Garante per la protezione dei dati personali (Italy) - 9868111

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 25 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 11.01.2023
Published:
Fine: 5,000 EUR
Parties: Associazione Nazionale Magistrati
National Case Number/Name: 9868111
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (Italy) (in IT)
Initial Contributor: mg

The Italian DPA fined an Italian association representing members of the judiciary for having unlawfully disclosed personal data concerning one of its members.

English Summary

Facts

An Italian association representing members of the judiciary (ANM – Associazione Nazionale Magistrati) opened a disciplinary proceeding against one of its members. The data subject, a public prosecutor, complained that the notification about the disciplinary proceeding was sent not to them directly, but rather to the office to which they belonged.

The controller replied that a message directly addressed to the data subject would not have guaranteed adequate levels of protection in terms of security of communications. Moreover, the ANM decided to use the institutional email account in order to be certain that the data subject received the notification.

The Italian DPA opened an investigation about potential violations of Articles 5(1)(f), 25 and 32 GDPR.

Holding

The Italian DPA found that the controller violated the principle of confidentiality. The argument that sending the message to the public prosecutor’s personal email account would not have guaranteed security in communications was groundless. If the controller wanted to be certain that the notification was properly delivered, alternative and less intrusive measures could be put into place.

The DPA fined the controller € 5,000 pursuant to Articles 58(2)(i) and 83 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9868111]

Injunction order against the National Association of Magistrates - 11 January 2023

Register of measures
no. 20 of 11 January 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

CONSIDERING the complaint presented by Dr. XX against the National Association of Magistrates;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. The complaint.

Dr. XX, a magistrate in service at the Public Prosecutor's Office at the Court of XX, contested an unlawful processing of his personal data by the National Association of Magistrates (hereinafter, "ANM" or "Association"), to which the interested party is signed up.

He complains about having received from the head of the Prosecutor's Secretariat Office, on 19 March 2021, "an envelope containing a confidential note [...] [concerning] the news of the opening of a disciplinary procedure within the ANM against him".

Following this delivery, the applicant learned that the aforementioned confidential note, together with the related accompanying message, had been sent via e-mail by the ANM, on 18 March 2021, not to his personal e-mail address (XX), which was moreover fully available to the Association and "well known by the sender", but to the certified e-mail address of the Protocol Office of the Public Prosecutor's Office where the interested party works (XX).

The transmission of the aforementioned message and of the note attached thereto to a non-personal e-mail address, as well as the subsequent printing and delivery by hand of the latter to the interested party by the Public Prosecutor's Office, would have resulted, according to the applicant, in an undue disclosure of personal data to third parties (first, the employees of the Protocol Office; subsequently, the Prosecutor and the staff of the related Secretariat Office) who are not entitled to have knowledge of it.

Moreover, the subject of the message itself ("Communication Board of Arbitrators Anm"), together with the name of the file attached to it ("Notice Dr. XX"), would have been sufficient in themselves, regardless of the opening and reading of the latter, to reveal the content – or at least the tenor – of the communication.

Considering this disclosure in violation of the regulations on the protection of personal data, the applicant requested the intervention of the Authority for the adoption of the related provisions of the case.

As proof of the statements made, the complainant produced:

− copy of the e-mail sent by the ANM to the Public Prosecutor's Office on 18 March 2021, containing the following text: "To the kind attention of Dr. XX - We forward, attached to this letter, a communication reserved to you by the Board of Arbiters. Best regards";

− copy of the notice attached therein, containing the information relating to the disciplinary procedure initiated by the Association against him;

− copy of a note, dated 24 March 2021, with which the person in charge of the Prosecutor's Secretariat, having acknowledged the content of the e-mail, informed the interested party of the instructions received from the same Prosecutor regarding the delivery "into your hands" of the aforementioned communication.

2. The response of the ANM.

With a note dated 13 July 2022, the ANM sent its observations on the matter, confirming that, in application of a specific provision of the Procedural Regulation on the disciplinary activity of the Board of Arbitrators (Article 6, under which the Panel "notifies the magistrate concerned by means of a confidential communication by the secretariat, at the office in which he works or at the place where he is even temporarily located"), the secretariat of the Association proceeded to transmit, to the certified e-mail address of the Public Prosecutor's Office where the applicant operates, a communication containing as an attachment the notice of initiation of disciplinary proceedings against him, accompanied however by the "specific indication of the confidential and personal nature of the communication itself".

This arrangement, in the perspective indicated by the Association, should have guaranteed the confidentiality of the personal data of the interested party, ensuring the delivery of the message and the related attached notice directly and only to the latter.

However, the same Association declared that it had in any case subsequently modified its operating practice, specifying that in the "continuation of the activities of the Board of Arbitrators and with reference to other accused magistrates, it was then preferred to entrust the communication of the objection to other forms of communication, using the personal e-mail address of the magistrate from time to time concerned".

For further clarification of the incident, the Board of Arbitrators sent its further observations (note of 18 July 2022), specifying that:

− the use of the XX address, although available to the Association, did not guarantee security regarding the confidentiality of the communication, given the declared practice according to which many magistrates would make the institutional email addresses available to their collaborators "for the functional needs of the office";

− the private and personal e-mail address of the interested party was not known to the Association;

− the certified e-mail address used was attributable to the Office "where all confidential or secret communications intended for it arrive" and whose staff are bound by secrecy pursuant to art. 49 of Legislative Decree no. 82/2005 (Digital Administration Code);

− it was the duty of the protocol officers themselves to "sort" the correspondence to the person concerned, without proceeding to open the message;

− it is not known whether there was material apprehension of the content of the communication on the part of the correspondence officer.

With respect to the present case, therefore, according to the Board of Arbitrators, profiles of non-compliance with the regulations on the protection of personal data would not have been identifiable, all the more so because the conduct of the magistrate would have already been known following a previous interview of his reported in the volume "XX".

Having assessed the overall findings in the documents, the Office proceeded to notify the Association, pursuant to art. 166, paragraph 5, of the Code, the act of initiating the corrective and sanctioning procedure in relation to the violation of articles 5, par. 1, lit. f), 25 and 32 of the Regulation (note of 2 November 2022).

The Association sent its memorandums on 10 December 2022, in which it reiterated, in particular, that:

− the Board of Arbitrators "had, initially, considered that the use of the certified e-mail address of the Judicial Office to which the interested party belongs, with the specification of the confidential nature of the communication, responded to the dual need to ensure the receipt of the deed by the addressee, on the one hand, and the confidentiality of the information contained therein, on the other, considering, in particular, the position of guarantee assumed, within the judicial offices, by the administrative staff assigned to receipt of mail, bound to secrecy pursuant to art. 49 of the Digital Administration Code";

− "already in March 2021, the Board of Arbitrators has [...] given indications to the personnel assigned to the General Secretariat of the ANM to transmit communications relating to intra-associative disciplinary proceedings only by registered letter with return receipt and to the institutional e-mail addresses of the interested parties, believing that this method of communication could better guarantee the confidentiality of the information contained therein";

− the Association "regrets [...] the alleged undue disclosure of confidential information by Dr. XX, in the reasonable belief that it was a single and isolated fact".

3. The legislation on the protection of personal data.

Based on art. 24 of the GDPR, "the data controller implements appropriate technical and organizational measures to ensure, and be able to demonstrate, that the processing is carried out in compliance with this regulation". "These measures should take into account, inter alia, the risk to the rights and freedoms of natural persons" (recital n. 74 of the GDPR).

Based on art. 25 of the GDPR, it is then established that the controller, "both at the time of determining the means of processing and at the time of the processing itself [...] implements adequate technical and organizational measures, [...], aimed at effectively implementing the principles of data protection, such as minimisation, and to integrate the necessary guarantees in the processing in order to meet the requirements of this regulation and protect the rights of data subjects".

Pursuant to art. 32 of the GDPR, the data controller is also required to "[...] implement adequate technical and organizational measures to guarantee a level of security appropriate to the risk [...]"; "in assessing the appropriate level of security, special account shall be taken of the risks presented by the processing which derive in particular [...] from unauthorized disclosure or access, accidentally or illegally, to personal data transmitted, stored or however treated".

In order to "maintain security and prevent processing in breach of this Regulation, the controller […] should [therefore] assess the risks inherent in the processing and implement measures to limit those risks […]. These measures should ensure an adequate level of security, including confidentiality, taking into account the state of the art and implementation costs with respect to the risks presented by the processing and the nature of the personal data to be protected. When assessing the data security risk, consideration should be given to the risks presented by the processing of personal data, such as accidental or unlawful destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed, which could in particular cause physical, material or immaterial damage" (Recital n. 83 of the GDPR).

Finally, the processing of personal data must take place in compliance with the principles applicable to the processing (Article 5, paragraph 1, letters a)-f) of the GDPR), including that of "integrity and confidentiality", under which personal data are "processed in such a way as to ensure adequate security of personal data, including protection, by means of appropriate technical and organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage".

As known, the data controller is responsible for compliance with the aforementioned principles and must be able to demonstrate compliance with them (Article 5, paragraph 2, of the GDPR).

4. Evaluations by the Office.

Following the examination of the documentation produced and the declarations made by the parties during the proceedings (bearing in mind that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code), it emerged that the ANM, in notifying the deed of initiation of a disciplinary procedure against today's complainant, used (in application of a specific provision of the Procedural Regulation on the disciplinary activity of the Board of Arbitrators and in the belief that the "confidential" wording affixed to the communication was sufficient to satisfy the need for confidentiality of the information contained therein) the certified e-mail address of the Protocol Office of the Public Prosecutor's Office where the interested party works (XX), in place of the personal one attributable to him, even though it was available to the Association.

Although this forwarding took place in implementation of a precise internal provision of the Association and was dictated by the need to acquire certainty regarding the delivery and receipt of the deed by the interested party, it must however be noted that the conduct by the ANM, for the reasons set out below, does not comply with the regulations on the protection of personal data.

Indeed, given that the Public Prosecutor's Office is not involved in the relationship (and related vicissitudes) between the ANM and today's applicant, and noting also that the Association considered that it could not use the "institutional" e-mail address of the interested party, even though available, due to the absence of guarantees of confidentiality regarding the recipients of the message (only to then transmit the same message to a non-personal P.E.C. address, accessible by a plurality of people), it should be noted here that the ANM's choice to send the aforementioned communication to an e-mail address other than the one indicated at the time by the applicant resulted, in fact, in knowledge of information referring to him which should have remained confidential.

The arguments put forward in defense by the ANM, aimed at demonstrating the legitimacy of its actions and the groundlessness of the objections raised, are indeed not suitable for overcoming the findings notified by the Office with the deed of initiation of the aforementioned procedure.

The knowledge of the personal data of the interested party, by subjects not entitled to have knowledge of it, could in fact have easily been avoided, in the case in question, simply by sending the e-mail disputed here to the individual e-mail address in the availability of the Association, among other things probably acquired - considering the very nature of the data - precisely for the purpose of contact with the applicant.

Nor, in this regard, is it relevant that, as also alleged by the ANM during the investigation, the use of this e-mail address would not have been assisted by adequate guarantees of confidentiality, given that the Association is not required to know and/or evaluate the methods of use of e-mail addresses (even if hypothetically shared with other collaborators) by their subscribers.

As for the need for certainty regarding the effective receipt and knowledge, by the applicant, of the document served, it is enough to point out here that it would have been sufficient, for the purpose, to make use of other suitable instruments offered in this regard by the legal system, such as the transmission of a registered letter with return receipt to the applicant's postal address (a solution, moreover, prefigured by the Association itself in the note of 10 December 2022). In any case, it would have been the task of the latter to contact the interested party in order to obtain any alternative addresses to which the communication considered here could be transmitted in a certain, secure and confidential manner.

In the light of the foregoing considerations and of the documentation acquired in the records, it therefore appears that the ANM has processed personal data of the interested party in conflict with the provisions of the current legislation on the protection of personal data, having specific regard to the provisions of the articles 5, par. 1, lit. f), 25 and 32 of the Regulation.

5. Conclusions

The violation of the aforementioned provisions, in addition to the adoption of the corrective measures pursuant to art. 58, par. 2, of the Regulation, can lead to the imposition of administrative fines (art. 83, par. 1 and 5, of the Regulation).

With respect to the first profile, the ANM declared, during the procedure, and assuming all responsibility in this regard (Article 168 of the Code), that it had already voluntarily corrected its operating practice, favoring the forwarding of the start-up communications of disciplinary proceedings to the personal addresses (email or postal) of the individual magistrates concerned from time to time (notes of 13 July 2022 and 10 December 2022, cited above).

In the light of these findings, it is therefore considered possible to postpone the adoption of an injunction against the Association (art. 58, par. 2, letter d), of the Regulations), since the latter has declared that it has already adopted, for the purpose of forwarding to its members communications of the initiation of disciplinary proceedings, a practice compliant with the regulations on the protection of personal data.

As regards the imposition and quantification of possible sanctions, given that the latter must in each individual case be "effective, proportionate and dissuasive" (art. 83, paragraph 1, of the Regulation), it is necessary here to proceed with an assessment that takes in due account, individually and as a whole, of all the elements envisaged by art. 83, par. 2, lit. a)-k), of the Regulation, related to the concrete case.

In relation to the case in question, it is believed that, in particular, the nature and seriousness of the violation, the level of damage suffered by the interested party must be highlighted (given the undoubted repercussions, even only in terms of image, derived instantly from unauthorized knowledge of such strictly confidential information) as well as the degree of responsibility of the owner, who was in any case in possession of another suitable e-mail address that could be traced back instantly.

Furthermore, the culpable nature of the violation was considered (it being irrelevant, in fact, that it occurred in implementation of a specific internal provision of the Association, moreover perfectible, and in the mistaken belief that the guarantees of confidentiality actually adopted were sufficient, by themselves, to protect the interested party), as well as the delicacy of the data processed, which although of a "common" nature, are in any case suitable for revealing completely peculiar information and for determining negative impacts in the individual sphere of the interested parties, interfering with their relational and professional context.

On the other hand, the following additional circumstances were duly taken into account:

− the absence, at present, of specific precedents against the Association;

− the episodic and extemporary nature of the violation;

− the small number of subjects involved;

− the subsequent spontaneous adoption of behaviors compliant with current legislation;

− the substantially collaborative conduct held by the Association during the proceedings;

− the absence, at present, of further complaints or reports to the Guarantor on similar issues.

On the basis of the aforementioned elements, it is therefore believed to be able to determine the amount of the pecuniary sanction against the National Association of Magistrates in the amount of 5,000.00 (five thousand) euros for the violation of articles 5, par. 1, lit. f), 25 and 32 of the Regulation.

Taking into account that the preliminary investigation concerned the unlawful processing of personal data in the context of a disciplinary procedure, it is also believed that the ancillary sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7, of the Code and by art. 16 of the Regulation of the Guarantor n. 1/2019.

Finally, it is believed that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THAT BEING CONSIDERED, THE GUARANTOR

declares, pursuant to art. 57, par. 1, lit. f), of the Regulation, the illegality of the processing carried out by the National Association of Magistrates for the violation of the articles 5, par. 1, lit. f), 25 and 32 of the Regulation, in the terms set out in the justification;

ORDERS

the National Association of Magistrates, pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation, as well as art. 166 of the Code, to pay the administrative fine of 5,000.00 (five thousand) euros for the violations indicated in the justification. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Association to pay the sum of 5,000.00 (five thousand) euros, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law no. 689/1981;

ORDERS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and 16 of the Guarantor's Regulation n. 1/2019, and notes that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, as well as the articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 11 January 2023

THE PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE SECRETARY GENERAL
Mattei

[doc. web no. 9868111]

Injunction order against the National Association of Magistrates - 11 January 2023

Register of measures
no. 20 of 11 January 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

CONSIDERING the complaint presented by Dr. XX against the National Association of Magistrates;

HAVING EXAMINED the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. The complaint.

Dr. XX, a magistrate in service at the Public Prosecutor's Office at the Court of XX, contested an unlawful processing of his personal data by the National Association of Magistrates (hereinafter, "ANM" or "Association"), to which the interested party is signed up.

He complains about having received from the head of the Prosecutor's Secretariat Office, on 19 March 2021, "an envelope containing a confidential note [...] [concerning] the news of the opening of a disciplinary procedure within the ANM opened in the own comparisons".

Following this delivery, the applicant learned that the aforementioned confidential note, together with the related accompanying message, had been sent via e-mail by the ANM, on 18 March 2021, not to his personal e-mail address ( XX), moreover in the full availability of the Association and "well known by the sender", but to the certified e-mail address of the Protocol Office of the Public Prosecutor's Office where the interested party works (XX).

The transmission of the aforementioned message and of the note attached thereto to a non-personal e-mail address, as well as the subsequent printing and delivery by hand of the latter to the interested party by the Public Prosecutor's Office would have determined, according to the applicant, a 'undue disclosure of personal data to third parties (first, the employees of the Protocol Office; subsequently, the Prosecutor and the staff of the related Secretariat Office) who are not entitled to have knowledge of it.

Moreover, the object of the letter itself ("Communication Board of Arbitrators Anm"), together with the name of the file attached to it ("Notice Dr. XX"), would have been sufficient in themselves, regardless of the opening and reading of the latter, to reveal the content – or at least the tenor – of the communication.

Considering this disclosure in violation of the regulations on the protection of personal data, the applicant requested the intervention of the Authority for the adoption of the related provisions of the case.

As proof of the statements made, the complainant produced:

− copy of the e-mail sent by the ANM to the Public Prosecutor's Office on 18 March 2021, containing the following text: "To the kind attention of Dr. XX - We forward, attached to this letter, a communication reserved to you by the Board of Arbiters. Best regards";

− copy of the notice attached therein, containing the information relating to the disciplinary procedure initiated by the Association against him;

− copy of a note, dated 24 March 2021, with which the person in charge of the Prosecutor's Secretariat, having acknowledged the content of the e-mail, informed the interested party of the instructions received from the same Prosecutor regarding the delivery "into your hands" of the aforementioned communication.

2. The response of the ANM.

With a note dated 13 July 2022, the ANM sent its observations on the matter, confirming that, in application of a specific provision of the Procedural Regulation on the disciplinary activity of the Board of Arbitrators (Article 6, in accordance with the which the Panel "notifies the magistrate concerned by means of a confidential communication by the secretariat, at the office in which he works or at the place where he is even temporarily located"), the secretariat of the Association has proceeded to transmit, to the 'certified e-mail address of the Public Prosecutor's Office where the applicant operates, a communication containing as an attachment the notice of initiation of disciplinary proceedings against him, accompanied however with the "specific indication of the confidential and personal nature of the communication itself ”.

This arrangement, in the perspective indicated by the Association, should have guaranteed confidentiality and confidentiality of the personal data of the interested party, ensuring the delivery of the message and the related notice attached directly and only to the latter.

However, the same Association declared that it had in any case subsequently modified its operating practice, specifying that in the "continuation of the activities of the Board of Arbitrators and with reference to other accused magistrates, it was then preferred to entrust the communication of the objection to other forms of communication, using the personal e-mail address of the magistrate from time to time concerned".

For further clarification of the incident, the Board of Arbitrators sent its further observations (note of 18 July 2022), specifying that:

− the use of the XX address, although available to the Association, did not guarantee security regarding the confidentiality of the communication, given the declared practice according to which many magistrates would make the institutional email addresses available to their collaborators "for the functional needs of the 'office";

− the private and personal e-mail address of the interested party was not known to the Association;

− certified e-mail address used was attributable to the Office "where all confidential or secret communications intended for it arrive" and whose staff are bound by secrecy pursuant to art. 49 of Legislative Decree no. 82/2005 (Digital Administration Code);

− it was the duty of the protocol officers themselves to "sort" the correspondence to the person concerned, without proceeding to open the message;

− it is not known whether there was material apprehension of the content of the communication on the part of the correspondence officer.

With respect to the present case, therefore, according to the Board of Arbitrators, profiles of non-compliance with the regulations on the protection of personal data would not have been identifiable, all the more due to the fact that the conduct of the magistrate would have already been known following a his previous interview reported in the volume "XX".

Having assessed the overall findings in the documents, the Office proceeded to notify the Association, pursuant to art. 166, paragraph 5, of the Code, the act of initiating the corrective and sanctioning procedure in relation to the violation of articles 5, par. 1, lit. f), 25 and 32 of the Regulation (note of 2 November 2022).

The Association sent its memorandums on 10 December 2022, in which it reiterated, in particular, that:

− the Board of Arbitrators "had, initially, considered that the use of the certified e-mail address of the Judicial Office to which the interested party belongs, with the specification of the confidential nature of the communication, responded to the dual need to ensure the receipt of the deed by the addressee, on the one hand, and the confidentiality of the information contained therein, on the other, considering, in particular, the position of guarantee assumed, within the judicial offices, by the administrative staff assigned to receipt of mail, bound to secrecy pursuant to art. 49 of the Digital Administration Code";

− "already in March 2021, the Board of Arbitrators has [...] given indications to the personnel assigned to the General Secretariat of the ANM to transmit communications relating to intra-associative disciplinary proceedings only by registered letter with return receipt and to the institutional e-mail addresses of the interested parties, believing that this method of communication could better guarantee the confidentiality of the information contained therein";

− the Association "regrets [...] the alleged undue disclosure of confidential information by Dr. XX, in the reasonable belief that it was a single and isolated fact".

3. The legislation on the protection of personal data.

Under art. 24 of the GDPR, "the data controller implements appropriate technical and organizational measures to ensure, and be able to demonstrate, that the processing is carried out in compliance with this regulation". “These measures should take into account, inter alia, the risk to the rights and freedoms of natural persons” (recital n. 74 of the GDPR).

Under art. 25 of the GDPR, it is then established that the controller, "both at the time of determining the means of processing and at the time of the processing itself [...] implements adequate technical and organizational measures, [...], aimed at effectively implementing the principles of data protection, such as minimisation, and to integrate the necessary guarantees in the processing in order to meet the requirements of this regulation and protect the rights of data subjects".

Pursuant to art. 32 of the GDPR, the data controller is also required to "[...] implement adequate technical and organizational measures to guarantee a level of security appropriate to the risk [...]"; "in assessing the appropriate level of security, special account shall be taken of the risks presented by the processing which derive in particular [...] from unauthorized disclosure or access, accidentally or illegally, to personal data transmitted, stored or however treated".

In order to “maintain security and prevent processing in breach of this Regulation, the controller […] should [therefore] assess the risks inherent in the processing and implement measures to limit those risks […]. These measures should ensure an adequate level of security, including confidentiality, taking into account the state of the art and implementation costs with respect to the risks presented by the treatments and the nature of the personal data to be protected. When assessing the data security risk, consideration should be given to the risks presented by the processing of personal data, such as accidental or unlawful destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed, which could in particular cause physical, material or immaterial damage” (Recital n. 83 of the GDPR).

Finally, the processing of personal data must take place in compliance with the principles applicable to the processing (Article 5, paragraph 1, letters a)-f) of the GDPR), including that of "integrity and confidentiality", under which personal data are "processed in such a way as to ensure adequate security of personal data, including protection, by means of appropriate technical and organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage".

As is known, the data controller is responsible for compliance with the aforementioned principles and must be able to demonstrate compliance with them (Article 5, paragraph 2, of the GDPR).

4. Evaluations by the Office.

Following the examination of the documentation produced and the declarations made by the parties during the proceedings, and given that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, it emerged that the ANM, in notifying the deed of initiation of a disciplinary procedure against today's complainant, used the certified e-mail address of the Protocol Office of the Public Prosecutor's Office where the interested party works (XX), in place of the personal one attributable to him, even though the latter was available to the Association. It did so in application of a specific provision of the Procedural Regulation on the disciplinary activity of the Board of Arbitrators and in the belief that the "confidential" wording affixed to the communication was sufficient to satisfy the need for confidentiality of the information contained therein.

Although this forwarding took place in implementation of a precise internal provision of the Association and was dictated by the need to acquire certainty regarding the delivery and receipt of the deed by the interested party, it must however be noted that the conduct by the ANM, for the reasons set out below, does not comply with the regulations on the protection of personal data.

And in fact, given the non-involvement of the Public Prosecutor's Offices in the relationship (and related vicissitudes) between the ANM and today's applicant, and also noting that the Association considered it could not use the "institutional" e-mail address of the interested party, even if available, due to the absence of guarantees of confidentiality regarding the recipients of the message (only to then transmit, however, the same message to a non-personal P.E.C. address, accessible by a plurality of people), it should be noted here that the ANM's choice to send the aforementioned communication to an e-mail address other than the one indicated at the time by the applicant resulted, in fact, in knowledge of information referring to him which should have remained confidential.

The arguments put forward in defense by the ANM, aimed at demonstrating the legitimacy of its actions and the groundlessness of the objections raised, are indeed not suitable for overcoming the findings notified by the Office with the deed of initiation of the aforementioned procedure.

The knowledge of the personal data of the interested party, by subjects not entitled to have knowledge of it, could in fact have easily been avoided, in the case in question, simply by sending the e-mail disputed here to the individual e-mail address available to the Association, which was, among other things, probably acquired - considering the very nature of the data - precisely for the purpose of contacting the applicant.

Nor, in this regard, is the circumstance relevant - also alleged by the ANM during the investigation - according to which the use of this e-mail address would not have been assisted by adequate guarantees of confidentiality, given that the Association is not required to know and/or evaluate how its members use their e-mail addresses (even if hypothetically shared with other collaborators).

As for the need for certainty regarding the effective receipt and knowledge of the document served by the applicant, it is sufficient to point out here that it would have been sufficient, for the purpose, to make use of other suitable instruments offered in this regard by the legal system, such as the transmission of a registered letter with return receipt to the applicant's postal address (solution, moreover, prefigured by the Association itself in the note of 10 December 2022). In any case, it would have been the task of the latter to contact the interested party in order to obtain any alternative addresses to which the communication considered here could be transmitted in a certain, secure and confidential manner.

In the light of the foregoing considerations and of the documentation acquired in the records, it therefore appears that the ANM has processed personal data of the interested party in conflict with the provisions of the current legislation on the protection of personal data, having specific regard to the provisions of the articles 5, par. 1, lit. f), 25 and 32 of the Regulation.

5. Conclusions

The violation of the aforementioned provisions, in addition to the adoption of the corrective measures pursuant to art. 58, par. 2, of the Regulation, can lead to the imposition of administrative fines (art. 83, par. 1 and 5, of the Regulation).

With respect to the first profile, the ANM declared, during the procedure, and assuming all responsibility in this regard (Article 168 of the Code), that it had already voluntarily corrected its operating practice, favoring the forwarding of the start-up communications of disciplinary proceedings to the personal addresses (email or postal) of the individual magistrates concerned from time to time (notes of 13 July 2022 and 10 December 2022, cited above).

In the light of these findings, it is therefore considered possible to postpone the adoption of an injunction against the Association (art. 58, par. 2, letter d), of the Regulation), since the latter has declared that it has already adopted, for the purpose of forwarding to its members communications of the initiation of disciplinary proceedings, a practice compliant with the regulations on the protection of personal data.

As regards the imposition and quantification of possible sanctions, given that the latter must in each individual case be "effective, proportionate and dissuasive" (art. 83, paragraph 1, of the Regulation), it is necessary here to proceed with an assessment that takes due account, individually and as a whole, of all the elements envisaged by art. 83, par. 2, lit. a)-k), of the Regulation, related to the specific case.

In relation to the case in question, it is believed that, in particular, the nature and seriousness of the violation and the level of damage suffered by the interested party must be highlighted (given the undoubted repercussions, even only in terms of image, derived instantly from unauthorized knowledge of such strictly confidential information) as well as the degree of responsibility of the controller, who was in any case in possession of another suitable e-mail address that could be traced back instantly.

Furthermore, the culpable nature of the violation was considered (nothing noting, in fact, its occurrence in implementation of a specific internal provision of the Association - moreover perfectible - and in the mistaken belief that the guarantees of confidentiality actually adopted were sufficient, by themselves, to protect the interested party), as well as the delicacy of the data processed, which although of a "common" nature, are in any case suitable for revealing completely peculiar information and for determining negative impacts in the individual sphere of the interested parties, interfering with their relational and professional context.

On the other hand, the following additional circumstances were duly taken into account:

− the absence, at present, of specific precedents against the Association;

− the episodic and extemporary nature of the violation;

− the small number of subjects involved;

− the subsequent spontaneous adoption of behaviors compliant with current legislation;

− the substantially collaborative conduct held by the Association during the proceedings;

− the absence, at present, of further complaints or reports to the Guarantor on similar issues.

On the basis of the aforementioned elements, it is therefore considered appropriate to determine the amount of the pecuniary sanction against the National Association of Magistrates in the amount of 5,000.00 (five thousand) euros for the violation of articles 5, par. 1, lit. f), 25 and 32 of the Regulation.

Taking into account that the preliminary investigation concerned the unlawful processing of personal data in the context of a disciplinary procedure, it is also believed that the ancillary sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7, of the Code and by art. 16 of the Regulation of the Guarantor n. 1/2019.

Finally, it is believed that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THAT BEING CONSIDERED, THE GUARANTOR

declares, pursuant to art. 57, par. 1, lit. f), of the Regulation, the illegality of the processing carried out by the National Association of Magistrates for the violation of the articles 5, par. 1, lit. f), 25 and 32 of the Regulation, in the terms set out in the justification;

ORDERS

the National Association of Magistrates, pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation, as well as art. 166 of the Code, to pay the administrative fine of 5,000.00 (five thousand) euros for the violations indicated in the justification. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Association to pay the sum of 5,000.00 (five thousand) euros, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law no. 689/1981;

ORDERS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and 16 of the Guarantor's Regulation n. 1/2019, and notes that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, as well as the articles 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 11 January 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei