Garante per la protezione dei dati personali (Italy) - 9917728

From GDPRhub
Revision as of 08:00, 23 August 2023 by 84.113.103.211 (talk)
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(f) GDPR
Article 9 GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 01.06.2023
Fine: 25,000 EUR
Parties: Azienda Usl Toscana Sud Est
National Case Number/Name: 9917728
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: Sophia Hassel

The Italian DPA fined a local health authority for showing the complainant's first and last names on an advertisement. The DPA found violations of Articles 5(1)(a), (c) and (f), 9, and 25(1) and (2) and issued a fine of 25,000 euros under Article 83.

English Summary[edit | edit source]

Facts[edit | edit source]

An advertising billboard depicted a first aid care setting with a first aid card visible in the scene. The card contained the name of the data subject along with the name of their healthcare provider. The billboard was placed in the main entrance of the emergency room of an Italian hospital and was therefore accessible to the public. The controller removed the billboard once notified of the data breach by the data subject. The controller also self-reported the breach to the DPA under Article 33. Criminal proceedings were also launched against the controller's data protection officer, which were later dismissed by a judge.

Holding[edit | edit source]

The personal data (first and last name) was deemed health data under Article 4(15) because the data subject's name was combined with the name of their healthcare provider.

Therefore, the controller's dissemination of the health data to the public was found to violate Articles 5(1)(a), (c) and (f), as the processing was unlawful, excessive for its intended purpose and failed to ensure the security of the personal data. Article 9 was also violated, as processing of health data is prohibited, and the health authority failed to ensure privacy by design in its advertisement, infringing Articles 25(1) and (2).

The DPA considered the corrective measure under Article 58(2) to be the removal of the billboard. While the controller had removed the billboard without instruction, given that the breach had already occurred, the DPA nonetheless imposed a fine. The DPA found violations of Articles 5(1)(a)(c)(f), 9, 25(1) and (2) and issued a fine of 25,000 euros under Article 83.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of August 4, 2023

[doc. web no. 9917728]

Provision of 1 June 2023

Register of measures
no. 227 of 1 June 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia, member, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196, containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regarding the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/EC (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution of the Guarantor n. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

SPEAKER Dr. Agostino Ghiglia;

WHEREAS

1. The preliminary investigation.

In the month of XX, this Authority received a complaint relating to the creation by the Local Health Authority of South East Tuscany (hereinafter Local Health Authority) of advertising messages depicting a health worker sitting at a workstation, in which, according to what is documented in , the complainant's "name, surname, date of birth, place of birth, residence, health card number, first aid card, entry date, time, exit date, severity of discharge, prognosis, treatment and prescribed medicines" were visible.

On the XX date, the AUSL presented a notification of infringement pursuant to art. 33 of the Regulation in relation to the facts of the complaint, in which it highlighted that it had communicated the aforementioned violation to the interested party pursuant to art. 34 of the Regulation.

On the XX this Office requested information from the aforementioned AUSL also in order to know the technical and organizational measures adopted or which it intended to adopt in order to prevent episodes like the one reported from happening again.

With a note dated XX, the AUSL responded to the aforementioned request for information, stating, in particular, that:

• "in the billboard in question depicting a first aid care setting, visibility is limited only to the name and surname of the person concerned, resulting in a generic correlation between the subject and a first aid service (in this sense qualifying as data relating to health at light of the broad concept offered by the Regulation) but certainly characterized by a scarce specificity of the information content, given that no further and/or specific data relating to the health referring to the data subject is visible";

• "the positioning of the billboard with the above characteristics in the triage of the Emergency Department is attributable to an accidental internal action, to mere inattention in an exceptional temporal context given the persistence of an emergency state of health emergency (with the consequent load of organizational and human stress) and close to the planning and resumption of ordinary activities in anticipation of the cessation of the state of emergency";

• “Dated XX u.s., with PEC prot. no. XX was received from the interested party, by means of the lawyer (…), note containing "Warning of violation of personal data pursuant to article 33 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data"" in which "a request for compensation for damages, patrimonial and non-patrimonial, was made to this Company, in relation to the presence of the billboard in the Emergency Department of the Arezzo Hospital" (currently under examination) warning the same Company " to the immediate cancellation of the data”;

• in relation to the request for cancellation, the AUSL communicated to the interested party to "use pursuant to art. 12, par. 3 of the GDPR, of the right to extend the deadline by two months for providing feedback on the actions taken regarding the request formulated" also in consideration of the need to involve the "competent structures with reference to the entire territorial area of the Company"; from whose findings it emerged that:

o "in the offices/territorial offices pertaining to the district areas of the Company and in the offices/premises of the Hospitals and related Company establishments there are no other examples of the billboard located in the Accident and Emergency Department of the San Donato Hospital of Arezzo";

o "on the Company's Facebook page, on the website and on the company intranet there are no images of the billboard with the characteristics described";

o "the copy of the billboard located in the Emergency Department of the San Donato Hospital in Arezzo has been removed and placed under custody in a locked room with no possibility of access, except by specifically authorized personnel, as evidence in the compensation dispute in place with the Company";

• the "XX u.s., formal feedback was provided to the interested party (...) regarding the outcomes as represented above of the actions undertaken by the Company following the request received";

• “in the month of August of this year, the Data Protection Manager of the Company who jointly signs this response, was notified of the status of suspect under the proc. pen no. (…) following a complaint/complaint presented by the interested party through the lawyer Elisa Fornaciari, for the crime pursuant to art. 167 Legislative Decree 196/2003 in relation to the presence of the billboard at the Emergency Department of Arezzo”;

• "As regards organizational and procedural measures, including of a general nature, and staff awareness, to prevent similar episodes in the future, it should be noted that:

o the Company systematically proceeds with a training course for new hires in correspondence with new entries on permanent contracts, scheduled on the first and sixteenth of the month; among the topics of a general nature covered, "General Data Protection Regulation-GDPR and data protection company model" with training material prepared by the Data Protection Officer";

o "a company procedure is being prepared which obliges the managers of the structures who intend to create on any support (signs, brochures, videos, etc.) material relating to communication, information, education/health promotion initiatives, to liaise with the corporate structure responsible for communication, also for the purpose of acquiring a prior assessment by the Company's Data Protection Manager. This procedure will supplement the provisions of the General Manager's Circular sent by email to all Company operators on the XX date 'Video shooting in the company environment and their dissemination via social networks, directives to operators' (..) and the provisions referred to in the Company Regulations on the use of social media - Social Media Policy referred to in resolution no. XX of XX".

In relation to what emerged from the documentation in the records, the Office notified the aforementioned AUSL, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, inviting the aforesaid owner to produce defense writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 11/24/1981) (note of the XX, prot. n. XX whose terms were extended with a note of the XX prot. n. XX).

In this deed, the Office noted that the AUSL disclosed data on the complainant's health since the aforementioned billboard showed his personal data associated with the fact that an emergency medical service had been provided in violation of the art. 2 septies, paragraph 8, of the Code and of the basic principles of the treatment pursuant to articles 5, 25 and 9 of the Regulation.

With the same note, the Office asked the aforementioned AUSL to acquire a photographic image of the aforementioned billboard, in order to ascertain whether other information relating to the service provided and the state of health of the complainant, as claimed by the same, was also visible on it ("health card number, first aid card, entry date, time of entry, exit date, severity of discharge, prognosis, treatment and prescribed medicines").

With the XX and XX notes, the AUSL transmitted three images of the aforementioned billboard (1 image of the entire billboard and 2 detailed images, acquired in the documents) and sent its own defense briefs, renouncing the right to be heard in audition.

In the note of the XX, the AUSL represented, in particular, that:

- with reference to the criminal proceeding initiated against the data protection officer of the AUSL indicated above, "on the XX date, the Judge for preliminary investigations adopted an order for the dismissal of the proceeding" in relation to "the request for dismissal by the Public Prosecutor" and to the related opposition of the claimant's lawyer. In this ordinance it is reported that "no other sensitive data of the P.O. can be identified on the billboard, and also his name is visible only following a significant enlargement";

- the period of exposure to the public of the aforesaid billboard cannot be "specified but not longer than a few weeks" as also confirmed by the report of the UOC Director of Emergency Medicine and Emergency Department of the San Donato Hospital in the file;

- the aforementioned billboard "was not placed in a waiting room but was posted in the main entrance corridor for patients in the Emergency Room, at the time of the events used only by negative Covid patients entering and an environment where normally there were no stops of patients or other users". Furthermore, at the material time, "the specific Company procedure was in force (Annex F.l) which forbade the access of carers or visitors to hospital facilities, including the Emergency Department, in order to limit the number of people present inside them due to the need to contain the potential Covid contagion";

- the positioning of the billboard in the emergency room "is attributable to an accidental internal action, to mere inattention in an exceptional temporal context given the persistence of a state of health emergency for two years (with the consequent load of stress organizational and human) and close to the planning and resumption of ordinary activities in anticipation of the cessation of the state of emergency on 31 March 2022";

- "The billboard was immediately removed from the entrance corridor of the Emergency Department and placed under custody in a locked room with no possibility of access, except by specifically authorized personnel". "The copy has been kept and is still in custody in the manner indicated above as a probative element in the ongoing compensation dispute with the Company";

- "From the formal findings received from the structures, and in the documents, it emerged that in the territorial offices/offices pertaining to the Company's district areas and in the offices/premises of the Hospitals and related Company establishments, there were no other examples of the billboard present advertisement located in the Emergency Department of the San Donato Hospital in Arezzo”;

- "it emerged that on the Company's Facebook page, on the website and on the company intranet there were no images of the billboard with the characteristics described";

- “Pursuant to art. 17, par. 2, RGPD, the Company has taken steps to notify the receipt of the note from the lawyer (...) containing warning to the deletion of his client's data shown on a company billboard posted at the Arezzo Hospital as well as on any other supports, of whatever nature, bearing the aforesaid image, the following subjects: Studio (XX), Typography (XX)";

- "During 2022 all the Directors of Complex, Simple Departmental and Functional Units, as well as the Data Protection Representatives of Macrostructure were enrolled in mandatory individual training in the "Data protection in healthcare" course, lasting 7 hours" and that the 2023 Annual Training Plan provided for the re-proposition of the aforementioned course;

- "At XX the Training Course "The processing of data - with particular reference to images - in the Healthcare Company" was held in the Company", which was attended by 192 operators of various profiles (technical, administrative, healthcare) and of which an edition is also planned for 2023”;

- "A company procedure has been prepared" (in deeds) "which governs the provision of a centralized supervision at company level in order to create materials with the use of images on any medium (signs, brochures, videos, photos, posts, etc.) aimed at publication/dissemination as part of the Company's institutional initiatives of information, communication, education/health promotion. This procedure recalls and integrates the provisions of the General Manager's Circular sent by email to all Company operators on the XX date 'Photo and video shooting in the company environment and their dissemination via social networks, directives to operators'" (in deeds) "and the provisions of the Company Regulations on the use of social media - Social Media Policy pursuant to resolution no. XX of XX";

- "With Resolution of the General Manager no. XX of XX, the Code of Conduct of the USL Toscana Sud Est Company was updated, which contains specific provisions relating to the protection of personal data and the use of social networks."

2. Outcome of the preliminary investigation.

Having taken note of what is represented by the AUSL Toscana Sud Est in the documentation in the deeds and in the defense briefs, it is noted that:

pursuant to the Regulation, "data relating to health" are considered personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health (art. 4, par. 1, no. 15, of the Regulation). Recital no. 35 of the Regulation then specifies that data relating to health "include information on the natural person collected during his registration in order to receive health care services";

pursuant to the Regulation, personal data must be "processed in a lawful, correct and transparent manner in relation to the interested party ("lawfulness, correctness and transparency")" and must be "adequate, relevant and limited to what is necessary with respect to the purposes for which are processed ("minimization of data")" (Article 5, paragraph 1, letter a) and c) of the Regulation);

the data must also be processed "in such a way as to guarantee adequate security (...), including protection, through appropriate technical and organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage (principle of " integrity and confidentiality")" (Article 5, paragraph 1, letter f), of the Regulation);

the data controller is required to implement "from the planning stage", i.e. both when determining the means of processing and at the time of the processing itself, "adequate technical and organizational measures, [...] aimed at effectively implementing the principles of data protection, such as minimisation, and to integrate the necessary guarantees in the processing in order to meet the requirements of this regulation and protect the rights of data subjects" (privacy by design), ensuring "that they are processed, by default" (privacy by default) «only the personal data necessary for each specific purpose of the processing» (art. 25, par. 1 and 2, of the Regulation);

the regulation on the protection of personal data provides that information on the state of health cannot be disseminated and can be communicated to a person other than the interested party only on the basis of a suitable legal prerequisite or on the indication of the interested party subject to written authorization of the latter (Articles 2 septies, paragraph 8 and Article 166, paragraph 2, of the Code and Article 9 of the Regulation);

the Authority since 2014, in accordance with art. 22, ch. 8 of the Code then in force, represented that "the publication of any information from which it is possible to infer the state of illness or the existence of pathologies of the subjects concerned is prohibited, including any reference to the conditions of invalidity, disability or physical handicap and /or psychic. To this end, from the stage of drafting the deeds and documents to be published, in compliance with the principle of adequate motivation, "excess", "irrelevant", "non-essential" (and, even less, "forbidden"). Otherwise, it is necessary to provide for the relative obscuration" (see Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for purposes of advertising and transparency on the web by public subjects and other bodies obliged, part II, paragraph 1, of 15.5.2014, web doc. n. 3488002);

from the documentation produced in the deeds, and also in the light of what is indicated in the order to dismiss the criminal proceedings initiated on the facts of the appeal, adopted by the Judge for preliminary investigations of Arezzo on the XX, it is noted that the complainant's name and surname were recognizable on the aforementioned billboard, in the first aid operator's screenshot shown on the billboard;

the presence on the aforementioned billboard of the complainant's personal data associated with the health service provided to him in an emergency integrates a dissemination of data on his health since, according to what was declared in the documents, the aforementioned billboard had been located in the main patient entrance corridor in the emergency room, or in an area accessible to anyone;

from the documentation in the documents, it is therefore ascertained that the AUSL Toscana Sud Est has disseminated information on the state of health of an interested party since in the aforementioned advertising billboard, located in a place accessible to anyone, the name and surname of the complainant was recognizable on a first aid card displayed on the operator's screen shown on the aforementioned billboard.

3. Conclusions.

In the light of the assessments referred to above, taking into account the statements made by the owner during the preliminary investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the duties or the exercise of the powers of the Guarantor" ˗ the elements provided by the data controller in the defense briefs do not make it possible to overcome the findings notified by the Office with the deed of initiation of the proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

For these reasons, the unlawfulness of the processing of personal data carried out by AUSL Toscana Sud Est, in the terms set out in the justification, in violation of articles 5, par.1, lett. a), c) and f), 9 and 25, paras. 1 and 2, of the Regulation, of the art. 2 septies, paragraph 8 of the Code.

In this context, it being understood that the AUSL Toscana Sud Est has declared that it has removed the aforementioned advertising billboard, the conditions for the adoption of the corrective measures pursuant to art. 58, par. 2, of the Regulation.

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of the articles 5, par.1, lett. a), c) and f), 9 and 25, paras. 1 and 2, of the Regulation, of the art. 2 septies, paragraph 8 of the Code, caused by the conduct implemented by the AUSL Toscana Sud Est, is subject to the application of the administrative fine pursuant to art. 83, par. 4 and 5, of the Regulation and of the art. 166, paragraph 2 of the Code.

Consider that the Guarantor, pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in art. 83, par. 1, of the Regulation, in the light of the elements provided for in art. 85, par. 2, of the Regulation in relation to which it is observed that:

the Authority became aware of the event following the violation notification presented by the AUSL on XX pursuant to art. 33 of the Regulation and of the complaint presented by the interested party to XX (art. 83, paragraph 2, letter h), of the Regulation);

the dissemination concerns the personal data related to the provision of a first aid service of a data subject present on a single billboard placed in a place accessible to the public (Article 83, paragraph 2, letters a) and g), of the Regulation);

the aforesaid billboard was posted for a few weeks in a room which, although it was open to the public (main entrance corridor for patients to the Emergency Department), given the concomitance of the pandemic period, was intended for the transit of only Covid-19-negative patients and precluded to their companions (Article 83, paragraph 2, letters a) and g), of the Regulation);

the facts under examination occurred during the ongoing state of health emergency from Covid-19 (Article 83, paragraph 2, letters a) and g), of the Regulation);

the AUSL promptly cooperated in order to remedy the violation by removing the aforementioned billboard and warning the companies involved in the creation of the same to cancel the complainant's personal data, promptly reporting it to the same (Article 83, paragraph 2, letter f), of the Regulation);

the AUSL has carried out mandatory training courses for staff for the year 2022 and planned a new training cycle for the year 2023, and carried out the training course in December 2022 "Data processing - with particular reference to images - in the Healthcare Company", which was attended by numerous operators of various profiles (technical, administrative, healthcare), of which a new edition is expected in 2023 (Article 83, paragraph 2, letter c), of the Regulation);

following the facts subject to the investigation, the AUSL has prepared a company procedure which governs the provision of a centralized supervision at company level in order to create materials with the use of images on any medium (signs, brochures, videos, photos, posts, etc.) aimed at publication/dissemination as part of the Company's institutional information, communication, education/health promotion initiatives (Article 83, paragraph 2, letter c), of the Regulation);

although the AUSL has been sanctioned for previous violations of the regulation on the processing of personal data, these do not concern the dissemination of health data (Article 83, paragraph 2, letter e) of the Regulation).

Based on the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, letter. a), of the Regulation, to the extent of 20,000 (twenty thousand) euros for the violation of articles 5, par.1, lett. a), c) and f), 9 and 25, paras. 1 and 2, of the Regulation, of the art. 2 septies, paragraph 8 of the Code, as a pecuniary administrative sanction withheld, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that the ancillary sanction of publication on the Guarantor's website of this provision should be applied, provided for by art. 166, paragraph 7, of the Code and by art. 16 of the Regulation of the Guarantor n. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it should be noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Local Health Unit of South East Tuscany for the violation of the articles 5, par.1, lett. a), c) and f), 9 and 25, paras. 1 and 2, of the Regulation, of the art. 2 septies, paragraph 8 of the Code in the terms set out in the justification.

ORDER

pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation, as well as art. 166 of the Code, to the South East Tuscany Local Health Authority, P.I. and tax code 02236310518, in the person of the pro-tempore legal representative, to pay the sum of 20,000 (twenty thousand) euros as an administrative fine for the violations indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ENJOINS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 20,000 (twenty thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689/1981.

PROVIDES FOR

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision in full on the website of the Guarantor and the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation.

pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 1st June 2023

PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE SECRETARY GENERAL
Mattei





SEE ALSO Newsletter of August 4, 2023

[doc. web no. 9917728]

Provision of 1 June 2023

Register of measures
no. 227 of 1 June 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stazione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia, member, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (hereinafter the "Code");

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers entrusted to the Guarantor for the protection of personal data, approved by resolution of the Guarantor no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and at www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD TO the documentation on file;

HAVING REGARD TO the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, at www.gpdp.it, doc. web no. 1098801;

RAPPORTEUR Dr. Agostino Ghiglia;

WHEREAS

1. The preliminary investigation.

In the month of XX, this Authority received a complaint concerning the creation by the Local Health Authority of South East Tuscany (hereinafter "AUSL") of advertising material depicting a health worker seated at a workstation, on which, according to what was documented, the complainant's "name, surname, date of birth, place of birth, residence, health card number, emergency department record, entry date, time, exit date, severity of discharge, prognosis, treatment and prescribed medicines" were visible.

On XX, the AUSL submitted a personal data breach notification pursuant to art. 33 of the Regulation in relation to the facts of the complaint, in which it stated that it had communicated the breach to the data subject pursuant to art. 34 of the Regulation.

On XX, this Office requested information from the AUSL, also in order to learn of the technical and organizational measures adopted, or which it intended to adopt, to prevent episodes such as the one reported from recurring.

By note dated XX, the AUSL responded to the request for information, stating, in particular, that:

• "in the billboard in question, depicting an emergency department care setting, visibility is limited only to the name and surname of the person concerned, resulting in a generic correlation between the subject and an emergency department service (in this sense qualifying as data relating to health in light of the broad concept offered by the Regulation), but certainly characterized by a scant specificity of information content, given that no further and/or specific data relating to the health of the data subject is visible";

• "the positioning of the billboard with the above characteristics in the triage area of the Emergency Department is attributable to an accidental internal action, to mere inattention in an exceptional temporal context, given the persistence of a state of health emergency (with the consequent load of organizational and human stress) and the proximity of the planning and resumption of ordinary activities in anticipation of the end of the state of emergency";

• "On XX last, by PEC prot. no. XX, a note was received from the data subject, through the lawyer (...), containing a "Warning of violation of personal data pursuant to article 33 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data", in which "a request for compensation for pecuniary and non-pecuniary damage was made to this Company, in relation to the presence of the billboard in the Emergency Department of the Arezzo Hospital" (currently under examination), putting the Company on notice "to delete the data immediately";

• in relation to the request for deletion, the AUSL informed the data subject that it would "avail itself, pursuant to art. 12, par. 3, of the GDPR, of the right to extend by two months the deadline for providing feedback on the actions taken regarding the request made", also in view of the need to involve the "competent structures with reference to the entire territorial area of the Company"; the findings of those structures showed that:

o "in the offices/territorial premises pertaining to the district areas of the Company and in the offices/premises of the Hospitals and related Company establishments there are no other copies of the billboard located in the Emergency Department of the San Donato Hospital of Arezzo";

o "on the Company's Facebook page, on the website and on the company intranet there are no images of the billboard with the characteristics described";

o "the copy of the billboard located in the Emergency Department of the San Donato Hospital in Arezzo has been removed and placed in custody in a locked room with no possibility of access, except by specifically authorized personnel, as evidence in the compensation dispute pending with the Company";

• "on XX last, formal feedback was provided to the data subject (...) regarding the outcome, as represented above, of the actions undertaken by the Company following the request received";

• "in August of this year, the Company's Data Protection Officer, who co-signs this response, was notified of his status as a suspect in criminal proceedings no. (...) following a complaint filed by the data subject through the lawyer Elisa Fornaciari, for the offence under art. 167 of Legislative Decree 196/2003 in relation to the presence of the billboard at the Emergency Department of Arezzo";

• "As regards organizational and procedural measures, including those of a general nature, and staff awareness, to prevent similar episodes in the future, it should be noted that:

o the Company systematically runs a training course for new hires, timed to coincide with new permanent-contract entries and scheduled on the first and sixteenth of the month; among the general topics covered is "General Data Protection Regulation - GDPR and the company data protection model", with training material prepared by the Data Protection Officer";

o "a company procedure is being prepared which obliges the managers of the structures who intend to create, on any medium (signs, brochures, videos, etc.), material relating to communication, information and education/health promotion initiatives to liaise with the corporate structure responsible for communication, also for the purpose of obtaining a prior assessment by the Company's Data Protection Officer. This procedure will supplement the provisions of the General Manager's Circular sent by email to all Company operators on XX, 'Video shooting in the company environment and their dissemination via social networks: directives to operators' (...), and the provisions of the Company Regulations on the use of social media (Social Media Policy) referred to in resolution no. XX of XX".

In light of what emerged from the documentation on file, the Office notified the AUSL, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures pursuant to art. 58, par. 2, of the Regulation, inviting the controller to submit defence briefs or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981) (note of XX, prot. no. XX, whose deadline was extended by note of XX, prot. no. XX).

In that deed, the Office noted that the AUSL had disseminated data concerning the complainant's health, since the billboard displayed his personal data in association with the fact that an emergency medical service had been provided to him, in violation of art. 2-septies, paragraph 8, of the Code and of the basic principles of processing under articles 5, 9 and 25 of the Regulation.

In the same note, the Office asked the AUSL to obtain a photographic image of the billboard, in order to ascertain whether other information relating to the service provided and to the complainant's state of health, as he claimed, was also visible on it ("health card number, emergency department record, entry date, time of entry, exit date, severity of discharge, prognosis, treatment and prescribed medicines").

By notes of XX and XX, the AUSL transmitted three images of the billboard (one image of the entire billboard and two detail images, placed on file) and sent its defence briefs, waiving the right to be heard.

In the note of XX, the AUSL represented, in particular, that:

- with reference to the criminal proceedings brought against the AUSL's Data Protection Officer indicated above, "on XX, the Judge for preliminary investigations adopted an order dismissing the proceedings" in relation to "the request for dismissal by the Public Prosecutor" and the related opposition of the complainant's lawyer. That order states that "no other sensitive data of the injured party can be identified on the billboard, and even his name is visible only after significant enlargement";

- the period during which the billboard was exposed to the public cannot be "specified, but was not longer than a few weeks", as also confirmed by the report, on file, of the Director of the UOC Emergency Medicine and Emergency Department of the San Donato Hospital;

- the billboard "was not placed in a waiting room but was posted in the main entrance corridor for patients to the Emergency Department, used at the time of the events only by incoming Covid-negative patients, and an environment in which patients or other users normally did not linger". Furthermore, at the material time "the specific Company procedure was in force (Annex F.1) which forbade access by carers or visitors to hospital facilities, including the Emergency Department, in order to limit the number of people present inside them given the need to contain potential Covid contagion";

- the positioning of the billboard in the Emergency Department "is attributable to an accidental internal action, to mere inattention in an exceptional temporal context, given the persistence of a state of health emergency for two years (with the consequent load of organizational and human stress) and the proximity of the planning and resumption of ordinary activities in anticipation of the end of the state of emergency on 31 March 2022";

- "The billboard was immediately removed from the entrance corridor of the Emergency Department and placed in custody in a locked room with no possibility of access, except by specifically authorized personnel". "The copy has been kept and is still in custody in the manner indicated above as evidence in the compensation dispute pending with the Company";

- "From the formal findings received from the structures, on file, it emerged that in the territorial offices/premises pertaining to the Company's district areas and in the offices/premises of the Hospitals and related Company establishments there were no other copies of the advertising billboard located in the Emergency Department of the San Donato Hospital in Arezzo";

- "it emerged that on the Company's Facebook page, on the website and on the company intranet there were no images of the billboard with the characteristics described";

- "Pursuant to art. 17, par. 2, of the GDPR, the Company has notified the following parties of receipt of the note from the lawyer (...) demanding the deletion of his client's data shown on a company billboard posted at the Arezzo Hospital, as well as on any other medium, of whatever nature, bearing the aforesaid image: Studio (XX), Printing house (XX)";

- "During 2022, all the Directors of Complex, Simple Departmental and Functional Units, as well as the Data Protection Representatives of the Macrostructures, were enrolled in mandatory individual training in the "Data protection in healthcare" course, lasting 7 hours", and the 2023 Annual Training Plan provides for the course to be repeated;

- "On XX, the training course "The processing of data, with particular reference to images, in the Healthcare Company" was held at the Company", attended by 192 operators of various profiles (technical, administrative, healthcare), and a further edition is planned for 2023;

- "A company procedure has been prepared" (on file) "which provides for centralized supervision at company level of the creation of materials using images on any medium (signs, brochures, videos, photos, posts, etc.) intended for publication/dissemination as part of the Company's institutional information, communication and education/health promotion initiatives. This procedure recalls and supplements the provisions of the General Manager's Circular sent by email to all Company operators on XX, 'Photo and video shooting in the company environment and their dissemination via social networks: directives to operators'" (on file) "and the provisions of the Company Regulations on the use of social media (Social Media Policy) pursuant to resolution no. XX of XX";

- "By Resolution of the General Manager no. XX of XX, the Code of Conduct of the USL Toscana Sud Est Company was updated; it contains specific provisions relating to the protection of personal data and the use of social networks".

2. Outcome of the preliminary investigation.

Having taken note of what was represented by AUSL Toscana Sud Est in the documentation on file and in the defence briefs, it is noted that:

pursuant to the Regulation, "data concerning health" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (art. 4, par. 1, no. 15, of the Regulation). Recital 35 of the Regulation further specifies that data concerning health "include information about the natural person collected in the course of registration in order to receive health care services";

pursuant to the Regulation, personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")" and must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation")" (art. 5, par. 1, letters a) and c), of the Regulation);

the data must also be processed "in a manner that ensures appropriate security (...), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality")" (art. 5, par. 1, letter f), of the Regulation);

the controller is required to implement, "from the design stage", i.e. both when determining the means of processing and at the time of the processing itself, "appropriate technical and organisational measures [...] designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects" (privacy by design), and to ensure "that, by default" (privacy by default) "only personal data which are necessary for each specific purpose of the processing are processed" (art. 25, par. 1 and 2, of the Regulation);

the personal data protection framework provides that information on health status may not be disseminated and may be communicated to persons other than the data subject only on the basis of a suitable legal ground or on the instruction of the data subject, subject to the latter's written authorization (art. 2-septies, paragraph 8, and art. 166, paragraph 2, of the Code, and art. 9 of the Regulation);

since 2014 the Authority, in accordance with art. 22, paragraph 8, of the Code then in force, has stated that "the publication of any information from which it is possible to infer the state of illness or the existence of pathologies of the subjects concerned is prohibited, including any reference to conditions of invalidity, disability or physical and/or mental handicap. To this end, from the stage of drafting the deeds and documents to be published, in compliance with the principle of adequate reasoning, information that is "excessive", "irrelevant" or "non-essential" (and, even less, "prohibited") must not be included. Otherwise, it is necessary to provide for its redaction" (see Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for purposes of publicity and transparency on the web by public bodies and other obliged entities, part II, paragraph 1, of 15.5.2014, doc. web no. 3488002);

from the documentation on file, and also in light of what is stated in the order dismissing the criminal proceedings initiated on the facts of the complaint, adopted by the Judge for preliminary investigations of Arezzo on XX, it is noted that the complainant's first name and surname were recognizable on the billboard, in the emergency department operator's screen shown on it;

the presence on the billboard of the complainant's personal data, associated with the health service provided to him in an emergency setting, constitutes a dissemination of data concerning his health, since, according to what was declared in the documents, the billboard had been located in the main patient entrance corridor of the Emergency Department, i.e. in an area accessible to anyone;

from the documentation on file it is therefore ascertained that AUSL Toscana Sud Est disseminated information on the state of health of a data subject, since the complainant's first name and surname were recognizable, on the billboard located in a place accessible to anyone, in an emergency department record displayed on the operator's screen shown on that billboard.

3. Conclusions.

In light of the above assessments, taking into account the statements made by the controller during the preliminary investigation (and considering that, unless the fact constitutes a more serious offence, anyone who, in proceedings before the Guarantor, falsely declares or certifies facts or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, "False declarations to the Guarantor and interruption of the execution of the duties or the exercise of the powers of the Guarantor"), the elements provided by the controller in the defence briefs do not overcome the findings notified by the Office in the deed initiating the proceedings, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor no. 1/2019 applies.

For these reasons, the unlawfulness of the processing of personal data carried out by AUSL Toscana Sud Est is established, in the terms set out in the reasoning, for violation of articles 5, par. 1, letters a), c) and f), 9 and 25, paras. 1 and 2, of the Regulation, and of art. 2-septies, paragraph 8, of the Code.

In this context, it being noted that AUSL Toscana Sud Est has declared that it has removed the advertising billboard, the conditions for the adoption of corrective measures pursuant to art. 58, par. 2, of the Regulation do not apply.

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5, par. 1, letters a), c) and f), 9 and 25, paras. 1 and 2, of the Regulation, and of art. 2-septies, paragraph 8, of the Code, resulting from the conduct of AUSL Toscana Sud Est, is subject to the administrative fine pursuant to art. 83, par. 4 and 5, of the Regulation and art. 166, paragraph 2, of the Code.

It is noted that the Guarantor, pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other] [corrective] measures referred to in this paragraph, depending on the circumstances of each individual case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019).

The amount of the administrative fine, which depends on the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, in light of the elements provided for in art. 83, par. 2, of the Regulation, in relation to which it is observed that:

the Authority became aware of the event following the breach notification submitted by the AUSL on XX pursuant to art. 33 of the Regulation and the complaint lodged by the data subject on XX (art. 83, par. 2, letter h), of the Regulation);

the dissemination concerns personal data relating to the provision of an emergency department service to a single data subject, present on a single billboard placed in a place accessible to the public (art. 83, par. 2, letters a) and g), of the Regulation);

the billboard was posted for a few weeks in a room which, although open to the public (main entrance corridor for patients to the Emergency Department), was, given the concurrent pandemic period, intended only for the transit of Covid-19-negative patients and closed to their companions (art. 83, par. 2, letters a) and g), of the Regulation);

the facts under examination occurred during the Covid-19 state of health emergency (art. 83, par. 2, letters a) and g), of the Regulation);

the AUSL promptly cooperated to remedy the violation by removing the billboard and notifying the companies involved in its creation to delete the complainant's personal data, and promptly reported the breach to this Authority (art. 83, par. 2, letter f), of the Regulation);

the AUSL carried out mandatory staff training courses for 2022 and planned a new training cycle for 2023, and in December 2022 held the training course "The processing of data, with particular reference to images, in the Healthcare Company", attended by numerous operators of various profiles (technical, administrative, healthcare), with a further edition planned for 2023 (art. 83, par. 2, letter c), of the Regulation);

following the facts under investigation, the AUSL prepared a company procedure providing for centralized supervision at company level of the creation of materials using images on any medium (signs, brochures, videos, photos, posts, etc.) intended for publication/dissemination as part of the Company's institutional information, communication and education/health promotion initiatives (art. 83, par. 2, letter c), of the Regulation);

although the AUSL has been sanctioned for previous violations of the personal data protection rules, those violations did not concern the dissemination of health data (art. 83, par. 2, letter e), of the Regulation).

On the basis of the above elements, assessed as a whole, the amount of the fine provided for by art. 83, par. 5, letter a), of the Regulation is set at 20,000 (twenty thousand) euros for the violation of articles 5, par. 1, letters a), c) and f), 9 and 25, paras. 1 and 2, of the Regulation, and of art. 2-septies, paragraph 8, of the Code, an administrative fine deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also considered that the ancillary sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor no. 1/2019, should be applied, also in view of the type of personal data subject to the unlawful processing.

Finally, it is noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers entrusted to the Guarantor, are met.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Local Health Authority of South East Tuscany for violation of articles 5, par. 1, letters a), c) and f), 9 and 25, paras. 1 and 2, of the Regulation, and of art. 2-septies, paragraph 8, of the Code, in the terms set out in the reasoning.

ORDERS

the Local Health Authority of South East Tuscany, VAT no. and tax code 02236310518, in the person of its legal representative pro tempore, pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, to pay the sum of 20,000 (twenty thousand) euros as an administrative fine for the violations indicated in this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ENJOINS

the aforesaid Company, in the event that the dispute is not settled pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 20,000 (twenty thousand) euros in the manner indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement measures will be adopted pursuant to art. 27 of law no. 689/1981.

DIRECTS

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision in full on the Guarantor's website, and the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision or within sixty days if the appellant resides abroad.

Rome, 1st June 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei