Garante per la protezione dei dati personali (Italy) - 9885127

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 9(1) GDPR
Article 9(2) GDPR
Article 9(2)(e) GDPR
Article 5(1)(c) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: 9885127
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: n/a

The manager of a condominium disclosed the Covid status of a family in the building to other residents. The Italian DPA issued a €2,000 fine for violation of Article 9(1) and (2) GDPR.

English Summary

Facts

On 5 August 2021, a condominium manager, acting as the controller, sent an email to all condominium members to let them know that a family of residents, the data subjects, had tested positive for Covid-19 and therefore sanitary measures were being taken. On 10 September 2021, the data subjects filed a complaint with the Italian DPA, claiming that the controller violated their right to data protection. In his defense, the controller claimed to have learned about the family's health status from the person who cleans the condominium who, in turn, learned from other residents. He argued that the exception to the general prohibition on the processing of health data under Article 9(2)(e) GDPR was applicable as the information had been manifestly made public. In the controller's view, it was the data subjects themselves who disclosed the information to the person who worked inside the building. Therefore, the controller considered that a valid consent was given to the further processing of the data subjects' personal data. In addition, the controller stated that the purpose of the email was to prevent contagion between neighbors, which is a legitimate interest.

Holding

First, the DPA acknowledged that the controller had processed a special category of personal data by disclosing the data subjects' health status to the condominium members. According to the DPA, the derogation provided for by Article 9(2) GDPR was not affected by the emergency legislation related to the Covid-19 pandemic. Therefore, the general prohibition to disclose health data remained intact.

Second, as for the claim that the data had already been made public, the DPA stated that the fact that the data subjects had decided to confide their state of health to third parties (a circumstance only declared, but not demonstrated) does not amount to making the data public or consenting to its further processing.

Third, the DPA emphasized that, according to the principle of data minimization, the purpose of preventing contagion could have been achieved by means less invasive of the data subjects' privacy. For instance, their names could have been left out of the email.

For the above reasons, the DPA imposed a €2,000 fine on the controller for violating Article 9(1) and (2) GDPR.

Comment

The controller claimed to be covered by the Article 9(2)(e) exception, but the DPA rejected the argument. Therefore, there was a violation of Article 9(1) only, as the general prohibition (and no exemption) applied.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9885127]

Provision of 23 March 2023

Register of measures
no. 91 of 23 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";

CONSIDERING the complaint presented by Ms XX and Mr. XX on 09/10/2021, pursuant to art. 77 of the Regulation, with which a violation of the regulations on the protection of personal data by the Administrator of the Condominium XX, Rag. Paolo Meloni;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. The initiation of proceedings.

With the complaint presented to this Authority on 09/10/2021, Ms XX and Mr. XX complained of a violation of the regulations on the protection of personal data by Mr. Paolo Meloni, Administrator of the XX Condominium, located in XX.

In particular, it was represented that the Administrator, having become aware of the Covid-19 infection of the XX family, sent an e-mail to all the condominium members in which it was clearly indicated that "the family XX is positive for Covid" and which, therefore, had prepared the disinfestation measures provided for by the health protocols.

With the note of 05/10/2021 (prot. n. 49763), the Office invited Mr. Paolo Meloni to provide observations on what is represented in the complaint, indicating the conditions of legitimacy at the basis of the treatment carried out.

With the note dated 02/11/2021, the party provided feedback to the aforementioned request for clarification, declaring, in particular, that he had learned of the state of health of the XX family from the condominium members themselves who, therefore, already knew of the health conditions of the complainants.

The e-mail, the subject of the complaint, had been sent to all condominium members for the sole purpose of protecting health and preventing them from coming into contact with the family who tested positive for Covid-19.

For the above, the Office proceeded to notify Mr. Paolo Meloni, Administrator of Condominium XX, the deed of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of art. 9, par. 1 and 2, of the Regulation (prot. n. 3633 of 01/18/2022).

Mr. Paolo Meloni, on 02/17/2022, sent his own defensive writings, pursuant to art. 18 of the law n. 689/1981, in which he declared that he had learned of the health conditions of the two complainants from the cleaner of the Condominium who, in turn, had learned it directly from Ms XX.

Therefore, "The news spread among all the condominiums, not as a result of the email sent by the administrator a few days later". Specifically, the party also stated that:

- "Although in abstract the email of 08/05/2021 could constitute a case of processing of sensitive data and that said processing could certainly have been carried out by the administrator, who had "informal" knowledge of it, with equally effective but less invasive methods (for example, using a notice without references to identify the interested parties), (…), the unlawful conduct indicated by the Department deriving from art. 2-septies, paragraph 8, and art. 166, paragraph 2, of the Code (dissemination of data suitable for revealing the state of health of the interested parties without their consent) by virtue of the exception to the general principle of absolute prohibition of the processing of personal data referred to in letter e) of paragraph 2 of the art. 9 of the GDPR, which contemplates the possibility that the data - if made manifestly public by the data subject - may be processed";

- "the specific information on the health conditions of the complainants (i.e. having contracted the virus) were provided by themselves to people who worked inside the building: which, in the absence of a case study, is considered equivalent to a valid consent to their treatment".

2. The outcome of the investigation.

Following the examination of the documentation produced and the declarations made by the party during the proceedings, provided that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code, it emerged that the Administrator carried out a treatment of particular categories of personal data referring to the two complainants, consisting in the communication of their health condition to the other condominium members, in the absence of suitable legitimacy conditions, in violation of art. 9, par. 1 and 2 of the Regulation.

It is stated that the art. 5 of the Regulation, in identifying the fundamental principles applicable to the processing of personal data, prescribes, among other things, the principle of minimization, according to which "personal data are adequate, pertinent and limited to what is necessary with respect to the purposes for which are treated".

In the present case, it is clear that the purpose pursued by the Administrator in the particular epidemiological context due to the Covid-19 emergency could well have been achieved without communicating to the condominium members the names of people affected by the Coronavirus, in compliance with the aforementioned principle of data minimization.

That said, it is noted that the art. 9 of the Regulation establishes, in the first paragraph, the prohibition of carrying out the processing of particular categories of personal data, which includes data relating to health.

It is also recalled that pursuant to art. 4, par. 1, no. 2, of the Regulation, treatment is "any operation or set of operations (...) such as collection, registration, organization, (...), communication by transmission, dissemination or any other form of making available (...)".

The derogation from the processing of particular categories of personal data occurs only in the cases, strictly provided for by art. 9, par. 2, of the Regulation itself, and has not been affected by the emergency legislation resulting from the epidemiological emergency from Covid-19, so that the prohibition, by any public or private entity, to disseminate, through websites or other channels, and to communicate (as in the present case) the names of the confirmed cases of Covid-19 or of the subjects subjected to the isolation measure for the purpose of containing the spread of the epidemic to unauthorized subjects (on this point see the "Faq on Covid-19 and Data Protection" published on the Authority's website).

The party considered the hypothesis provided for by art. 9, par. 2, letter e) according to which the prohibition does not apply where "the processing concerns personal data manifestly made public by the interested party".

However, this hypothesis does not apply as no index of the publicity of the data relating to the contagion can be found, in the present case, and the fact that the interested parties have decided to confide their state of health to third parties (people who work in the building), a circumstance moreover only declared and not demonstrated, it does not in any case realize the invoked assumption.

3. Conclusions: illegality of the treatments carried out.

In the light of the foregoing assessments, it should be noted that the statements made by the data controller in the defense writings - for the truthfulness of which one may be called upon to answer pursuant to art. 168 of the Code - do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and are insufficient to allow it to be dismissed, since none of the cases envisaged by art. 11 of the Guarantor's regulation n. 1/2019, concerning the internal procedures of the Authority with external relevance.

For the above reasons, the complaint presented pursuant to art. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2 of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83. para. 5, of the Regulation.

4. Injunction order.

The Guarantor, pursuant to art. 58, par. 2, lit. i) of the Regulation and of the art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. Law 24 November 1981 n. 689), in relation to the processing of personal data referring to the complainants, whose illegality has been ascertained, in the terms exposed above.

With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the administrative fine and the related quantification, taking into account that the fine must be "in each individual case effective, proportionate and dissuasive" (art. 83, paragraph 1 of the Regulation), it is represented that, in the present case, the following circumstances were taken into consideration:

- with regard to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which involved the communication to third parties of data falling within the so-called particular categories;

- the absence of previous relevant violations committed by the data controller;

- the circumstance that the interested parties involved are two, belonging to the same family nucleus.

In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (Article 83, paragraph 1, of the Regulation) with which the Authority must comply in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the tax return for the year 2021.

Based on the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 2,000.00 (two thousand) euros for the violation of articles 12 and 15 of the Regulation.

In this context, also in consideration of the type of violation ascertained, which concerned the rights of the interested party, it is believed that, pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, this provision must be published on the Guarantor's website.

Finally, it should be noted that the conditions pursuant to art. 17 of regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THAT BEING CONSIDERED, THE GUARANTOR

declares, pursuant to articles 57, par. 1, lit. f) and 83 of the Regulation, the illegality of the treatment carried out by Mr. Paolo Meloni, Administrator of Condominium XX, Tax Code XX, residing in XX in via XX, in the terms set out in the justification, for the violation of art. 9, par. 1 and 2, of the Regulation;

ORDER

to Mr. Paolo Meloni, pursuant to art. 58, par. 2, lit. i), of the Regulation, to pay the sum of 2,000.00 (two thousand) euros as an administrative fine for the violations indicated in this provision;

ENJOINS

to the same to pay the sum of Euro 2,000.00 (two thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.

It is represented that pursuant to art. 166, paragraph 8 of the Code, without prejudice to the offender's right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the term referred to in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below.

HAS

pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set forth in art. 17 of regulation no. 1/2019.

Pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within 30 days from the date of communication of the provision itself, or 60 days if the appellant resides abroad.

Rome, 23 March 2023

PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE SECRETARY GENERAL
Mattei
