Garante per la protezione dei dati personali (Italy) - 9868646

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 23.02.2022
Published:
Fine: n/a
Parties: Bank of Italy
National Case Number/Name: 9868646
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: Jelena

The Italian DPA held that the Bank of Italy violated Articles 5 and 6 GDPR by unlawfully disclosing personal information in the context of a recruitment procedure.

English Summary

Facts

During a recruitment procedure, an employee of the Bank of Italy (the controller) accidentally sent an email to 500 participants, where the email address of each of the candidates was clearly visible. By using the carbon copy (CC) instead of the blind carbon copy (BCC) option, the employee disclosed the email addresses of the job applicants to one another.

The email in question contained general information including a feedback request. The employee did not inform the office in charge of data protection and the participants did not raise any complaints. Consequently, in the immediate aftermath of the event, the Bank could not activate a data breach procedure, which provides for the involvement of the DPO and other staff members responsible for compliance with the GDPR and the relevant national legislation.

When the controller became aware of the breach, it sent another email to the job applicants instructing them to delete the email containing the visible addresses and not to use them or disclose them to third parties. The controller also argued that the event was an isolated one and that it did not reflect the organisational measures that the Bank of Italy applies to the protection of personal data.

The Italian DPA investigated the matter.

Holding

The Italian DPA held that the Bank violated the provisions of Article 5(1)(a) and Article 6 GDPR.

The DPA held that the email addresses were personal data because the participants could be identified through them (Article 4(1) GDPR). By disclosing this information, the Bank of Italy carried out a processing operation (Article 4(2) GDPR) without any legal basis.

However, the DPA took into account that the controller had implemented technical and organisational measures and that this was its first violation. Moreover, the data disclosed did not fall under the special categories of data pursuant to Article 9 GDPR. Therefore, the DPA concluded that the circumstances of the infringement qualified it as a minor violation as defined in Recital 148 GDPR and issued a reprimand pursuant to Article 58(2)(b) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9868646]

Provision of February 23, 2023

Register of measures
no. 47 of 23 February 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free movement of such data and which repeals Directive 95/46/EC" (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

HAVING REGARD TO the documentation on file;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the Guarantor's office for the protection of personal data, doc. web no. 1098801;

Speaker Prof. Pasquale Stanzione;

WHEREAS

1. Introduction.

With notification of the XX it was represented that the Selection and Recruitment Team of the Bank of Italy (hereinafter the "Institute"), in the context of the public competition announced by the Institute "for 19 Experts with orientation in the legal disciplines (call of the XX)", sent an e-mail to the e-mail addresses of about "500 participants", reminding the addressee candidates of the date and time of the pre-selection test, at the premises of the Fiera di Roma, and that the competition would be held in compliance with the measures to contain the contagion from COVID-19, also providing detailed indications to ensure the correct and safe conduct of the test.

The e-mail in question appears to have been sent from the address noreply.Concorsi@bancaditalia.it, attributable to the e-mail domain of the Institute ("Selection and recruitment team").

2. The preliminary investigation.

In response to a request for information (note prot. n. XX of XX) the Institute, with note prot. no. XX, of the XX declared, in particular, that:

- "the XX, in carrying out the preliminary activities for carrying out a pre-selection test of a public competition, an email was sent from the address noreply.concorsi@bancaditalia.it, belonging to the unit dedicated to personnel selection, containing the operational plan on the measures to prevent infections from Covid-19 adopted during the test and containing the unencrypted e-mail addresses of the recipients";

- "in particular, for the purpose of transmitting the aforementioned plan, 8 mass emails were sent in rapid sequence, dividing the total 5,528 participants in the selection into groups of recipients. In only one of the aforementioned mass emails, due to a mere clerical error, the relevant addresses were entered clearly visible in the "recipients" field rather than in the "blind copy" field, as is currently done by employees for sending emails of a general nature to candidates on the basis of the information provided within the unit dedicated to personnel selection";

- "on the basis of the aforementioned indications, in fact, the process of managing communications sent by email to competitors is organized as follows: (i) the addresses of the recipients of the emails are extracted directly from the IT database of the competition, thus limiting possible errors in identification of recipients; (ii) these addresses are reported in the "knowledge by blind copy" field of the email; (iii) the text of the email must contain, in any case, only information of a general nature and of common interest relating to the competition, previously examined by the unit manager, with the exclusion of individual information or communications”;

- "in the present case, the operator in charge of transmitting the e-mail object of the request in reply sent the same communication twice, incorrectly inserting in the first sending the addresses extracted from the computer database of the competition in the recipients field rather than in the knowledge field for hidden copying, without reporting the incident to the managers of the relevant office [...]. Consequently, in the immediate aftermath of the event, the Bank was unable to proceed with the activation of the procedure envisaged by the internal provisions (circular no. 257/04 and subsequent amendments) for the management of data breach episodes in accordance with the legislation on data protection personal data, which provide for the involvement of the Organization Service - in charge of taking care of the tasks of the Data Controller - and of the DPO";

- "it should be noted that the aforesaid clerical error concerned exclusively the email subject of the request for feedback and not also the equivalent communications intended for the other groups of participants in the same selective test. It should also be noted that no news or complaint regarding the incident has been received directly by the Bank of Italy. Therefore, only following the request for information from this Authority was it possible to activate the envisaged procedure for the management and analysis of data breaches";

- "it should be noted that the Bank of Italy, in carrying out bankruptcy procedures preliminary to the establishment of the employment relationship, collects a series of data necessary for the purpose of carrying out the competition, which includes the candidate's email address , used exclusively for sending communications strictly connected to the organizational and management profiles of the test, in compliance with the principles set forth in art. 5 of the GDPR”;

- "following the request for information from this Authority, the Bank became aware of the facts reported in the acknowledgment note and acquired the elements useful for making an assessment of the relevance of the event and the possible negative effects on the recipients of the email. Pursuant to the Circ. 257/04, the RPD then issued the expected opinion on the level of risk of violations for the rights and freedoms of the interested parties”;

- "as highlighted above, the event object of the request in reply represents the consequence of a material error, of a completely occasional and sporadic nature, which exclusively concerned one of the 8 massive emails sent in relation to the aforementioned pre-selection test";

- "taking into account the significant number of bankruptcy procedures carried out by the Bank of Italy, the indications provided to the employees for the management of communications to candidates, except in the only case covered by the request in reply, were found to be suitable for avoiding the occurrence of events of the kind. In any case, in the light of what happened, significant organizational measures were taken to further strengthen the aforementioned operating process";

- "for the purposes of assessing the level of risk related to the event, it is worth highlighting that the email subject of the request for information contained exclusively a communication of a general nature addressed to a plurality of candidates without distinction, concerning only the organizational profiles of the pre-selective test and not also indications or information of an individual nature”;

- "it should also be kept in mind that the email addresses used for communication purposes do not necessarily allow the unambiguous identification of the owner or user, since, as known, the choice of the address is absolutely free and can include, for example, fictitious names or names referable to other people, acronyms or symbols. In any case, then, inclusion in the list of recipients of the communication on the pre-selection test does not certify actual participation in the test itself, as shown by the statistics on participation";

- "after receiving the request for information in response, an email was sent to all interested parties [...] in which those who had not already done so were asked to cancel the communication of 22 April containing the addresses unencrypted and, in any case, not to disclose it to third parties and not to use the addresses of other erroneously visible recipients;

- "we then proceeded to call all operators once again to pay the utmost attention in the execution of this specific processing activity (and, more generally, of all personal data processing activities), also recalling the importance of duly reporting to the head of the office in a timely and complete manner any episode that could lead to a violation of personal data, in line with what is established by internal provisions".

With a note of the XX (prot. n. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Institute, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, 6 of the Regulation, as well as 2-ter of the Code, inviting the aforementioned Institute to produce defense writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law No. 689 of 24 November 1981).

With note of the XX (prot. n. XX) the Institute presented a defense brief, declaring, in particular, that:

- "from an organizational point of view, it should be noted that the Bank of Italy has a robust and structured data protection apparatus. The Institute has issued internal provisions [...] which govern the methods with which the Bank, in compliance with the GDPR and the relevant national legislation, manages personal data";

- "in particular, the internal provisions lay down rules which: (i) require the census of all personal data processing carried out by the Bank in a special register (the so-called "Register of processing"); (ii) require, before starting a new processing or in the event of significant changes to an existing processing, to carry out a preliminary assessment, as well as identify the cases in which to carry out an impact assessment on personal data (so-called "DPIA"); (iii) define the roles and responsibilities in the internal organization regarding the processing of personal data; (iv) outline the process for reporting any violations of personal data (so-called "data breach"). Furthermore, the structure that performs the duties of the data controller maintains constant communication with the Data Protection Officer (DPO), to support whom a dedicated organizational unit was set up on the XX";

- "with reference to the processing of personal data carried out in the context of the management of public tenders, [...] the related processing of personal data was recorded in the Treatment Register. On the XX date a DPIA was carried out), also collecting the opinion of the DPO [...], concerning the processing of personal data carried out in the context of the more general activity of organizing and managing public tenders, which indicates inter alia the purposes of the processing, the legal basis, the categories of interested parties and data processed, the expected retention times and the existing security measures”;

- "data processing activities are carried out only by authorized personnel, [...], in compliance with the provisions of articles 4, point 10), 29, and 32, par. 4 of the GDPR who, as required by the same internal provisions, are required to take the appropriate online training course [...], in order to provide them with specific expertise in the matter. Persons authorized within the personnel selection unit are also required to comply with the service communication on the processing of personal data [...], which draws the attention of employees to the importance of complying with the legislation on privacy and apply all the necessary measures to protect the data processed in the work processes";

- "in particular, in relation to e-mail communications addressed to participants in competitions organized by the Bank, the following indications were recalled: (i) the recipients' e-mail addresses are extracted directly from the IT database of the competition, thus limiting possible errors in identifying the recipients themselves; (ii) these addresses are shown in the "knowledge by blind copy" field (hereinafter also "Bcc") of the e-mail; (iii) the text of the e-mail must contain, in any case, only information of a general nature and of common interest relating to the competition, previously examined by the unit manager or his deputy, with the exclusion of individual information or communications and of personal data”;

- “the correct use of e-mails is also the subject of various communications addressed to all Bank personnel. In particular, on 2 August 2019, a message was sent to all employees in which, with reference to the recipients of the e-mails, they are invited to use the Bcc field where it is necessary to protect their privacy [...]; a similar policy is also contained in Circular 184/93 [...] adopted by the Bank of Italy on information security, which in Annex II deals with the use of e-mail and specifically prohibits the sending of e-mail messages to recipients not interested in the content or unknown, to this end recommending that the correctness of the addresses be checked before sending and not to include information of a private and personal nature, confidential or that may have legal repercussions for the Institute in the messages”;

- "moreover, in the e-mails sent by the Bank of Italy there is a special disclaimer which highlights that they are of a confidential nature, informing the recipient that, if he receives them by mistake, he is requested to communicate via e-mail the receipt to the sender and to destroy the content”;

- "the Guidelines for the management of data breaches have been adopted and disseminated throughout the Bank [...] which implement the provisions of the Guidelines of the European Data Protection Board (EDPB) [... which] explicitly identify among the examples of data breaches the sending to mailing lists of one or more messages with the e-mail addresses of the recipients in clear text in the 'To' field or in the 'CC' field, and identify, among the recommended measures to prevent violations, the use of the Bcc field for emails intended for multiple external natural persons where it is not necessary to make the email addresses visible to all”;

- "the provisions indicated above were communicated to all employees, including employees of the unit dedicated to personnel selection, through the internal correspondence system and made accessible through the portal where the Bank's internal regulations are published";

- "after receiving the request for information of 20 July last, forwarded [by] the Authority, further organizational and technical measures have been adopted, functional to the correct processing of the e-mails in question and, in general, of the information and measures transmitted externally”;

- "within the personnel selection unit, the operating instructions for the transmission of communications via e-mail to the participants in the aforementioned competitions were also reaffirmed, through a specific guide for the management of the noreply.Concorsi@bancaditalia.it functional mailbox";

- "from a technical point of view, we then intervened on the authorization system for the use of the "noreply.Concorsi@bancaditalia.it" mailbox, preventing those in charge of preparing the e-mails from being able to send them autonomously. In addition to the ordinary "four eyes" control, by the unit manager or his deputy, on the content of the e-mail to be sent, a similar control has been introduced on the material operation of sending the same: now only three authorized employees, distinct from those who take care of the e-mail preparation phase";

- "we then proceeded, with a specific internal communication intended for all the Bank's structures [...], to remind all personnel again to pay specific attention in the management of personal data, with particular reference to the external transmission of information and of provisions of the Bank which contain data of natural persons”;

- "as highlighted above, it is clear that the disputed event is the consequence of a mere material error, completely isolated, which concerned, among other things, exclusively one of the 8 massive e-mails sent in relation to the same pre-selection test . In other words, it is a single episode determined by behavior attributable to a single employee of the Institute, which appears to be discordant with the directives issued within the personnel selection unit and with the organizational process applied by the Bank in on the protection of personal data”;

- "the circumstance that the aforementioned employee correctly sent the other 7 e-mails and, with reference to the incorrectly addressed one, proceeded, after a few minutes, to send a massive e-mail compliant with the instructions received - i.e. by entering the e-mail addresses in Bcc - demonstrates his knowledge of these instructions, given with the aim of ensuring the protection of the personal data of the participants in the competitions, and that the sending of the only previous communication with the addresses in clear text it can be traced back to mere inattention”;

- "the measures adopted by the Bank of Italy and the factual circumstances referred to above, in particular the significant number of insolvency proceedings carried out by the Bank of Italy and massive communications sent correctly, also in relation to the pre-selection test itself, demonstrate that the organizational process applied by the Institute is suitable for preventing the occurrence of events of this kind, without prejudice to the risk related to the material error exceptionally incurred by the individual operator”;

- "the Bank is aware of the interpretation provided over time [by the Authority], according to which e-mail addresses are attributable to the notion of personal data [...]. For this reason, in carrying out insolvency procedures prodromal to the establishment of the employment relationship, the e-mail address - used exclusively for sending communications strictly connected to the organizational and management profiles of the test, in compliance with the principles set out in 'art. 5 of the GDPR – is provided by the candidate when submitting the application to participate through the related online procedure, in which context the consent to the processing of personal data is collected and the related information is released to the interested parties, in compliance with the principles of lawfulness, correctness and transparency of the treatment”.

3. Outcome of the preliminary investigation.

3.1 The communication of personal data of the participants in the competition.

The personal data protection regulations provide that public bodies, even when they operate in the performance of competition, selection or in any case evaluation procedures, preliminary to the establishment of the employment relationship, can process the personal data of the interested parties (Article 4, no. 1, of the Regulation) if the processing is necessary "to fulfill a legal obligation to which the data controller is subject" (think of specific obligations established by national legislation "for recruitment purposes", articles 6, paragraph 1, letter c), 9, par. 2, lit. b) and 4; 88 of the Regulation) or "for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" (Article 6, paragraph 1, letters c) and e) of the Regulation and art. 2-ter of the Code). The data controller is required, in any case, to respect the principles of data protection (Article 5, paragraph 1 of the Regulation).

On the basis of the elements acquired and the facts that emerged following the preliminary investigation, it is ascertained that on the XX date the Institute sent in rapid succession, from the address noreply.Concorsi@bancaditalia.it, attributable to the e-mail domain of the "Selection and Recruitment Team", eight mass e-mails, dividing the over five thousand participants in the public competition "for 19 Experts with orientation in legal disciplines", announced by the same Institute, into groups of recipients.

The content of the messages contained information on how to carry out the competition test and was aimed at providing detailed indications for the safe conduct of the procedure through measures to contain the contagion from Covid-19 in compliance with the emergency regulations in force at the time (Articles 5 and 6 of Legislative Decree No. 24 of 24 March 2022; see also the protocol for the conduct of public competitions issued by the Department of Public Administration on 15 April 2021) due to the persistent circulation of the virus, despite the cessation of the state of emergency by law.

It is also ascertained that only one of these e-mails, addressed to a group of participants, mistakenly showed the addresses of the other recipients in the "cc" (copy) field instead of the "ccn" (blind copy) field.

While acknowledging that the failure of the operator who materially committed the error to notify the managers of the relevant office of what had happened did not allow the Institute to promptly activate "the procedure provided for by the internal provisions [...] for the management of data breach episodes", the following is however noted.

The sending of the e-mail message in question in the manner described - which, as confirmed by the Institute, was carried out as a result of an error committed by an employee - resulted in the disclosure of the e-mail address of each of the recipients to the others, i.e. specific subjects who - also taking into account the definition of "third party" contained in art. 4, par. 1, no. 10 of the Regulation - were not entitled to know the aforementioned contact details. The transmission of the message in the manner described also made all the interested parties to whom the aforesaid e-mail was addressed mutually aware of their participation in the competition (a circumstance also highlighted by the person who reported the incident, who reportedly learned of the participation of one of his acquaintances in the same procedure).

What accidentally occurred constitutes, for data protection purposes, a communication of personal data in the absence of a specific legal basis, since a valid consent given in this regard by the candidate when submitting the application to participate in the selection procedure cannot be considered to exist (recital 43 of the Regulation and, among others, provision no. 160 of 17 September 2020, web doc. no. 9461168, which specifies that the processing of data related to the carrying out of competition procedures finds "its legal basis in the specific sector discipline that regulates access to jobs in public administrations and the procedures for carrying out public competitions [...] not in the consent of the interested parties").

Notwithstanding what has been declared regarding the fact that "email addresses used for communication purposes do not necessarily allow the unambiguous identification of the owner or user" and that "inclusion in the list of recipients of the communication on the pre-selection test does not certify the effective participation in the test itself", it should be noted that in numerous cases, among those covered by the report, the e-mail addresses bear the personal data of the interested parties, clearly reporting their name and/or surname, or initials or acronyms suitable in any case for making the interested parties identifiable, also in combination with other information that may be available.

Furthermore, as also occurred in similar cases, as a result of the aforesaid communication each of its recipients was made aware (as in the case covered by the report), in addition to the e-mail addresses of the other candidates, also of everyone's intention to participate in the competition procedure itself (see definitions of "personal data" and "interested party", art. 4, paragraph 1, no. 1, of the Regulation; see provision 15 December 2022, no. 419, doc web no. 9843741).

While acknowledging the measures implemented on a technical and organizational level to prevent the risk of errors in such circumstances of sending mass emails and the measures further introduced in order to improve existing processes, the communication of personal data to third parties, even by mere error in this isolated circumstance, still appears to have occurred in violation of articles 5, par. 1, lit. a), and 6 of the Regulation, as well as 2-ter of the Code.

4. Conclusions.

In the light of the assessments referred to above, it should be noted that the statements made by the Bank of Italy during the investigation - for the truthfulness of which it may be called to answer pursuant to art. 168 of the Code - although worthy of consideration, do not allow the findings notified by the Office with the act initiating the proceeding to be overcome and are insufficient to allow the dismissal of the present proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

Therefore, the preliminary assessments of the Office are confirmed and the illegality of the processing of personal data carried out by the Institute is noted, for having communicated the personal data of participants in the aforementioned competition procedure to third parties, in violation of articles 5 and 6 of the Regulation, as well as 2-ter of the Code.

That said, taking into account that:

- the episode, although it involved numerous interested parties, appears to have been isolated and determined by a mere human error, committed by an employee who physically proceeded to send the e-mail message in question;

- the message consisted of a communication of a general nature addressed without distinction to a plurality of candidates;

- the processing did not concern particular categories of data (see art. 9 of the Regulation) and did not involve knowledge of other specific circumstances relating to the family or personal conditions of the interested parties;

- the conduct took place in the context of the restart of competition procedures in a period still characterized by a wide circulation of the SARS-CoV-2 virus, and in any case in a phase that was still particularly agitated and critical also in terms of organization and management of institutional activities;

- the Institute has taken steps to mitigate the effects of the communication by inviting the recipients of the communication to cancel, if not already done, the message in question, or not to disclose it or not to use the addresses of the other erroneously visible recipients;

- the Institute, as a result of the episode that occurred, further strengthened the existing procedures ("four eyes" check, by the unit manager or his deputy, on the content of the e-mail to be sent);

- the Institute has taken steps to introduce further technical and organizational measures to prevent the occurrence of similar events in the future (in particular, inhibition of the independent sending function for those in charge of preparing the e-mails; delayed sending of the message after further checking; internal awareness campaign to ensure greater attention in the phase of external transmission of information and provisions of the Bank which contain data of natural persons...);

- the number of interested parties involved (about 500) must be considered in relation to the total number of participants in the competition in question (over 5,000 candidates);

- there are no previous violations committed by the data controller or previous measures pursuant to art. 58 of the Regulation;

- the circumstances of the concrete case lead to qualifying the same as a "minor violation", pursuant to cons. 148 of the Regulation and the “Guidelines concerning the application and provision of administrative fines for the purposes of regulation (EU) no. 2016/679”, adopted by the Art. 29 Working Group on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with the “Endorsement 1/2018” of 25 May 2018.

In the light of all of the above, and of the matter taken as a whole, it is therefore considered sufficient to admonish the data controller for the violation of the aforementioned provisions, pursuant to art. 58, par. 2, lit. b), of the Regulation (see also Recital 148 of the Regulation).

In this context, considering in any case that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

Finally, it should be noted that the conditions pursuant to art. 17 of regulation no. 1/2019.

ALL THIS CONSIDERING THE GUARANTOR

a) declares, pursuant to art. 57, par. 1, lit. f), of the Regulation, the unlawfulness of the processing of personal data carried out by the Bank of Italy, in the person of its pro tempore legal representative, with registered office in Via Nazionale, 91 - 00184 Rome (RM), Tax Code: 00997670583, for violation of articles 5, par. 1, lit. a) and 6 of the Regulation, as well as art. 2-ter of the Code, on the terms set out in the reasoning;

b) pursuant to art. 58, par. 2, lit. b) of the Regulation, admonishes the Bank of Italy, as the data controller, for having violated articles 5, par. 1, lit. a) and 6 of the Regulation, as well as art. 2-ter of the Code, as described above;

c) believes that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision, or within sixty days if the appellant resides abroad.

Rome, 23 February 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei



[doc. web no. 9868646]

Provision of February 23, 2023

Register of measures
no. 47 of 23 February 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, components and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ CE, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free movement of such data and which repeals Directive 95/46/EC (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

Given the documentation in the deeds;

Given the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the Guarantor's office for the protection of personal data, doc. web no. 1098801;

Speaker Prof. Pasquale Stanzione;

WHEREAS

1. Introduction.

With notification of the XX it was represented that by the Selection and Recruitment Team of the Bank of Italy (hereinafter the "Institute"), in the context of the completion of the public competition announced by the Institute "for 19 Experts with orientation in the legal disciplines (call of the XX)", an e-mail was sent to the e-mail addresses of about "500 participants", reminding the candidates at the address of the date and time for carrying out the pre-selective test, at the premises of the Fiera di Roma, and that the competition would be held in compliance with the measures to contain the contagion from COVID-19, also providing detailed indications to ensure the correctness and safe conduct of the test.

The e-mail in question appears to have been sent from the address noreply.Concorsi@bancaditalia.it, attributable to the e-mail domain of the Institute ("Selection and recruitment team").

2. The preliminary investigation.

In response to a request for information (note prot. n. XX of XX) the Institute, with note prot. no. XX, of the XX declared, in particular, that:

- "the XX, in carrying out the preliminary activities for carrying out a pre-selection test of a public competition, an email was sent from the address noreply.concorsi@bancaditalia.it, belonging to the unit dedicated to personnel selection, containing the operational plan on the measures to prevent infections from Covid-19 adopted during the test and containing the unencrypted e-mail addresses of the recipients";

- “in particular, for the purpose of transmitting the aforementioned plan, 8 massive emails were sent in rapid sequence, dividing the total 5,528 participants in the selection into groups of recipients. In only one of the aforementioned massive emails, due to a mere clerical error, the relative addresses were entered clearly visible in the "recipients" field rather than in the "blind copy" field, as is currently done by employees for sending emails general nature sent to candidates on the basis of the information provided within the unit dedicated to personnel selection";

- "on the basis of the aforementioned indications, in fact, the process of managing communications sent by email to competitors is organized as follows: (i) the addresses of the recipients of the emails are extracted directly from the IT database of the competition, thus limiting possible errors in identification of recipients; (ii) these addresses are reported in the "knowledge by blind copy" field of the email; (iii) the text of the email must contain, in any case, only information of a general nature and of common interest relating to the competition, previously examined by the unit manager, with the exclusion of individual information or communications”;

- "in the present case, the operator in charge of transmitting the e-mail object of the request in reply sent the same communication twice, incorrectly inserting in the first sending the addresses extracted from the computer database of the competition in the recipients field rather than in the knowledge field for hidden copying, without reporting the incident to the managers of the relevant office [...]. Consequently, in the immediate aftermath of the event, the Bank was unable to proceed with the activation of the procedure envisaged by the internal provisions (circular no. 257/04 and subsequent amendments) for the management of data breach episodes in accordance with the legislation on data protection personal data, which provide for the involvement of the Organization Service - in charge of taking care of the tasks of the Data Controller - and of the DPO";

- "it should be noted that the aforesaid clerical error concerned exclusively the email subject of the request for feedback and not also the equivalent communications intended for the other groups of participants in the same selective test. It should also be noted that no news or complaint regarding the incident has been received directly by the Bank of Italy. Therefore, only following the request for information from this Authority was it possible to activate the envisaged procedure for the management and analysis of data breaches";

- "it should be noted that the Bank of Italy, in carrying out bankruptcy procedures preliminary to the establishment of the employment relationship, collects a series of data necessary for the purpose of carrying out the competition, which includes the candidate's email address , used exclusively for sending communications strictly connected to the organizational and management profiles of the test, in compliance with the principles set forth in art. 5 of the GDPR";

- "following the request for information from this Authority, the Bank became aware of the facts reported in the acknowledgment note and acquired the elements useful for making an assessment of the relevance of the event and the possible negative effects on the recipients of the email. Pursuant to the Circ. 257/04, the RPD then issued the expected opinion on the level of risk of violations for the rights and freedoms of the interested parties”;

- "as highlighted above, the event object of the request in reply represents the consequence of a material error, of a completely occasional and sporadic nature, which exclusively concerned one of the 8 massive emails sent in relation to the aforementioned pre-selection test";

- "taking into account the significant number of bankruptcy procedures carried out by the Bank of Italy, the indications provided to the employees for the management of communications to candidates, except in the only case covered by the request in reply, were found to be suitable for avoiding the occurrence of events of the kind. In any case, in the light of what happened, significant organizational measures were taken to further strengthen the aforementioned operating process";

- "for the purposes of assessing the level of risk related to the event, it is worth highlighting that the email subject of the request for information contained exclusively a communication of a general nature addressed to a plurality of candidates without distinction, concerning only the organizational profiles of the pre-selective test and not also indications or information of an individual nature”;

- it should also be kept in mind that the email addresses used for communication purposes do not necessarily allow the unambiguous identification of the owner or user, since, as known, the choice of the address is absolutely free and can include, for example, fictitious or referable names to other people, acronyms or symbols. In any case, then, inclusion in the list of recipients of the communication on the pre-selective test does not certify actual participation in the test itself, as shown by the statistics on participation";

- "after receiving the request for information in response, an email was sent to all interested parties [...] in which those who had not already done so were asked to cancel the communication of 22 April containing the addresses unencrypted and, in any case, not to disclose it to third parties and not to use the addresses of other erroneously visible recipients;

- "we then proceeded to call all operators once again to pay the utmost attention in the execution of this specific processing activity (and, more generally, of all personal data processing activities), also recalling the importance of duly reporting to the head of the office in a timely and complete manner any episode that could lead to a violation of personal data, in line with what is established by internal provisions".

With a note of the XX (prot. n. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Institute, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, 6 of the Regulation, as well as 2-ter of the Code, inviting the aforementioned Institute to produce defense writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law No. 689 of 24 November 1981).

With note of the XX (prot. n. XX) the Institute presented a defense brief, declaring, in particular, that:

- "from an organizational point of view, it should be noted that the Bank of Italy has a robust and structured data protection apparatus. The Institute has issued internal provisions [...] which govern the methods with which the Bank, in compliance with the GDPR and the relevant national legislation, manages personal data";

- “in particular, the internal provisions lay down rules which: require the census of all personal data processing carried out by the Bank in a special register (the so-called "Register of processing"); (ii) require, before starting a new treatment or in the event of significant changes to an existing treatment, to carry out a preliminary assessment, as well as identify the cases in which to carry out an impact assessment on personal data (so-called "DPIA"); (iii) define the roles and responsibilities in the internal organization regarding the processing of personal data; (iv) outline the process for reporting any violations of personal data (so-called "data breach"). Furthermore, the structure that performs the duties of the data controller maintains constant communication with the Data Protection Officer (DPO), to support whom a dedicated organizational unit was set up in the 20th century";

- "with reference to the processing of personal data carried out in the context of the management of public tenders, [...] the related processing of personal data was recorded in the Treatment Register. On the XX date a DPIA was carried out), also collecting the opinion of the DPO [...], concerning the processing of personal data carried out in the context of the more general activity of organizing and managing public tenders, which indicates inter alia the purposes of the processing, the legal basis, the categories of interested parties and data processed, the expected retention times and the existing security measures”;

- "data processing activities are carried out only by authorized personnel, [...], in compliance with the provisions of articles 4, point 10), 29, and 32, par. 4 of the GDPR who, as required by the same internal provisions, are required to take the appropriate online training course [...], in order to provide them with specific expertise in the matter. Persons authorized within the personnel selection unit are also required to comply with the service communication on the processing of personal data [...], which draws the attention of employees to the importance of complying with the legislation on privacy and apply all the necessary measures to protect the data processed in the work processes”;

- "in particular, in relation to e-mail communications addressed to participants in competitions organized by the Bank, the following indications were recalled: (i) the recipients' e-mail addresses are extracted directly from the IT database of the competition, thus limiting possible errors in identifying the recipients themselves; (ii) these addresses are shown in the "knowledge by blind copy" field (hereinafter also "Bcc") of the e-mail; (iii) the text of the e-mail must contain, in any case, only information of a general nature and of common interest relating to the competition, previously examined by the unit manager or his deputy, with the exclusion of individual information or communications and of personal data”;

- “the correct use of e-mails is also the subject of various communications addressed to all Bank personnel. In particular, on 2 August 2019, a message was sent to all employees in which, with reference to the recipients of the e-mails, they are invited to use the Bcc field where it is necessary to protect their privacy [...]; a similar policy is also contained in Circular 184/93 [...] adopted by the Bank of Italy on information security, which in Annex II deals with the use of e-mail and specifically prohibits the sending of e-mail messages to recipients not interested in the content or unknown, to this end recommending that the correctness of the addresses be checked before sending and not to include information of a private and personal nature, confidential or that may have legal repercussions for the Institute in the messages”;

- "moreover, in the e-mails sent by the Bank of Italy there is a special disclaimer which highlights that they are of a confidential nature, informing the recipient that, if he receives them by mistake, he is requested to communicate via e-mail the receipt to the sender and to destroy the content”;

- "the Guidelines for the management of data breaches have been adopted and disseminated throughout the Bank [...] which implement the provisions of the Guidelines of the European Data Protection Board (EDPB) [... which] explicitly identify among the examples of data breaches the sending to mailing lists of one or more messages with the e-mail addresses of the recipients in clear text in the 'To' field or in the 'CC' field, and identify, among the recommended measures to prevent violations, the use of the Bcc field for emails intended for multiple external natural persons where it is not necessary to make the email addresses visible to all”;

- "the provisions indicated above were communicated to all employees, including employees of the unit dedicated to personnel selection, through the internal correspondence system and made accessible through the portal where the Bank's internal regulations are published";

- "after receiving the request for information of 20 July last, forwarded [by] the Authority, further organizational and technical measures have been adopted, functional to the correct processing of the e-mails in question and, in general, of the information and measures transmitted externally”;

- “within the personnel selection unit, the operating instructions for the transmission of communications via e-mail to the participants in the aforementioned competitions were also reaffirmed, through a specific guide for the management of the noreply.Concorsi@bancaditalia functional mailbox. it”;

- "from a technical point of view, we then intervened on the authorization system for the use of the "noreply.Concorsi@bancaditalia.it" mailbox, preventing those in charge of preparing the e-mails from being able to send them autonomously. In addition to the ordinary "four eyes" control, by the unit manager or his deputy, on the content of the e-mail to be sent, a similar control has been introduced on the material operation of sending the same: now only three authorized employees, distinct from those who take care of the e-mail preparation phase";

- "we then proceeded, with a specific internal communication intended for all the Bank's structures [...], to remind all personnel again to pay specific attention in the management of personal data, with particular reference to the external transmission of information and of provisions of the Bank which contain data of natural persons”;

- "as highlighted above, it is clear that the disputed event is the consequence of a mere material error, completely isolated, which concerned, among other things, exclusively one of the 8 massive e-mails sent in relation to the same pre-selection test . In other words, it is a single episode determined by behavior attributable to a single employee of the Institute, which appears to be discordant with the directives issued within the personnel selection unit and with the organizational process applied by the Bank in on the protection of personal data”;

- "the circumstance that the aforementioned employee correctly sent the other 7 e-mails and, with reference to the incorrectly addressed one, proceeded, after a few minutes, to send a massive e-mail compliant with the instructions received - i.e. by entering the e-mail addresses in Bcc - demonstrates his knowledge of these instructions, given with the aim of ensuring the protection of the personal data of the participants in the competitions, and that the sending of the only previous communication with the addresses in clear text it can be traced back to mere inattention”;

- "the measures adopted by the Bank of Italy and the factual circumstances referred to above, in particular the significant number of insolvency proceedings carried out by the Bank of Italy and massive communications sent correctly, also in relation to the pre-selection test itself, demonstrate that the organizational process applied by the Institute is suitable for preventing the occurrence of events of this kind, without prejudice to the risk related to the material error exceptionally incurred by the individual operator”;

- "the Bank is aware of the interpretation provided over time [by the Authority], according to which e-mail addresses are attributable to the notion of personal data [...]. For this reason, in carrying out insolvency procedures prodromal to the establishment of the employment relationship, the e-mail address - used exclusively for sending communications strictly connected to the organizational and management profiles of the test, in compliance with the principles referred to in 'art. 5 of the GDPR – is provided by the candidate when submitting the application to participate through the related online procedure, in which context the consent to the processing of personal data is collected and the related information is released to the interested parties, in compliance with the principles of lawfulness, correctness and transparency of the treatment”.

3. Outcome of the preliminary investigation.

3.1 The communication of personal data of the participants in the competition.

The regulation of personal data protection provides that public subjects, even when they operate in the performance of bankruptcy, selection or in any case evaluation procedures, prodromal to the establishment of the employment relationship, can process the personal data of the interested parties (art. 4, n. 1, of the Regulation) if the processing is necessary "to fulfill a legal obligation to which the data controller is subject" (think of specific obligations established by national legislation "for recruitment purposes", articles 6, paragraph 1, letter c), 9, par. 2, lit. b) and 4; 88 of the Regulation) or "for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" (Article 6, paragraph 1, letters c) and e) of the Regulation and art. 2-ter of the Code). The data controller is required, in any case, to respect the principles of data protection (Article 5, paragraph 1 of the Regulation).

On the basis of the elements acquired and the facts that emerged following the preliminary investigation, it is ascertained that the Institute sent on the XX date in rapid succession, from the address noreply.Concorsi@bancaditalia.it, attributable to the e-mail domain "Team Selezioni and recruitment", eight massive e-mails dividing the over five thousand participants in the public competition "for 19 Experts with orientation in legal disciplines" into groups of recipients, announced by the same Institute.

The content of the messages contained information on how to carry out the competition test and was aimed at providing detailed indications for the safe conduct of the procedure through measures to contain the contagion from Covid-19 in compliance with the emergency regulations in force at the time (Articles 5 and 6 of Legislative Decree No. 24 of 24 March 2022; see also the protocol for the conduct of public competitions issued by the Department of Public Administration on 15 April 2021) due to the persistent circulation of the virus, despite the cessation of the state of emergency by law .

It is also ascertained that only one of these e-mails addressed to a group of participants would have mistakenly reported the addresses of the other recipients as a "cc" copy instead of a "ccn" blind copy.

In acknowledging the fact that the operator who had materially committed the error did not notify the managers of the relevant office of what happened, did not allow the Institute to promptly activate "the procedure provided for by the internal provisions [...] for the management of data breach episodes", the following is however noted.

The sending of the e-mail message in question with the aforementioned methods - which, as confirmed by the Institute, was carried out as a result of an error committed by an employee - resulted in the e-mail addresses of each of the recipients in favor of the others, i.e. specific subjects who - also taking into account the definition of "third party" contained in art. 4, par. 1, no. 10 of the Regulation - they were not entitled to know the aforementioned contact details. The transmission of the message with the described methods also made all the interested parties, to whom the aforesaid e-mail was addressed, mutually aware of the participation in the competition (a circumstance also highlighted by the whistleblower who would have learned of the participation of one of his acquaintances in the same procedure).

What accidentally occurred constitutes, for data protection profiles, a communication of personal data in the absence of a specific legal prerequisite, since a valid consent given in this regard by the candidate cannot, however, be considered configurable when submitting the application to participate to the selective procedure (cons. 43 of the Regulation and, among others, provision n. 160 of 17 September 2020 web doc. n. 9461168 which specifies that the processing of data related to the carrying out of bankruptcy procedures find "their legal basis in the specific sector discipline that regulates access to jobs in public administrations and the procedures for carrying out public competitions [...] not with the consent of the interested parties").

Notwithstanding what has been declared regarding the fact that "email addresses used for communication purposes do not necessarily allow the unambiguous identification of the owner or user" and that "inclusion in the list of recipients of the communication on the pre-selection test does not certify the effective participation in the test itself", it should be noted that in numerous cases, among those covered by the report, the e-mail addresses bear the personal data of the interested parties, clearly reporting the name and/or surname of the interested parties, or the initials, acronyms or acronyms suitable for making the interested parties identifiable in any case, even in the presence of other information that may be available.

Furthermore, as also occurred in similar cases, as a result of the aforesaid communication, each of the recipients of the aforesaid communication was made aware (as in the case covered by the report), in addition to the e-mail address of the other candidates, also of the intention of everyone to participate in the insolvency procedure itself (see definitions of "personal data" and "interested party", art. 4, paragraph 1, no. 1, of the Regulation; see provision 15 December 2022, no. 419, doc web no. 9843741).

While acknowledging the measures implemented on a technical and organizational level to prevent the risk of errors in such circumstances of sending mass emails and the measures further introduced in order to improve existing processes, the communication of personal data to third parties, even by mere error in this isolated circumstance, it still appears to have occurred in violation of articles 5, par. 1, lit. a), and 6 of the Regulation, as well as 2-ter of the Code.

4. Conclusions.

In the light of the assessments referred to above, it should be noted that the statements made by the Bank of Italy during the investigation ˗ the truthfulness of which may be called upon to answer pursuant to art. 168 of the Code ˗ although worthy of consideration, do not allow the findings notified by the Office to be overcome with the act of initiation of the proceeding and are insufficient to allow the dismissal of the present proceeding, since none of the cases envisaged by the art. 11 of the Regulation of the Guarantor n. 1/2019.

Therefore, the preliminary assessments of the Office are confirmed and the illegality of the processing of personal data carried out by the Institute is noted, for having communicated the personal data of participants in the aforementioned competition procedure to third parties, in violation of articles 5 and 6 of the Regulation, as well as 2-ter of the Code.

That said, taking into account that:

- the episode, although it involved numerous interested parties, appears to have been isolated and determined by a mere human error, committed by an employee who physically proceeded to send the e-mail message in question;

- the message consisted of a communication of a general nature addressed without distinction to a plurality of candidates;

- the processing did not concern particular categories of data (see art. 9 of the Regulation) and did not involve knowledge of other specific circumstances relating to the family or personal conditions of the interested parties;

- the conduct was implemented in the context of the restart of bankruptcy proceedings in a period still characterized by a wide circulation of the SARS-CoV-2 virus, and in any case in a phase that is still particularly agitated and critical also in terms of organization and management of institutional activities;

- the Institute has taken steps to mitigate the effects of the communication by inviting the recipients of the communication to cancel, if not already done, the message in question, or not to disclose it or not to use the addresses of the other erroneously visible recipients;

- the Institute, as a result of the episode that occurred, further strengthened the existing procedures ("four eyes" check, by the unit manager or his deputy, on the content of the e-mail to be sent");

- the Institute has taken steps to introduce further technical and organizational measures to prevent the occurrence of similar events in the future (in particular, inhibition of the independent sending function for those in charge of preparing the e-mails; delayed sending of the message after further checking; internal awareness campaign to ensure greater attention in the phase of external transmission of information and provisions of the Bank which contain data of natural persons...);

- the number of interested parties involved (about 500) must be considered in relation to the total number of participants in the competition in question (over 5,000 candidates);

- there are no previous violations committed by the data controller or previous measures pursuant to art. 58 of the Regulation;

- the circumstances of the concrete case lead to qualifying the same as a "minor violation", pursuant to cons. 148 of the Regulation and the “Guidelines concerning the application and provision of administrative fines for the purposes of regulation (EU) no. 2016/679”, adopted by the Art. 29 Working Group on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with the “Endorsement 1/2018” of 25 May 2018.

In the light of all of the above and of the overall circumstances of the matter, it is therefore considered sufficient to reprimand the data controller for the violation of the aforementioned provisions, pursuant to Article 58(2)(b) of the Regulation (see also Recital 148 of the Regulation).

In this context, given in any case that the conduct has exhausted its effects, the conditions for adopting further corrective measures under Article 58(2) of the Regulation are not met.

Finally, it is noted that the conditions laid down in Article 17 of Regulation no. 1/2019 are met.

HAVING REGARD TO ALL OF THE ABOVE, THE GARANTE

a) declares, pursuant to Article 57(1)(f) of the Regulation, the unlawfulness of the processing of personal data carried out by the Bank of Italy, in the person of its legal representative pro tempore, with registered office in Via Nazionale, 91 - 00184 Rome (RM), Tax Code 00997670583, for violation of Articles 5(1)(a) and 6 of the Regulation and of Article 2-ter of the Code, in the terms set out in the reasoning;

b) pursuant to Article 58(2)(b) of the Regulation, reprimands the Bank of Italy, as the data controller in question, for having violated Articles 5(1)(a) and 6 of the Regulation and Article 2-ter of the Code, as described above;

c) considers that the conditions laid down in Article 17 of Regulation no. 1/2019 on internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers entrusted to the Garante, are met.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, an appeal against this decision may be lodged before the ordinary judicial authority, on pain of inadmissibility, within thirty days of the date of its communication, or within sixty days if the appellant resides abroad.

Rome, 23 February 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei
