Garante per la protezione dei dati personali (Italy) - 9954241

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 26.10.2023
Published: 27.11.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 9954241
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: co

The Italian DPA ordered a controller to bring her processing of medical data for research purposes into compliance with GDPR requirements.

English Summary

Facts

A data subject had undergone osteopathic treatments in a clinic from an osteopath, the controller. On that occasion, the controller provided the data subject with her privacy policy and asked for consent to the processing of her data for the purposes of medical treatment and scientific research. The controller later included the clinical study relating to the data subject's condition in her final thesis in osteopathy at a specialised school.

The data subject claimed that the thesis included enough personal data about her, including her health status, clinical history, family composition, profession and other elements, to make it possible to identify her. She claimed that the data in question had been unlawfully copied from the medical documents she had shared with the controller solely for the purposes of medical treatment. The data subject also asked the controller for information about the use of her health data in the final thesis, and the controller denied having written her thesis on the clinical case concerning the data subject. The data subject then filed a complaint with the Italian DPA.

The DPA started an investigation and asked the controller and the school for their submissions. The controller provided the DPA with her privacy policy and the consent form she had obtained from the data subject, which stated that clinical data would not be shared with anyone except for scientific research purposes. The controller further explained that the personal data included in her thesis had been anonymised and that, in any case, the thesis would not be published and would only be available to the thesis supervisor and the administrative office of the school. The controller asked that no charges be raised against her and that the case be dealt with taking into account all the mitigating circumstances under Article 83 GDPR. The school office also made its submissions, confirming that students' dissertations are never published and are not accessible to third parties.

In its preliminary conclusion, the DPA considered the processing activities carried out by the controller to be in violation of Article 5(1)(a) GDPR, Article 6 GDPR, Article 9 GDPR, Article 12 GDPR and Article 13 GDPR, and started a procedure to adopt corrective measures against the controller under Article 58(2) GDPR. The DPA communicated this to the controller, who then submitted a document showing that she had adopted measures to improve her privacy management system, including participation in training courses, a revised privacy policy and a DPIA under Article 35 GDPR.

Holding

The Italian DPA considered the facts and the submissions of the parties and noted that in the privacy policy and consent form that the controller later shared with the DPA, the only purpose of processing mentioned was the correct and complete execution of the controller’s profession as an osteopathist. Further, under “sharing of personal data”, the privacy policy specified that clinical data will not be shared except for research purposes. Taking all this into account, the DPA issued its final decision on the case.

First of all, the DPA held that the controller's thesis included several pieces of medical information about the data subject, together with other personal information, which made it possible, even if indirectly, to identify her. This was also because the controller had failed to properly delete the data subject's name and surname. Hence, the DPA held that the medical information included in the controller's thesis had to be considered personal health data of the data subject.

Moreover, the DPA held that the controller unlawfully processed such data for purposes of scientific research, since, according to WP29 Opinion 05/2014, the data should have been anonymized or, where technically impossible, the controller should have sought the specific consent of the data subject. Even though it is true that in the privacy policy of the controller there is reference to the transmission of clinical data for purposes of scientific research, this is only mentioned under “sharing of personal data” and not under “purposes of processing”.

The DPA also found the privacy policy of the controller to be lacking the essential elements required by Article 13 GDPR: it did not include all purposes of processing, it indicated the wrong legal basis for processing for research purposes and it lacked information about the possibility to file a complaint with the Italian DPA.

Further, the controller unlawfully communicated the medical data of the data subject to third parties, namely the thesis supervisor and the administrative office of the school and she processed personal data in violation of the principle of fairness under Article 5(1)(a) GDPR.

In addition to this, the DPA also identified some elements that were still missing or needed to be amended in the revised version of the privacy policy submitted by the controller.

For these reasons, the DPA confirmed its preliminary finding that the controller had acted contrary to Article 5(1)(a) GDPR, Article 6 GDPR, Article 9 GDPR, Article 12 GDPR and Article 13 GDPR. The DPA therefore ordered the controller, under Article 58(2)(d) GDPR, to bring her processing operations into compliance with the GDPR within 30 days from the adoption of the decision. In particular, the DPA ordered the controller to supplement her privacy policy with information on the legal bases for processing, transfers of personal data to third countries and the storage of personal data.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of November 27, 2023

[doc. web no. 9954241]

Provision of 26 October 2023

Register of measures
n. 497 of 26 October 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, lawyer Guido Scorza, member, and Councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, containing the “Code regarding the protection of personal data” (hereinafter “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution of the Guarantor no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and on www.gpdp.it, web doc. no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organisation and functioning of the office of the Guarantor for the protection of personal data, on www.gpdp.it, web doc. no. 1098801;

RAPPORTEUR Prof. Pasquale Stanzione;

PREMISE

1. The complaint and the investigative activity

In XX, this Authority received a complaint concerning the processing of numerous data on the complainant's health, in violation of the rules on the protection of personal data, by Mrs Brambilla, with particular reference to the drafting of a final thesis for the “Diploma Course in Osteopathy” at the XX Professional Training School (hereinafter “School”), entitled “Osteopathic treatment for trigeminal neuralgia induced by removal of a malignant neoplasm in the Gasser ganglion”, a.y. 2020/2021.

In support of the complaint, the complainant produced a copy of the aforementioned thesis (sent to her by email by the School on XX), in which a clinical case is described through numerous anamnestic, clinical and personal details (e.g. family composition, work activity) and documents, accompanied by precise time references, through which it is possible, even if indirectly, to identify the complainant. The thesis also contains a clinical document (A.D.L. questionnaire, index of independence in activities of daily living) containing a large amount of information on the state of health of the data subject, whose personal data have only been summarily obscured.

According to the documents on file, the clinical details relating to the complainant were extracted from the copious medical documentation that the data subject had sent to Ms Brambilla on the occasion of the osteopathic treatments she had undergone, despite the fact that she had explicitly requested maximum confidentiality (email of the 20th, on file).

The complainant also stated that she had asked Ms Brambilla for clarification regarding the use of her health data in the drafting of the aforementioned thesis, and that the latter denied having written the thesis on the complainant's clinical case, declaring that the thesis discussed at the School did not concern her but another case, of which she sent a copy to the complainant (documentation on file).

In relation to the complaint, this Office initiated a preliminary investigation and requested information from Mrs Brambilla (note of XX, protocol no. XX), as well as from the School.

In response to that request, Ms Brambilla stated, in particular, that:

at the time of the facts she “practised her profession independently within the ‘Fenice’ medical practice”;

“upon receipt of the request for an appointment, Mrs. Alice Brambilla […] as data controller, as per practice, submitted to Mrs. [….] her information notice on the processing of personal data pursuant to art. 13 of the Regulation [...] and requested consent to the processing of personal data relating to her state of health for the following purposes: i) execution of the requested professional service; ii) scientific research [...] and use in the thesis”;

“Specifically, the consent is visible […] with the following wording: ‘having received the aforementioned information provided to me by the Data Controller pursuant to art. 13 of the EU Reg., and aware, in particular, that the processing may concern data relating to health, I give my consent to the processing of data, including health data, necessary for carrying out the operations indicated in the information notice’”;

“Clinical data are not subject to dissemination, except for the purposes of scientific research” (point 6 of the information, entitled “Dissemination of data”);

“[…] there is a free, specific, informed and unequivocal expression of the interested party's will explicitly made through a hand-signed declaration at the bottom right of the information that the professional could process the data not only for the performance but also for scientific purposes, a definition which clearly includes the use of data for case studies and their analysis in documents of an academic nature, which is certainly Mrs Brambilla's thesis";

“the subsequent communication from the data subject of XX [...] does not change [...] the above, as the request to maintain maximum confidentiality on the data communicated is a vague and generic request, not at all capable of affecting the consent framework set out in the information notice; indeed the sending of the data represents a further confirmation, by conclusive conduct, of consent to the processing, and in the absence of a specific request for limitation with respect to a specific processing it must be considered full confirmation of the content of the information notice and of consent to all the processing operations provided for there”;

“The data included in the thesis are totally anonymized data in the sense considered valid by this Guarantor, i.e. that which to consider anonymous data which through reasonably available means can allow the interested party to be re-identified (in fact none of the hypotheses 1-3 of page 3 of the information request is possible)”;

“This is because in the text of the thesis clinical data and other aspects of the patient are reported that are useful for understanding the origin of the pain (anamnesis), but never in the presence of personal data or other data that can trace what is reported in the thesis to the identity of the [ …] Complainant, also with reference to pages 26-33 [of the thesis work] it is clear that it is impossible to trace the name of the lady appropriately obscured”;

“In summary, the data controller, in addition to having appropriately delivered the information containing all the requested information and collected data and consent to the processing of health data for both purposes, has also taken steps to anonymize the data”;

“In any case, the thesis was not published either online or elsewhere by the data controller. It was shared only with ‘the thesis supervisor’ and ‘the institute secretariat for bureaucratic discussion purposes and its conservation for legal purposes’”.

On the mitigation of the effects of the processing carried out, the same note declared that:

Mrs. Brambilla, through her defenders, sent a communication to the aforementioned School in which confirmation was requested "of the subjects to whom they communicated the thesis, also asking them not to communicate it to third parties and in any case to obscure the pages containing the clinical data contained therein";

the processing took place in good faith; the data controller “has provided and provides maximum collaboration; has never received other complaints or sanctions” […] the purpose [of the processing] was that of study and research for professional training purposes”;

"there is only a complaint from an interested party, no damage has been proven or reported, there has been no dissemination but simple communication to the teachers (supervisor and commission) and to the bureaucratic apparatus of the institution (secretariat)".

Given the above, Ms Brambilla argued that no charges could be brought against her and, in the alternative, asked that “all the mitigating circumstances of the case in question referred to in art. 83 of Regulation no. 2016/679 […]” be taken into consideration.

Attached to the note, Ms Brambilla sent a copy of the information notice and consent form signed by the complainant, from which it emerges that:

in point 1, entitled "Purpose of data processing", it is indicated that "the data processing is aimed solely at the correct and complete execution of my professional task connected with the massage therapy and osteopathy activities carried out to protect your health";

in point 6, entitled “dissemination of data”, it is indicated that “clinical data are not subject to dissemination except for the purposes of scientific research. To carry out this assignment, the professional may also become aware of and use health data, for the processing of which, in compliance with the regulatory provisions referred to above (art. 6 of the EU Regulation), express consent is hereby requested”.

With a note of XX, the School, in response to a request for information from the Office of XX (prot. no. XX), declared that the personal data contained in the thesis “are not published either on websites or on other channels, whether paper or digital” and “are not accessible by third parties”.

On the basis of the elements acquired during the preliminary investigation, the Office, by deed of XX (prot. no. XX), notified on the same date by certified email, initiated against Ms Brambilla, pursuant to art. 166, paragraph 5, of the Code and with reference to the specific unlawful conduct referred to therein, a procedure for the adoption of the measures referred to in art. 58, par. 2 of the Regulation, inviting her to submit defence briefs or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981).

In particular, in that document the Office found that Ms Brambilla had:

processed data on the complainant's health as part of the completion of a training course (final thesis) in a manner that does not comply with the regulations on the protection of personal data;

provided the complainant with an information notice lacking the essential elements referred to in art. 13 of the Regulation;

communicated, without a suitable legal basis, the aforementioned data on the complainant's health to third parties (specifically the thesis supervisor and the School) who, among other things, are not indicated among the recipients of the data in the information notice on file;

carried out processing in violation of the principle of fairness, as, following an express request from the complainant, she denied having written the thesis on the clinical case concerning the latter, sending her a different thesis from the one actually submitted to the School (documentation on file);

all this in violation of articles 5(1)(a), 6, 9, 12 and 13 of the Regulation.

With a note dated XX (received by certified email on XX), Mrs Brambilla, through her lawyers, sent a document entitled “corrective action documentary integration” describing the actions undertaken following the opening of the procedure by the Office, aimed at a “revision of its privacy management system by analysing and intervening, from a technical and organisational point of view”, and also having “relevance pursuant to art. 83, par. 2, letters c) and d)”. In particular, these actions concerned various areas, including:

training, through the participation of Mrs Brambilla herself in various courses on the processing of personal data in the healthcare sector;

the review of the information notice to be provided to data subjects:

I. "with the indications of the Guarantor regarding the inaccuracies contained therein regarding the identification of the legal basis and the missing information";

II. with the indication of the “consent referred to in art. 9, par. 2, letter a) […] as the legal basis for the health data since the profession of the complainant, although processing health data, is not included in orders with the related obligation of professional secrecy; therefore, it is believed to be the most suitable to fill the regulatory coverage given by the professional secrecy dictated by law, otherwise missing here. No reference to research and/or study reasons has been included as the complainant has now completed her educational path”;

the adoption of “a model for the appointment of data processors for any external collaborators (processors)”;

the drafting of an impact assessment pursuant to art. 35 of the Regulation;

the adoption of specific technical and organisational measures.

In light of the above, Ms Brambilla, without requesting to be heard pursuant to art. 166, paragraph 6 of the Code, requested that “no sanctions should be applied to [them] [...], alternatively, in the denied and unbelieved hypothesis of the provision of sanctions, we ask that they be calculated at the statutory minimum for the reasons expressed above”.

2. Outcome of the preliminary investigation

Having taken note of what Mrs Brambilla stated in the documentation on file and in the aforementioned document entitled “documentary integration and corrective actions”, it is noted that:

“personal data” means “any information relating to an identified or identifiable natural person (‘data subject’)”. Furthermore, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (art. 4, no. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter the “Regulation”);

pursuant to the Regulation, personal data must be “processed in a lawful, correct and transparent manner towards the data subject (‘principle of lawfulness, correctness and transparency’)”, “collected for specific, explicit and legitimate purposes, and subsequently processed in a way that is not incompatible with these purposes (‘purpose limitation principle’)”, “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation principle’)” and “processed in a manner that guarantees adequate security, through adequate technical and organisational measures (‘principle of data minimisation’)” (art. 5, par. 1, letters a), b), c) and f) of the Regulation);

with specific reference to particular categories of data, including health data, art. 9 of the Regulation establishes a general prohibition on the processing of such data unless one of the specific exemptions referred to in paragraph 2 occurs;

the Guarantor has repeatedly highlighted that, with the full application of the Regulation, unlike in the past, the healthcare professional, bound by professional secrecy, must no longer request the patient's consent for the processing necessary for the healthcare service requested by the data subject, regardless of whether he or she works as a freelancer (in a medical practice) or within a public or private healthcare facility (see provision “Clarifications on the application of the regulations for the processing of health-related data in the healthcare sector” of 7 March 2019, available on www.gpdp.it, web doc. no. 9091942). On this point, it should be noted that osteopathy has been recognised as a healthcare profession by Presidential Decree no. 131/2021, according to which the osteopath “carries out osteopathic manipulative treatment safely and respecting the patient's dignity and sensitivity”. Numerous trade associations have adopted codes of ethics which provide for specific obligations of secrecy on the part of osteopaths in the processing of patient data (e.g. register of Italian osteopaths of 26 June 2021; Italian Association of Professional Osteopaths of 13 September 2012, updated to October 2020; association of exclusive osteopaths of 16.12.2020);

in cases where the processing is not strictly necessary for treatment purposes and the legal basis of the processing is the consent of the data subject, taking into account the nature of such data, which is particularly sensitive in terms of fundamental rights and freedoms, such consent must be given through a positive act by which the data subject expresses a free, specific, informed and unequivocal will relating to the processing of personal data concerning him or her (art. 9, par. 2, letter a) of the Regulation and par. 4 of Guidelines 5/2020 on consent under Regulation (EU) 2016/679, adopted by the European Data Protection Board on 4 May 2020);

communication of personal data means “giving knowledge of personal data to one or more specific subjects other than the data subject, the representative of the controller in the territory of the European Union, the processor or his representative in the territory of the European Union, the persons authorised, pursuant to article 2-quaterdecies, to process personal data under the direct authority of the controller or processor, in any form, including by making them available, consulting or interconnecting them”; dissemination means “giving knowledge of personal data to undetermined subjects, in any form, including by making them available or consulting them” (art. 2-ter, paragraph 4 of the Code);

the rules on the protection of personal data also provide that information on the state of health cannot be disseminated and may be communicated only to the data subject, and may be communicated to third parties only on the basis of a suitable legal basis or at the direction of the data subject, subject to written authorisation from the latter (articles 2-septies, paragraph 8 and 166, paragraph 2, of the Code and article 9 of the Regulation);

the principles of transparency and correctness also imply that the data subject is informed of the existence of the processing and of its purposes, and that personal data are processed after providing data subjects with the information referred to in art. 13 of the Regulation (recital no. 60 and art. 5, par. 1, letter a) of the Regulation). The information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language (recital 58 and art. 12 of the Regulation);

where personal data are collected from the data subject, the data controller must provide him or her, at the time the personal data are obtained, with all the information indicated in art. 13 of the Regulation;

however, the rules on the protection of personal data do not apply to anonymous data. In this regard, it is also worth specifying that “(...) information that does not refer to an identified or identifiable natural person or to personal data made sufficiently anonymous to prevent or no longer allow the identification of the data subject” is considered anonymous; this also applies to processing carried out for statistical or research purposes (see recital no. 26 of the Regulation). The risk of re-identification of the data subject must, however, be carefully assessed taking into account “all the means, [...], which the data controller or a third party can reasonably use to identify said natural person directly or indirectly. To ascertain the reasonable probability of using the means to identify the natural person, consideration should be given to all objective factors, including the costs and time required for identification, taking into account both the technologies available at the time of the processing and technological developments” (see recital no. 26 of the Regulation and WP29 Opinion 05/2014 on Anonymisation techniques, adopted on 10 April 2014). An anonymisation process cannot be regarded as such if it is not capable of preventing anyone who uses such data, in combination with “reasonably available” means, from:

1. isolate a person in a group (single-out);

2. link anonymized data to data relating to a person present in a distinct data set (linkability);

3. deduce new information relating to a person from anonymized data (inference);
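The three criteria above are easier to see on data than in the abstract. The following Python script is an added example, not part of the decision: it builds a small constructed table of clinical cases, strips only the names (the equivalent of blacking out a name by hand), and shows that the remaining quasi-identifiers of the kind listed above (profession, family composition, treatment date, diagnosis) still single out and re-identify a record, while coarsening them raises the minimum group size. All records, field names and the "background knowledge" are constructed for illustration.

```python
"""Singling-out / re-identification check for a 'manually obscured' clinical case.

Added example, not part of the decision. Sample records, field names and the
adversary's background knowledge are all constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed "background population": clinical cases seen at one practice.
# The name is the only direct identifier; the other fields are quasi-identifiers
# of the kind the decision lists (profession, family composition, dates, diagnosis).
RECORDS: List[Dict[str, object]] = [
    {"name": "Person A", "profession": "teacher", "household": "married, 2 children",
     "treatment_year": 2021, "diagnosis": "trigeminal neuralgia after neurosurgery"},
    {"name": "Person B", "profession": "teacher", "household": "married, 2 children",
     "treatment_year": 2021, "diagnosis": "low back pain"},
    {"name": "Person C", "profession": "nurse", "household": "single",
     "treatment_year": 2020, "diagnosis": "low back pain"},
    {"name": "Person D", "profession": "nurse", "household": "single",
     "treatment_year": 2020, "diagnosis": "low back pain"},
    {"name": "Person E", "profession": "teacher", "household": "married, 2 children",
     "treatment_year": 2019, "diagnosis": "neck pain"},
    {"name": "Person F", "profession": "teacher", "household": "married, 2 children",
     "treatment_year": 2019, "diagnosis": "neck pain"},
]
DIRECT_IDENTIFIERS = ("name",)
QUASI_IDENTIFIERS = ("profession", "household", "treatment_year", "diagnosis")


def redact(record: Dict[str, object]) -> Dict[str, object]:
    """Remove direct identifiers only: the equivalent of blacking out a name by hand."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def anonymity_sets(records, fields) -> Counter:
    """How many records share each combination of the given fields (k per group)."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def min_k(records, fields) -> int:
    """Smallest group size; k == 1 means at least one person can be singled out."""
    return min(anonymity_sets(records, fields).values())


def singled_out(records, fields) -> List[Tuple]:
    """Combinations that match exactly one record (WP29 criterion 1, single-out)."""
    return [key for key, n in anonymity_sets(records, fields).items() if n == 1]


def reidentify(records, known: Dict[str, object]) -> List[int]:
    """Indices of records consistent with an adversary's background knowledge.
    A single hit links the 'anonymous' case back to a known person (WP29
    criterion 2, linkability); more than one hit leaves it ambiguous."""
    return [i for i, r in enumerate(records)
            if all(r.get(f) == v for f, v in known.items())]


def generalize(record: Dict[str, object]) -> Dict[str, object]:
    """Coarsen quasi-identifiers so that several people share every combination."""
    g = dict(record)
    g["treatment_year"] = f"{(int(g['treatment_year']) // 5) * 5}s"  # 5-year band
    g["household"] = "with children" if "children" in str(g["household"]) else "no children"
    g["profession"] = "healthcare" if g["profession"] == "nurse" else "education"
    dx = str(g["diagnosis"])
    g["diagnosis"] = "pain syndrome" if ("pain" in dx or "neuralgia" in dx) else "other"
    return g


REDACTED = [redact(r) for r in RECORDS]
GENERALIZED = [generalize(r) for r in REDACTED]

if __name__ == "__main__":
    print("names removed only: min k =", min_k(REDACTED, QUASI_IDENTIFIERS))
    print("singled out:", singled_out(REDACTED, QUASI_IDENTIFIERS))
    # What an acquaintance of Person A might plausibly know (constructed).
    known = {"profession": "teacher", "household": "married, 2 children",
             "treatment_year": 2021, "diagnosis": "trigeminal neuralgia after neurosurgery"}
    print("records matching that knowledge:", reidentify(REDACTED, known))
    print("after generalisation: min k =", min_k(GENERALIZED, QUASI_IDENTIFIERS))
```

Note that after generalisation every group shares the same diagnosis value, so a minimum k of 2 still says nothing about the third criterion (inference): a k-anonymity style check covers singling-out and linkability only.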

with specific reference to the publication of clinical cases, the Code of Medical Ethics approved by the National Federation of Orders of Surgeons and Dentists in 2014 (as amended in 2016 and 2017) provides that “the doctor ensures the non-identifiability of the subjects involved in scientific publications or disclosures of data and clinical studies” (art. 11, Confidentiality of personal data);

the Code of Conduct for the use of health data for educational and scientific publication purposes, approved by the Guarantor's provision no. 7 of 14 January 2021 (web doc. no. 9535354), expressly provides that the processing of personal data carried out for the purposes of scientific research in the medical, biomedical and epidemiological fields does not fall within the scope of that code (point 4 of the premises).

Given the above, it is established that Ms Brambilla:

processed data on the complainant's health through the drafting of the final thesis for the “Diploma course in osteopathy” issued by the School, entitled “Osteopathic treatment for trigeminal neuralgia induced by removal of a malignant neoplasm in the Gasser ganglion”, a.y. 2020/2021. This is because the documentation on file shows that the thesis contains, in the descriptive section of the clinical case, numerous anamnestic and personal details and data through which it is possible, even if indirectly, to identify the data subject. The thesis also contains a clinical document (“ADL scale” questionnaire) setting out a large amount of information on the state of health of the data subject, whose personal data were deleted so approximately that the name and surname of the complainant remain legible, allowing her personal details to be associated with numerous items of information on her state of health. The manual deletion procedure cannot be regarded as suitable for rendering the personal information of the clinical case anonymous, nor can it be regarded as “pseudonymisation” within the meaning of art. 4, no. 5 of the Regulation, being merely a manual procedure for obscuring the personal details of data subjects (see in this regard the provisions of 17.9.2020, web doc. nos. 9479364 and 9479382, and of 2.3.2023, web doc. no. 9870171). Therefore, the numerous items of health information present in Ms Brambilla's work qualify as health data, as they allow the identification, albeit indirect, of the complainant;

carried out processing of data on the complainant's health for the purpose of scientific publication of the final paper of a training course in a manner that does not comply with the rules on the protection of personal data since, as the Authority has already noted in the aforementioned Code of Conduct, this should have been pursued through the processing of anonymised data in light of WP29 Opinion 05/2014 or, if it was not possible to anonymise the data (e.g. because of the peculiarities of the clinical case represented), she should have obtained a specific and informed consent from the data subject, which cannot be found in the consent on file, as it is neither specific nor informed with regard to the purpose in question (see the Code of Conduct for the use of health data for educational and scientific publication purposes, approved by the Guarantor's provision no. 7 of 14 January 2021, web doc. no. 9535354). In fact, although the information notice contains a generic reference to the dissemination of clinical data “for scientific research purposes” (which Ms Brambilla declares she does not pursue) (point 6 of the information notice, entitled “Dissemination of data”), this activity was not indicated among the purposes of the processing (point 1 of the information notice);

provided the complainant with an information notice lacking the essential elements referred to in art. 13 of the Regulation:

as all the purposes of the processing are not indicated (such as scientific publication activity);

the legal basis of the processing having been incorrectly identified:

for treatment purposes, in the art. 6 of the Regulation, which does not concern health data;

for scientific research purposes, which is subject to the specific sector regulations referred to in the Regulation and the Code (articles 5, 6, 7, 9 and 89 of the Regulation; articles 104 et seq. of the Code; provisions relating to the processing of personal data carried out for scientific research purposes, annex 5 to the provision containing the provisions relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of the legislative decree of 10 August 2018, no. 10, doc . web no. 9124510;Ethical rules for processing for statistical or scientific research purposes published pursuant to art. 20, paragraph 4, of Legislative Decree 10 August 2018, no. 101 of 19 December 2018, annex A5 to the Code , web document no. 9069637, which constitute an essential condition for the lawfulness and correctness of processing (art. 2-quater of the Code and art. 21, paragraph 5, of Legislative Decree no. 101 of 10 August 2018);

as the right of the interested party to lodge a complaint with the Guarantor is not indicated in the information notice (art. 13, par. 2, letter d) of the Regulation);

communicated, without a suitable legal basis, the aforementioned data on the complainant's health to third parties (specifically the thesis supervisor and the XX School) who, moreover, are not indicated among the recipients of the data in the information notice on file;

carried out processing of personal data in violation of the principle of correctness, since, following an express request from the complainant, she denied having written the thesis on the complainant's clinical case, sending her a thesis different from the one actually presented to the School (documentation on file).

2.1. Critical elements in the information model

In relation to the documentation sent by Mrs. Brambilla together with the defense briefs, while taking favorable note of the corrective actions she has undertaken, it is noted that some specific critical elements persist in the updated information model. In particular, the model does not correctly:

identify the legal conditions for the processing of personal data not belonging to particular categories (e.g. it indicates legitimate interest as the legal basis for sending newsletters);

indicate the legal bases for any transfer of data abroad;

indicate the data retention period, for which a contradictory wording is reported ("the data will be retained until the contract is in place and this is terminated for a maximum of 2 years and in any case for the time necessary to satisfy the purpose of the collection and in any case the legal requirements").

The aforementioned model also contains contradictory aspects with reference to the use of patients' personal data for the purposes of "sending newsletters" and "sending promotional material". In particular, the "sending newsletters" section of the information model states that no newsletters are sent, although this activity is listed among the processing operations carried out in the section on the legal bases of the processing.

Finally, it is noted that the applicability of art. 9, par. 2, lett. h) and par. 3 of the Regulation could be considered, in light of the elements highlighted above and in particular in consideration of the fact that osteopathy has been recognized as a healthcare profession by Presidential Decree no. 131/2021 and that numerous trade associations lay down specific provisions on professional secrecy for their members.

3. Conclusions

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation - and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor" - the additional elements provided by the data controller in the defense briefs do not allow the findings notified by the Office with the act initiating the procedure to be overcome, as, moreover, none of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 applies.

For these reasons, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by Mrs. Brambilla, in the terms set out in the reasoning, is established, in violation of art. 5, par. 1, lett. a), 6, 9, 12 and 13 of the Regulation.

In this context, in light of the actions undertaken by Mrs. Brambilla following the start of the sanctioning procedure, it is deemed necessary to enjoin the aforementioned professional, pursuant to art. 58, par. 2, lett. d), of the Regulation, to adopt the following corrective measure within 30 days of the adoption of this provision: modification and integration of the information model last transmitted, on the basis of the critical elements identified in paragraph 2 of this provision relating to the legal bases of the processing, including those for the possible transfer of data to third countries, and to the data retention period.

Having said this, taking into account that:

the complainant's data, including health data, were not disseminated, but communicated "[...] to the training body for the discussion of the thesis. The violation was therefore limited in time and in the number of people (secretary, who does not have the task of reading the papers, and the teachers who, among other things, are often professionals bound by professional secrecy)";

the fact is attributable to conduct of a "culpable" nature: "the respondent was convinced that she had obtained consent, which in fact she did; however, she confused the research purpose with the teaching purpose, thinking they were equivalent (or rather, ignoring their difference). From this point of view, consider that we are talking about a woman at the beginning of her career who was discussing her diploma thesis in a very small circle; furthermore, it is evident that for a student the norm is absolutely not easy to understand";

Ms. Brambilla, in order to mitigate the effects of the violation, at the same time as the start of the investigation relating to the proceeding in question, "Firstly [...] requested the secretariat [of the Training School] not to communicate or disseminate the thesis to other subjects";

the training body itself has expressly declared that the personal data contained in the aforementioned thesis "are not published on websites or on other information channels, whether paper or digital" and that "they are not accessible by third parties";

partially suitable measures have been implemented to prevent the recurrence of similar events;

no further complaints have been received nor have any further sanctions been imposed against Ms Brambilla who immediately collaborated with the Authority;

the data controller is a natural person with a turnover which in 2022 amounted to XX Euros (as per the documentation on file);

the circumstances of the specific case lead to classifying it as a "minor violation", pursuant to recital 148 of the Regulation and the WP 253 Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679, so that, in relation to the case in question, it is sufficient to warn Ms Alice Brambilla, the data controller, pursuant to art. 58, par. 2, lett. b) of the Regulation, in relation to the ascertained violation of the provisions contained in art. 5, par. 1, lett. a), 6, 9, 12 and 13 of the Regulation.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE ABOVE CONSIDERED, THE GUARANTOR

a) pursuant to art. 57, par. 1, lett. a) of the Regulation, declares the unlawfulness of the processing of personal data carried out by Mrs. Alice Brambilla, CF XX, XX, for the violation of the basic principle of the processing referred to in art. 5, par. 1, lett. a), and of articles 6, 9, 12 and 13 of the Regulation, within the terms set out in the reasoning;

b) pursuant to art. 58, par. 2, lett. b) of the Regulation, warns the aforementioned Mrs. Brambilla, as controller of the processing in question, for having violated art. 5, par. 1, lett. a), 6, 9, 12 and 13 of the Regulation, as described above;

ORDERS

pursuant to art. 58, par. 2, lett. d), of the Regulation, Ms. Alice Brambilla, within 30 days of notification of this provision, to modify and integrate the information model on the basis of the critical elements identified in paragraph 2.1 of this provision relating to the legal bases of the processing, including those for the possible transfer of data to third countries, and to the data retention period.

In this regard, Ms. Alice Brambilla is requested to communicate which initiatives have been undertaken in order to implement the above order and to provide adequately documented feedback, pursuant to art. 157 of the Code, within 20 days of the expiry of the deadline indicated above; any failure to respond may lead to the application of the administrative fine provided for by art. 83, paragraph 5, of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 26 October 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE GENERAL SECRETARY
Mattei

SEE ALSO Newsletter of November 27, 2023

[doc. web no. 9954241]

Provision of 26 October 2023

Register of measures
n. 497 of 26 October 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Guido Scorza, lawyer, member, and Fabio Mattei, councillor, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, "Code regarding the protection of personal data" (hereinafter "Code");

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution of the Guarantor no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and on www.gpdp.it, web doc. no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

HAVING REGARD TO the documentation on file;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, on www.gpdp.it, web doc. no. 1098801;

RAPPORTEUR Prof. Pasquale Stanzione;

PREMISE

1. The complaint and the investigative activity

In the month of XX, this Authority received a complaint concerning the processing of numerous data on the complainant's health, in alleged violation of the regulations on the protection of personal data, by Mrs. Brambilla, with particular reference to the drafting of a final thesis for the "Diploma Course in Osteopathy" at the XX Professional Training School (hereinafter "School"), entitled "Osteopathic treatment for trigeminal neuralgia induced by removal of a malignant neoplasm in the Gasser ganglion", a.y. 2020/2021.

In support of the complaint, the complainant produced a copy of the aforementioned thesis (sent to her by email by the aforementioned School on XX), in which a clinical case is described through numerous anamnestic, clinical and personal details (e.g. family composition, work activity) and documents, accompanied by precise time references, through which it is possible, even if indirectly, to identify the complainant. The aforementioned thesis also contains a clinical document (the A.D.L. questionnaire, an index of independence in activities of daily living) which contains extensive information on the state of health of the interested party, whose personal details have only been summarily obscured.

According to what is represented in the documents on file, the clinical details relating to the complainant were extracted from the copious medical documentation that the interested party had sent to Ms Brambilla on the occasion of the osteopathic treatments she had undergone, despite having explicitly requested maximum confidentiality (email of the 20th, on file).

The complainant also represented that she had asked Ms Brambilla for clarification regarding the use of her health data for the purposes of drafting the aforementioned thesis, and that the latter denied having written this thesis on the complainant's clinical case, declaring that the thesis discussed at the School did not concern the complainant but another case, of which she sent a copy to the complainant (documentation on file).

In relation to the aforementioned complaint, this Office started a preliminary investigation and requested information from Mrs Brambilla (note of XX, protocol no. XX), as well as from the aforementioned School.

In response to the aforementioned request, Ms Brambilla represented, in particular, that:

at the time of the facts "she practiced her profession independently within the 'Fenice' medical practice";

“upon receipt of the request for an appointment, Mrs. Alice Brambilla […] as data controller, as per practice, submitted to Mrs. [….] her information on the processing of personal data pursuant to art. 13 of the Regulation [...] and to request consent to the processing of personal data relating to your state of health for the following purposes: i) execution of the requested professional service ii) scientific research [...] and for use in the thesis";

“Specifically, the consent is visible […] with the following wording: “acquired the aforementioned information provided to me by the Data Controller pursuant to art. 13 of the EU Reg., and aware, in particular, that the processing may concern data relating to health, I give my consent for the processing of data, including health data, necessary for carrying out the operations indicated in the information";

“Clinical data are not subject to dissemination, except for the purposes of scientific research” (point 6 of the information, entitled “Dissemination of data”);

“[…] there is a free, specific, informed and unequivocal expression of the interested party's will explicitly made through a hand-signed declaration at the bottom right of the information that the professional could process the data not only for the performance but also for scientific purposes, a definition which clearly includes the use of data for case studies and their analysis in documents of an academic nature, which is certainly Mrs Brambilla's thesis";

"the subsequent communication from the interested party of XX [...] does not change [...] the above, as the call to maintain maximum confidentiality on the data communicated is a vague and generic call, not at all capable of affecting the consent framework arising from the information notice outlined above; indeed, the sending of the data represents a further confirmation, by conclusive conduct, of the consent to the processing, and in the absence of a specific request for limitation with respect to a specific processing it must be considered a total confirmation of the content reported in the information notice and of the consent to all the processing operations provided for therein";

“The data included in the thesis are totally anonymized data in the sense considered valid by this Guarantor, i.e. that which to consider anonymous data which through reasonably available means can allow the interested party to be re-identified (in fact none of the hypotheses 1-3 of page 3 of the information request is possible)”;

“This is because in the text of the thesis clinical data and other aspects of the patient are reported that are useful for understanding the origin of the pain (anamnesis), but never in the presence of personal data or other data that can trace what is reported in the thesis to the identity of the [ …] Complainant, also with reference to pages 26-33 [of the thesis work] it is clear that it is impossible to trace the name of the lady appropriately obscured”;

“In summary, the data controller, in addition to having appropriately delivered the information containing all the requested information and collected data and consent to the processing of health data for both purposes, has also taken steps to anonymize the data”;

“In any case, the thesis was not published either online or elsewhere by the data controller. It was shared only with "the thesis supervisor" and "the institute secretariat for bureaucratic discussion purposes and its conservation for legal purposes".

On the mitigation of the effects related to the treatment carried out, in the aforementioned note it was stated that:

Mrs. Brambilla, through her defenders, sent a communication to the aforementioned School in which confirmation was requested "of the subjects to whom they communicated the thesis, also asking them not to communicate it to third parties and in any case to obscure the pages containing the clinical data contained therein";

the processing took place in good faith; the data controller "has provided and provides maximum collaboration; has never received other complaints or sanctions" […] "the purpose [of the processing] was that of study and research for professional training purposes";

"there is only a complaint from an interested party, no damage has been proven or reported, there has been no dissemination but simple communication to the teachers (supervisor and commission) and to the bureaucratic apparatus of the institution (secretariat)".

Given the above, Ms Brambilla represented that no charges could be brought against her and, alternatively, asked that "all the mitigating circumstances of the case in question referred to in art. 83 of Regulation no. 2016/679 […] be taken into consideration".

Attached to the aforementioned note, Ms Brambilla sent a copy of the information notice and consent signed by the complainant, from which it emerges that:

in point 1, entitled "Purpose of data processing", it is indicated that "the data processing is aimed solely at the correct and complete execution of my professional task connected with the massage therapy and osteopathy activities carried out to protect your health";

in point 6, entitled "dissemination of data", it is indicated that "clinical data are not subject to dissemination except for the purposes of scientific research. To carry out this assignment, the professional may also become aware of and use health data, for the processing of which, in compliance with the regulatory provisions referred to above (art. 6 of the EU Regulation), express consent is hereby requested".

With a note of XX, the School, in response to a request for information from the Office of XX (prot. no. XX), declared that the personal data contained in the aforementioned thesis "are not published either on websites or on other information channels, whether paper or digital" and "are not accessible by third parties".

On the basis of the elements acquired during the preliminary investigation, the Office, with a deed of XX (prot. no. XX), notified on the same date by certified email, initiated, pursuant to art. 166, paragraph 5, of the Code, with reference to the specific unlawful conduct referred to therein, a procedure for the adoption of the measures referred to in art. 58, par. 2 of the Regulation against Ms. Brambilla, inviting her to submit defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981).

In particular, with the aforementioned document the Office found that Ms Brambilla:

processed data on the complainant's health as part of the completion of a training course (final thesis) in a manner that does not comply with the regulations on the protection of personal data;

provided the complainant with an information notice lacking the essential elements referred to in art. 13 of the Regulation;

communicated, without a suitable legal basis, the aforementioned data on the complainant's health to third parties (specifically the thesis supervisor and the School) who, moreover, are not indicated among the recipients of the data in the information notice on file;

carried out processing in violation of the principle of correctness, since, following an express request from the complainant, she denied having written the thesis on the complainant's clinical case, sending her a thesis different from the one actually presented to the School (documentation on file);

all this in violation of art. 5, par. 1, lett. a), 6, 9, 12 and 13 of the Regulation.

With a note dated XX (received by certified email on XX), Mrs. Brambilla, through her lawyers, sent a document called "corrective action documentary integration" describing the actions undertaken following the opening of the procedure by the Office, aimed at a "revision of its privacy management system by analyzing and intervening, from a technical and organizational point of view", and also having "relevance pursuant to art. 83, par. 2, lett. c) and d)". In particular, these actions concerned various areas, including:

training, through the participation of Mrs Brambilla herself in various courses on the processing of personal data in the healthcare sector;

the review of the information to be provided to interested parties:

I. "with the indications of the Guarantor regarding the inaccuracies contained therein regarding the identification of the legal basis and the missing information";

II. with the indication of the "consent referred to in art. 9, par. 2, lett. a) […] as the legal basis for the health data, since the profession of the respondent, although processing health data, is not included among the professional orders with the related obligation of professional secrecy; therefore, it is believed to be the most suitable to make up for the regulatory coverage given by the professional secrecy imposed by law, which is otherwise missing here. No reference to research and/or study reasons has been included, as the respondent has now completed her educational path";

the adoption of "a model for the appointment of data processors for any external collaborators (processors)";

the drafting of an impact assessment pursuant to art. 35 of the Regulation;

the adoption of specific technical and organizational measures.

In light of the above, Ms Brambilla, without requesting to be heard pursuant to art. 166, paragraph 6 of the Code, requested that "no sanctions should be applied to [her] [...]; alternatively, in the denied and not believed hypothesis of the imposition of sanctions, we ask that they be calculated at the statutory minimum for the reasons expressed above".

2. Outcome of the preliminary investigation

Having taken note of what is represented by Mrs. Brambilla in the documentation on file and in the aforementioned document called "documentary integration and corrective actions", it is noted that:

"personal data" means "any information relating to an identified or identifiable natural person ("data subject")". Furthermore, "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characteristic of his physical, physiological, genetic, psychological, economic, cultural or social identity" (art. 4, no. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter the "Regulation");

pursuant to the Regulation, personal data must be "processed in a lawful, correct and transparent manner towards the interested party («principle of lawfulness, correctness and transparency»)", "collected for specific, explicit and legitimate purposes, and subsequently processed in a way that is not incompatible with these purposes («purpose limitation principle»)", "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed («data minimization principle»)" and "processed in a manner that guarantees adequate security, through adequate technical and organizational measures («integrity and confidentiality principle»)" (art. 5, par. 1, lett. a), b), c) and f) of the Regulation);

with specific reference to particular categories of data, including health data, art. 9 of the Regulation establishes a general prohibition on the processing of such data unless one of the specific exemptions referred to in paragraph 2 occurs;

the Guarantor has repeatedly highlighted that, with the full application of the Regulation, unlike in the past, the healthcare professional, subject to professional secrecy, must no longer request the patient's consent for the processing operations necessary for the healthcare service requested by the interested party, regardless of whether he or she works as a freelancer (in a medical practice) or within a public or private healthcare facility (see the provision "Clarifications on the application of the regulations for the processing of health-related data in the healthcare sector" of 7 March 2019, available on www.gpdp.it, web doc. no. 9091942). On this point, it should be noted that osteopathy has been recognized as a healthcare profession by Presidential Decree no. 131/2021, according to which the osteopath "carries out osteopathic manipulative treatment safely and respecting the patient's dignity and sensitivity". Numerous trade associations have adopted codes of ethics which provide for specific obligations of secrecy on the part of osteopaths in the processing of patient data (e.g. Register of Italian Osteopaths of 26 June 2021; Italian Association of Professional Osteopaths of 13 September 2012, updated to October 2020; Association of Exclusive Osteopaths of 16.12.2020);

in cases where the processing is not strictly necessary for treatment purposes and the legal basis of the processing is the consent of the interested party, taking into account the nature of such data, which is particularly sensitive in terms of fundamental rights and freedoms, such consent must be given through a positive act with which the interested party expresses a free, specific, informed and unequivocal will relating to the processing of personal data concerning him or her (art. 9, par. 2, lett. a) of the Regulation and par. 4 of Guidelines 5/2020 on consent under Regulation (EU) 2016/679, adopted by the European Data Protection Board on 4 May 2020);

communication of personal data means "giving knowledge of personal data to one or more specific subjects other than the interested party, the representative of the controller in the territory of the European Union, the processor or its representative in the territory of the European Union, or the persons authorized, pursuant to article 2-quaterdecies, to process personal data under the direct authority of the controller or processor, in any form, including by making them available, consulting or interconnecting them"; dissemination means "giving knowledge of personal data to undetermined subjects, in any form, including by making them available or consulting them" (art. 2-ter, paragraph 4 of the Code);

the regulations on the protection of personal data also provide that information on the state of health cannot be disseminated and can be communicated only to the interested party, and can be communicated to third parties only on the basis of a suitable legal basis or upon indication of the interested party, subject to the latter's written authorization (art. 2-septies, paragraph 8 and art. 166, paragraph 2, of the Code and art. 9 of the Regulation);

the principles of transparency and correctness also imply that the interested party is informed of the existence of the processing and its purposes, and that the personal data are processed by providing the interested parties with the information referred to in art. 13 of the Regulation (recital no. 60 and art. 5, par. 1, lett. a) of the Regulation). The information must then be provided in a concise, transparent, intelligible and easily accessible form, using simple and clear language (recital 58 and art. 12 of the Regulation);

in case of collection of personal data from the interested party, the data controller must provide him or her, at the moment in which the personal data are obtained, with all the information indicated in art. 13 of the Regulation;

however, the regulations on the protection of personal data do not apply to anonymous data. In this regard, it is also worth specifying that "(...) information that does not refer to an identified or identifiable natural person or to personal data made sufficiently anonymous to prevent or no longer allow the identification of the interested party" is considered anonymous, and this also applies to processing carried out for statistical or research purposes (see recital no. 26 of the Regulation). The risk of re-identification of the interested party must, however, be carefully assessed, taking into account "all the means, [...], which the data controller or a third party can reasonably use to identify said natural person directly or indirectly. To ascertain the reasonable probability of using the means to identify the natural person, consideration should be given to all objective factors, including the costs and time required for identification, taking into account both the technologies available at the time of the processing and technological developments" (see recital no. 26 of the Regulation and WP29 Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014). An anonymization process cannot effectively be defined as such if it is not suitable for preventing anyone who uses such data, in combination with "reasonably available" means, from:

1. isolate a person in a group (single-out);

2. link anonymized data to data relating to a person present in a distinct data set (linkability);

3. deduce new information relating to a person from anonymized data (inference);

with specific reference to the publication of clinical cases, the Code of medical ethics approved by the National Federation of Orders of Surgeons and Dentists in 2014 (as amended in 2016 and 2017) provides that "the doctor ensures the non-identifiable nature of the subjects involved in scientific publications or disclosures of data and clinical studies" (art. 11 - Confidentiality of personal data);

the Code of Conduct for the use of health data for educational and scientific publication purposes, approved with the Guarantor's provision no. 7 of 14 January 2021 (web doc. no. 9535354), expressly provides that the processing of personal data carried out for the purposes of scientific research in the medical, biomedical and epidemiological fields does not fall within its scope of application (point 4 of the premises).

Given the above, it is established that Ms Brambilla:

processed data on the complainant's health through the drafting of the final thesis for the "Diploma course in osteopathy" issued by the School, entitled "Osteopathic treatment for trigeminal neuralgia induced by removal of a malignant neoplasm in the Gasser ganglion", a.y. 2020/2021. From the documentation on file it emerges that the aforementioned thesis contains, in the descriptive section of the clinical case, numerous anamnestic and personal details and data through which it is possible, even if indirectly, to identify the interested party. The thesis also includes a clinical document (the "ADL scale" questionnaire) reporting extensive information on the state of health of the interested party, whose personal details were deleted so approximately that the complainant's name and surname remain readable, allowing her identity to be associated with the extensive information on her state of health. The manual deletion procedure cannot be regarded as suitable for anonymising the personal information of the clinical case described, nor can it be regarded as a "pseudonymisation" procedure within the meaning of art. 4, no. 4 of the Regulation, being rather a simple manual obscuring of the personal details of the persons concerned (see, in this regard, the provisions of 17.9.2020, web doc. no. 9479364 and no. 9479382, and of 2.3.2023, web doc. no. 9870171). Therefore, the extensive health information present in Ms Brambilla's work qualifies as health data, as it allows the identification, albeit indirect, of the complainant;

carried out processing of data on the complainant's health for the purpose of the scientific publication of the final paper of a training course in a manner that does not comply with the rules on the protection of personal data since, as already noted by the Authority in the aforementioned Code of Conduct, this purpose should have been pursued through the processing of anonymised data in light of WP29 Opinion 05/2014 or, where anonymisation of the data was not possible (e.g. due to the peculiarities of the clinical case described), she should have obtained a specific and informed consent from the interested party, which cannot be found in the consent on file, as that consent is neither specific nor informed with regard to the purpose in question (see the Code of Conduct for the use of health data for educational and scientific publication purposes, approved with the Guarantor's provision no. 7 of 14 January 2021, web doc. no. 9535354). In fact, although the information notice contains a generic reference to the dissemination of clinical data "for scientific research purposes" (a purpose which Ms. Brambilla declares she does not pursue) (point 6 of the notice, entitled "Dissemination of data"), this activity was not indicated among the purposes of the processing (point 1 of the notice);

provided information to the complainant without the essential elements referred to in art. 13 of the Regulation:

as not all the purposes of the processing are indicated (such as the scientific publication activity);

as the legal basis of the processing has been incorrectly identified:

for treatment purposes, in art. 6 of the Regulation, which does not concern health data;

for scientific research purposes, which are subject to the specific sector rules referred to in the Regulation and the Code (articles 5, 6, 7, 9 and 89 of the Regulation; articles 104 et seq. of the Code; provisions relating to the processing of personal data carried out for scientific research purposes, annex 5 to the provision containing the provisions relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of the legislative decree of 10 August 2018, no. 10, web doc. no. 9124510; Ethical rules for processing for statistical or scientific research purposes published pursuant to art. 20, paragraph 4, of Legislative Decree 10 August 2018, no. 101, of 19 December 2018, annex A5 to the Code, web doc. no. 9069637), which constitute an essential condition for the lawfulness and correctness of processing (art. 2-quater of the Code and art. 21, paragraph 5, of Legislative Decree no. 101 of 10 August 2018);

as the right of the interested party to lodge a complaint with the Guarantor is not indicated in the information notice (art. 13, par. 2, letter d) of the Regulation);

communicated, without a suitable legal basis, the aforementioned data on the complainant's health to third parties (specifically the thesis supervisor and the XX School) who, among other things, are not indicated among the recipients of the data in the information notice on file;

carried out processing of personal data in violation of the principle of fairness, as, following an express request from the complainant, she denied having written the thesis on the complainant's clinical case, sending her a different thesis from the one actually submitted to the School (documentation on file).

2.1. Critical elements in the information model

In relation to the documentation sent by Mrs. Brambilla together with the defense briefs, while taking favorable note of the corrective actions she has undertaken, it is noted that some specific critical elements persist in the updated information model. In particular, the model does not correctly:

identify the legal conditions for the processing of personal data not belonging to particular categories (e.g. the indication of legitimate interest as the legal basis for sending newsletters);

indicate the legal bases for any transfer of data abroad;

indicate the data retention period, for which a contradictory wording is given ("the data will be retained until the contract is in place and this is terminated for a maximum of 2 years and in any case for the time necessary to satisfy the purpose of the collection and in any case the legal requirements");

The aforementioned model also contains contradictory aspects with reference to the use of patients' personal data for the purposes of "sending newsletters" and "sending promotional material". In particular, in the "sending newsletters" section of the information model it is stated that no newsletters are sent, although this activity is listed among the processing operations carried out in the section relating to the legal bases of the processing.

Finally, it is noted that art. 9, par. 2, letter h) and par. 3 of the Regulation may be considered applicable, in light of the elements highlighted above and in particular in consideration of the fact that osteopathy has been recognized as a healthcare profession by Presidential Decree no. 131/2021 and that numerous trade associations lay down specific provisions regarding professional secrecy for their members.

3. Conclusions

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation (and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), the additional elements provided by the data controller in the defense briefs do not allow the findings notified by the Office with the act initiating the procedure to be set aside, as, moreover, none of the cases provided for by art. 11 of Guarantor Regulation no. 1/2019 applies.

For these reasons, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by Mrs. Brambilla, in the terms set out in the reasoning, is noted, in violation of articles 5, par. 1, letter a), 6, 9, 12 and 13 of the Regulation.

In this context, in light of the actions undertaken by Mrs. Brambilla following the start of the sanctioning procedure, it is deemed necessary to enjoin the aforementioned professional, pursuant to art. 58, par. 2, letter d), of the Regulation, to adopt the following corrective measures within 30 days of the adoption of this provision: modification and integration of the information model last transmitted on the basis of the critical elements identified in paragraph 2 of this provision relating to the legal bases of the processing, including those for the possible transfer of data to third countries, and the data retention period.

Having said this, taking into account that:

the complainant's data, including health data, were not disclosed, but communicated "[...] to the training body for the discussion of the thesis. The violation was therefore limited in time and in the number of people (secretary who does not have the task of reading the papers and the teachers who, among other things, are often professionals bound by professional secrecy);

the fact is attributable to behavior of a "culpable" nature: the respondent was convinced that she had obtained consent, which in fact she did, however she confused the research purpose with the teaching purpose, thinking they were equivalent (or rather, ignoring their difference). From this point of view, consider that we are talking about a woman at the beginning of her career who was discussing her diploma thesis in a very small circle; furthermore, it is evident that for a student the rule is absolutely not easy to understand";

Ms. Brambilla, in order to mitigate the effects of the violation, at the same time as the start of the investigation relating to the proceeding in question, "Firstly [...] requested the secretariat [of the Training School] not to communicate or disseminate the thesis to other subjects";

the same training body has expressly declared that the personal data contained in the aforementioned thesis "are not published on websites or on other information channels, whether paper or digital" and that "they are not accessible by third parties";

partially suitable measures have been implemented to prevent the recurrence of similar events;

no further complaints have been received nor have any further sanctions been imposed against Ms Brambilla who immediately collaborated with the Authority;

the data controller is a natural person with a turnover that in the year 2022 reached an amount equal to XX Euros (as per the documentation on file);

the circumstances of the specific case lead to classifying it as a "minor violation", pursuant to recital 148 of the Regulation and the WP 253 Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679, allowing the conclusion that, in relation to the case in question, it is sufficient to warn Ms Alice Brambilla, the data controller, pursuant to art. 58, par. 2, letter b) of the Regulation, in relation to the ascertained violation of the provisions contained in articles 5, par. 1, letter a), 6, 9, 12 and 13 of the Regulation.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE ABOVE CONSIDERED, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter a) of the Regulation, declares the unlawfulness of the processing of personal data carried out by Mrs. Alice Brambilla, CF XX, XX, for the violation of the basic principle of processing referred to in art. 5, par. 1, letter a), and of articles 6, 9, 12 and 13 of the Regulation, within the terms set out in the reasoning;

b) pursuant to art. 58, par. 2, letter b) of the Regulation, warns the aforementioned Mrs. Brambilla, as controller of the processing in question, for having violated articles 5, par. 1, letter a), 6, 9, 12 and 13 of the Regulation, as described above;

ORDERS

pursuant to art. 58, par. 2, letter d), of the Regulation, Ms. Alice Brambilla, within 30 days of notification of this provision, to modify and integrate the information model on the basis of the critical elements identified in paragraph 2.1 of this provision relating to the legal bases of the processing, including those for the possible transfer of data to third countries, and the data retention period.

In this regard, Ms. Alice Brambilla is requested to communicate what initiatives have been undertaken in order to implement the measures enjoined by this provision and to provide adequately documented feedback, pursuant to art. 157 of the Code, within 20 days of the expiry of the deadline indicated above; any failure to respond may lead to the application of the administrative fine provided for by art. 83, paragraph 5, of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 26 October 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei