had she received any health treatment on the XX date at any center referable to ASL Brindisi ".

Following the failure to reply, the interested party, on the 20th date, presented a complaint to the Authority, requesting "any appropriate provision and, in particular, enjoining the data controller to satisfy the requests to exercise the rights provided for by the Regulation (in particular art. 15 and where applicable articles 17 and 19) (...)".

With a note of the XX (prot. n. XX), the Authority invited the Healthcare Company to comply with the requests of the complainant and this Company proceeded to reply to the lawyer of the complainant and, at the same time, to the Authority with a note of the XX (prot. n. XX), representing, among other things, that:

- "(...) from the checks carried out it was possible to ascertain that on the date of the twentieth at the Mesagne vaccination center there was a large turnout of the population for the anti-covid19 vaccination, as indeed happened in all the sessions held in the various vaccination HUBs of the ASL of Brindisi in the first half of the year XX. The management of such a large number of users, in a limited period of time, in order to avoid gatherings within the various vaccination hubs, with the need to proceed with a massive registration of personal data which also requires manual steps , was able to determine the purely material and absolutely unintentional error which occurred against the (…) (claimant), certainly attributable to a homonym”;

- “(…) no undue use of Mrs.'s personal data could be made on the occasion. The procedure provides, in fact, that each operator responsible for vaccination must first proceed to check the name on the consent form with the identity card, verifying the coincidence of the personal data on one and the other document. What probably occurred in the present case is that the operator in charge of the registration, after having entered the personal data and once the drop-down menu appeared which recalled all the assisted with the surname (...) (same as the interested party) , has involuntarily registered the vaccination in the name of Ms (…) and not of the same name who had actually received the administration on the 20th day”;

- "(...) it is therefore confirmed, also for the reasons that will be discussed below, that no further processing of personal data relating to (...) (the interested party) is in progress pursuant to art. 15 of the GDPR. The erroneous data entered in the GIAVA regional vaccination registry has been corrected for some time, so the name of Ms (...) is no longer present in the aforementioned archives. In fact, once the inconvenience was detected and similar dynamics that had already occurred in the past, a short communication between the operators of the ASLs concerned was sufficient for a verification of the case and the resolution of the error by means of cancellation by the same operator of the incorrect data. (...) Similarly, the lady had no delay due to the erroneous annotation in the vaccination registers, since she was still able to receive the dose at the time and place chosen by her. Certainly the failure to respond to the warning of the XX was criticisable”;

- "To justify this involuntary omission, reference must be made to the objective, and moreover well-known, difficulties in which the Department of Prevention, the competent corporate division, found itself operating during the vaccination campaign, with the elimination of extraordinary and unexpected workloads resulting from the pandemic emergency. This extraordinary situation has in fact hindered the timely fulfillment of the procedure adopted by this Company for the exercise of the rights of the interested parties, published on the institutional website in the appropriate "privacy" section (...)".

The company has documented what is represented by attaching, among other things, the "communication note from Sincon, the software house that manages the GIAVA vaccination application, which certifies the cancellation of the incorrect data on the XX date".

On the basis of the documentation in the records and the assessments carried out, the Office, with deed of the XX (prot. n. XX), notified the Healthcare Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in article 58, par. 2, of the Regulation.

In particular, the Office, in the aforementioned deed, communicated that, on the basis of the elements acquired during the preliminary investigation, as well as the subsequent assessments carried out, it was found that the Healthcare Authority did not provide any response to the request made by the interested party in order to exercise her rights under the Regulation, as well as to receive explanations regarding the incorrect data mentioned above; on the 20th date, however, it had proceeded to cancel the incorrect data resulting from the interested party's anti Covid-19 vaccination certificate, entered by one of its operators due to "(...) a purely material and absolutely unintentional error (...) attributable to a homonymy".

The Healthcare Company, as data controller, replied to the complainant on the XX date only following the invitation of this Authority of the XX, formulated by the Office in the context of the procedure relating to the aforementioned complaint; this was in violation of art. 12, par. 3, in relation to art. 15 of the Regulation.

With reference to the findings, the Office also invited the data controller to produce defense writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law No. 689 of 11/24/1981).

With a note dated XX, the Healthcare Company presented a defense brief, in which, reiterating what had already been communicated following the Authority's invitation to join, it highlighted, among other things, that:

- "The Prevention Department of the ASL BRINDISI promptly proceeded to materially cancel the incorrect data (on date XX) requested by the (...) complainant";

- "The reasons for the lack of written response from the Prevention Department, the competent corporate division, are to be found in the coronavirus pandemic emergency which had led to extraordinary and unforeseen workloads, concretely hindering fulfillment within the established deadlines";

- "This extraordinary situation has in fact hindered the timely fulfillment of the procedure adopted by this Company for the exercise of the rights of the interested parties, published on the institutional website in the appropriate "privacy" section (see resolution no. 481/2020)";

- "With a note dated XX, ASL Brindisi apologized to the complainant for failing to respond to the request for access formulated by the complainant, explaining the reasons".

In view of the above, the Company has asked the Authority to proceed with the filing of the de quo proceeding and, alternatively, to qualify the case as a "minor violation" pursuant to art. 83, par. 2 and recital 148 of the Regulation, "(...) in consideration of the following circumstances:"

- "a) the episode appears to be an isolated case, attributable to non-malicious conduct by the Company";

- “b) ASL Brindisi has adopted adequate technical and organizational measures to facilitate the exercise of rights and the response to requests submitted by data subjects in accordance with the law. And indeed, with resolution No. 481/2020 it approved the "Procedure for managing the rights of data subjects - EU Regulation 2016/679". The aforementioned procedure was duly disclosed to all personnel and was published on the corporate website in the "privacy" section; moreover, all the company structures have been requested to scrupulously comply with the company procedures regarding the protection of personal data”.

2. Outcome of the preliminary investigation

Having acknowledged what was represented and documented during the preliminary investigation by the data controller both with the note of the XX (prot. n. XX), following the invitation to join formulated by the Authority, and with the defense brief of the XX, produced by the data controller following the notification of the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation (carried out by the Authority pursuant to art. 166, paragraph 5, of the Code), it is noted that:

- the Regulation, in articles 12 et seq., setting out the "rights of the interested party", provides for the right of the latter to obtain from the data controller what is required pursuant to articles 15 to 22 of the same Regulation, without unjustified delay and, in any case, at the latest within one month of receipt of the request;

- if the data controller does not comply with the request of the interested party, it informs the latter without delay, at the latest within one month of receiving the request, of the reasons for the non-compliance and of the possibility of lodging a complaint with a supervisory authority and of lodging a judicial appeal (Article 12, paragraph 4, of the Regulation). In the same sense, Recital 59 of the same Regulation provides that "the data controller should be required to respond to the requests of the interested party (...) and to justify his possible intention not to accept such requests";

- the Health Authority did not provide an answer to the request made by the interested party on the XX date, nor did it present suitable reasons to justify this non-compliance, responding only following the invitation of this Authority, of the XX, formulated in the context of the procedure relating to the aforementioned complaint;

- on the twentieth date, before the interested party exercised the rights provided for by the Regulation, the Healthcare Authority had, in any case, proceeded to cancel the incorrect data resulting from the anti-Covid-19 vaccination certificate relating to the latter;

- the Company declared that the "(...) reasons for the lack of written response from the Prevention Department, the competent corporate division, are to be found in the coronavirus pandemic emergency which had led to extraordinary and unexpected workloads (...) (and) hindered the fulfillment within the time limits established by the procedure adopted by this Company for the exercise of the rights of the interested parties, published on the institutional website in the appropriate "privacy" section (see resolution no. 481/2020)";

- "With a note dated XX, ASL Brindisi apologized to the complainant for failing to respond to the request for access formulated by the complainant, explaining the reasons".

- as regards the psychological attitude, according to what was declared by the Company, it was an "isolated case, attributable to non-malicious conduct by the Company".

3. Conclusions

In the light of the assessments referred to above, taking into account the statements made by the data controller during the preliminary investigation (for the truthfulness of which it may be called upon to answer pursuant to art. 168 of the Code, "False statements to the Guarantor and interruption of the execution of the duties or the exercise of the powers of the Guarantor"), it is noted that the elements provided by the data controller in the defense briefs do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome, since none of the cases provided for by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

In the case of the complaint, since the healthcare facility did not respond to the request for access to personal data made, pursuant to art. 15 of the Regulation, by the interested party on the XX, nor presented suitable reasons to justify this non-compliance, responding only following the invitation of this Authority, of the XX, formulated in the context of the procedure relating to the aforementioned complaint, the preliminary assessments of the Office are confirmed, as is the violation of art. 12, par. 3, in relation to art. 15 of the Regulation.

The violation of the aforementioned provisions makes the administrative sanction envisaged by art. 83, par. 5 of the Regulation applicable, as also referred to by art. 166, paragraph 2, of the Code. In this context, considering, in any case, that the Company has provided a reply to the complainant, apologizing for the failure to reply within the terms established by the Regulation, the conditions for the adoption of prescriptive measures pursuant to art. 58, par. 2, of the Regulation.

The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility, and the manner in which the supervisory authority became aware of the violation (recital 148 of the Regulation). Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case, is ordered (Article 58, paragraph 2, letter i) of the Regulation).

Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

In this regard, the violation of the aforementioned provisions is subject to the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in art. 83, par. 1, of the Regulation, in the light of the elements provided for in art. 83, par. 2, of the Regulation, in relation to which it is considered that:

- it was an isolated case and no willful behavior on the part of the Healthcare Company can be found (Article 83, paragraph 2, letters a) and b) of the Regulation);

- the Company, providing feedback following the invitation from the Authority, apologized for the incident to the complainant (Article 83, paragraph 2, letter c) of the Regulation);

- no provision concerning a pertinent violation has been previously adopted against the Healthcare Authority itself (Article 83, paragraph 2, letter e) of the Regulation);

- the Healthcare Company has behaved collaboratively with the Authority (Article 83, paragraph 2, letter f) of the Regulation);

- the Company declared that the "(...) reasons for the lack of written response from the Prevention Department, the competent corporate division, are to be found in the coronavirus pandemic emergency which had led to extraordinary and unexpected workloads (...) (and) hindered the fulfillment within the timescales established by the procedure adopted (...) for the exercise of the rights of the interested parties, published on the institutional website in the appropriate "privacy" section (see resolution no. 481/2020)"; (Article 83, paragraph 2, letter f) of the Regulation).

Based on the aforementioned elements, evaluated as a whole, the amount of the pecuniary sanction is set at Euro 2,500.00 (two thousand five hundred) for the violation of art. 12, par. 3, in relation to art. 15 of the Regulation, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that, in consideration of the matter concerning the observance of the legislation on the exercise of rights, the ancillary sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019.

Finally, it should be noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THIS CONSIDERED, THE GUARANTOR

declares unlawful the processing carried out by the Brindisi Local Health Authority, located in Brindisi, Via Napoli 8, postal code 72100 – Fiscal Code 01647800745, for the violation, in the terms set out in the reasoning, of art. 12, par. 3, in relation to art. 15 of the Regulation;

ORDERS

to the Local Health Authority of Brindisi, in the person of its pro-tempore legal representative, with registered office in Brindisi, Via Napoli 8, postal code 72100 – Fiscal Code 01647800745 pursuant to articles 58, par. 2, lit. i), 83, para. 5, of the Regulation and 166, paragraph 2, of the Code, to pay the sum of Euro 2,500.00 (two thousand five hundred) as an administrative fine for the violation indicated in the justification; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the same healthcare facility to pay the sum of Euro 2,500.00 (two thousand five hundred), in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law no. 689/1981;

ORDERS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the website of the Guarantor and believes that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree 1 September 2011, n. 150, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 11 January 2023

PRESIDENT
station

THE SPEAKER
guille

THE SECRETARY GENERAL
Matthew