Garante per la protezione dei dati personali (Italy) - 9955372: Difference between revisions


Latest revision as of 15:46, 5 December 2023

Garante per la protezione dei dati personali - 9955372
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 9(2)(g) GDPR
Article 166 Codice Privacy
Article 2-septies para 8 Codice Privacy
Article 2-ter Codice Privacy
Article 22 Decreto Legislativo No. 33 of 2013
Type: Complaint
Outcome: Upheld
Started:
Decided: 26.10.2023
Published:
Fine: 20,000 EUR
Parties: Lombardy Region
National Case Number/Name: 9955372
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: GARANTE PER LA PROTEZIONE DEI DATI PERSONALI (in IT)
Initial Contributor: Luca Brocca

The Italian DPA fined the Lombardy Region €20,000 for breaching Articles 5, 6(1)(c) and (e), and 9 GDPR, relating to the improper dissemination of sensitive employment-related details.

English Summary

Facts

The Lombardy Region, acting as the data controller, published personal data of approximately 732 workers on its institutional website. The data included details related to the employment relationship, legal proceedings, remuneration, length of service, qualifications, and, notably, information about a worker's health.

The publication of this information was then brought to the attention of the Italian DPA by two Trade Union Associations.

In response, the DPA asked the controller for clarifications. The controller explained that the publication occurred in the context of fulfilling transparency obligations under Article 22 of Legislative Decree 33/2013.

The controller also contended that it did not process the data received from the relevant employees in its capacity as their employer. Instead, it did so solely to fulfil its obligation to publish data relating to transactions between legal entities. Since it did not act as an employer, it argued, it could not be held responsible for guaranteeing the principles of data minimisation, data accuracy and transparency. The controller further emphasised that the publication took place during the pandemic emergency, which limited its capacity to review the documents. Thus, the controller stated that its liability for the dissemination of the data in question could be considered mere negligence in a sporadic episode occurring in an exceptional situation.

Holding

The Italian DPA declared the processing illegal.

Firstly, the DPA recalled that data processing by a public entity may be carried out only if necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest, pursuant to Article 6(1)(c) and (e) GDPR. It further noted that, pursuant to Article 9(2) GDPR, the controller correctly processed health data for the purpose of public interest. However, given the nature and sensitivity of health data, such data must not be disseminated, and the controller must in any case comply with the general principles of Article 5 GDPR, namely data minimisation.

Secondly, the DPA addressed the controller's claim that the publication of the data was in line with the transparency obligations under Article 22 of Legislative Decree 33/2013. The DPA rejected this justification. It emphasised that the legislation did not authorise such extensive publication of personal data, in particular details of the employment relationship, the income of each worker and possible legal proceedings. It also recalled the prohibition on disseminating workers' health data.

Therefore, the DPA found a violation of Article 5 GDPR, Article 6(1)(c) GDPR and Article 9 GDPR.

The duration of the illegal data dissemination was a significant factor considered by the DPA when determining the fine. Mitigating factors included the controller's prompt removal of the data once it learned of the complaints brought to the DPA, and the challenging circumstances of the pandemic emergency. However, the DPA stated that these circumstances did not absolve the controller of its responsibility to comply with data protection law. Therefore, the DPA imposed a €20,000 fine.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9955372]

Provision of 26 October 2023

Register of measures no. 496 of 26 October 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

At today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Guido Scorza, member, and Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, no. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC" (hereinafter the "Code");

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and at www.gpdp.it, doc. web no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

Having examined the documents on file;

Having seen the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Rapporteur: Prof. Pasquale Stanzione;

PREMISE

1. Introduction.

Following a specific report from the trade unions FILT-CGIL Milan and FILT-CGIL Lombardia (see notes of XX and XX on file), who complained, through their lawyer, of an alleged violation of the regulations on the protection of personal data concerning the dissemination of personal data of numerous employees of some companies that manage the local public transport service in the territory of the Lombardy Region (hereinafter "Region") (Milano Serravalle – Milano Tangenziale S.p.A., Autostrada Pedemontana Lombarda S.p.A. and Serravalle Engineering S.r.l.).

In particular, it was represented that in XX, following a contract signed on XX, stipulated between the Region and FNM S.p.A. for the purchase by the latter of the shares of Milano Serravalle S.p.A. held by the Region, the sale of which was completed on XX, "several employees [of the companies indicated above] discovered that, by typing their name and surname into any search engine, a hyperlink appeared to the draft contract between the Lombardy Region and FNM S.p.A., the annexes of which included the lists of employees of the companies involved in the operation, including data relating to the employment relationship, the income received (subdivided by income item) and a list of all pending judicial proceedings with the workers", as well as some references to the health conditions of some data subjects.

The file containing the aforementioned contract and the related attachments "was freely downloadable at the address: h t t p: / / a r e a d o c u m e n t a l. s e r v i z i r l. i t / a t t i / d o w n l o a d /AAAAYBnbrd+mLfAGu+72pN0QYxN3M4aK32vCcmNvmk8hVXf3fjep0bQsNQj83pEB8s71Yi8i1bmZ6ilacUQ+3TLTOnwobNcDzbSO170LzkdlLk5YAfpSeqi yKphfOg32bohXSgAAAICcF/C7UmdgDnC9xEGz8zuE2iFMHjU8OyA+9y/77kJ+AfRKA8burSpa3whChTFo9qghRK+HEdmBuqhJxYfinguljazz1gh03r3cI4gcyjiY9nmBMnG0i2A+Cq1DzeQaK9Fsh hAsIzDLJx49QLU9rnsbOLEFZbOgq8Vpu2ogmAUdBgAAAAij5x8J0D/y/A==”, whose domain “servizirl.it” would be registered in the name of the Lombardy Region. “Only following the intervention of the union representatives was the file finally removed, after having been freely accessible to anyone for over a year”.

According to what is reported in the report, "as part of the negotiations for the signing of the purchase and sale contract and the due diligence operations, the companies Milano Serravalle S.p.A., Autostrada Pedemontana S.p.A. and Serravalle Engineering have communicated, pursuant to and for the purposes of art. 14 Reg. 2016/679, to the Lombardy Region and FNM S.p.A. the names of employees, divided by category pursuant to art. 2095 of the Civil Code, the tasks performed by each person, the profile held, the monthly salary, the gross annual salary, the benefits enjoyed and the amount of the performance bonus received". In particular, attached to the published resolution was "the list of all pending disputes with workers, indicating for each the name of the employee, the proceeding authority, the reasons for the dispute, the hearing dates and the value of the dispute".

2. The preliminary investigation activity.

With note of XX, prot. no. XX, and subsequent additions, the Region, in response to a request for information from the Guarantor (note prot. no. XX of XX), declared, in particular, that:

- "the [...] Region has published, on the institutional portal of the Lombardy Region (publication area for deliberative documents), Regional Council Resolution no. XX of XX concerning the disposal of the shareholdings held in Milano Serravalle – Milano Tangenziale S.p.A. and the related shareholding purchase and sale contract, including the annexes. As regards the number of workers involved and the types of information referring to them, please refer to Paragraph 9.18 (Employees), Paragraph 9.19 and Annex 9.18.1 (a), (b), (c) of the purchase and sale contract";

- "a count carried out shows that the workers involved are 732 and the information relating to them mainly concerns: disputes, remuneration, length of service, qualification and career aspects in general";

- "the online dissemination of the resolution and the related contract for the purchase and sale of the shareholdings took place to fulfill a legal obligation established by Union or Member State law (art. 6, par. 1, letter c) EU Reg. no. 679/2016) and, in particular, the obligation of transparency referred to in art. 22, par. 1, letter d-bis of Legislative Decree No. 33 of 2013 (titled "Obligations to publish data relating to supervised public entities, and private law entities under public control, as well as shareholdings in private law companies"), according to which "1. Without prejudice to the provisions of article 9-bis, each public administration annually updates: [...] d-bis) the provisions relating to the establishment of publicly held companies, the purchase of shareholdings in already established companies, the management of public shareholdings, the sale of shareholdings, listing of publicly controlled companies on regulated markets and periodic rationalization of public shareholdings, provided for by the legislative decree adopted pursuant to article 18 of law 7 August 2015, no. 124";

- "in this regard, it is highlighted that on XX, the documentation in question was removed as a precaution following reports from interested parties" therefore "the period of time in which such data and information were available on the web page ranges from XX to XX”;

- “the publication of Regional Council Resolution no. XX of the XX took place [...] in a period in which the Lombardy Region, more than what was happening in other parts of Italy, was in full covid emergency. Period in which the Region had to deal immediately and in a difficult situation with the numerous requests deriving from health, social and economic needs. All this with almost all the staff working remotely with consequent communication and operational difficulties";

- "therefore, the difficult moment described did not facilitate a detailed analysis of the act at the time of publication, despite the presence of suitable procedures, always followed in strict compliance with the legislation on privacy, relating to the analysis and verification of the documents intended for publication. Added to this is the complexity of the operation covered by the act in question, deriving from the particular economic impact and the particular transparency needs connected to operations of this nature, which have led to a preference for a rigorous, non-restrictive application of the obligations of advertising”;

- "the episode that occurred must therefore be considered completely atypical with respect to the practice constantly followed by the Region and attributable, as mentioned, to the combination of the organizational difficulties encountered during the lock-down period and the need to guarantee maximum transparency to a economic operation of notable public and political importance. The atypical nature of the violation compared to the organizational practice followed by the Region is, moreover, made clear by the timeliness and completeness of the "reaction" activated as soon as it became known. In fact, not only were the documents in question promptly removed, but the staff were also provided with useful instructions to prevent violations in the future".

With note of XX, prot. no. XX, the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Region, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, 6 and 9 of the Regulation and articles 2-ter and 2-septies, paragraph 8, of the Code, inviting the aforementioned controller to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of law no. 689 of 24 November 1981).

The Region, with a note dated XX, sent its defense briefs representing that:

"the [Regional Council resolution] XX of XX and the related annexes containing the personal data of the data subjects were published not in the context of the employment relationship and the processing of workers' data by the employer, but in compliance with an obligation of publicity and transparency, imposed on the Lombardy Region, a public body, in the context of the execution of a contract between legal entities. Complaints against the Region cannot therefore be addressed to it as data controller in the capacity of 'employer of the data subjects'";

"similarly, the complaint relating to the fact of not having made the data unintelligible is unfounded, since the verification of the data contained in the documents and compliance with the principles of minimisation, accuracy and transparency was not the responsibility of the Region, as it was not the employer in contact with the workers, the data subjects, and as it is not the controller making the communication pursuant to art. 14 GDPR";

"the Lombardy Region did not process workers' data as an employer. Instead, it processed the data contained in the documents sent to it by the respective controllers for the purpose of the publications it was required to make, as a public body and contracting party to a transaction between legal entities. This processing was lawful, in compliance with Article 6 GDPR, finding its legal basis and purpose in the obligations imposed by Article 22 letter d-bis of Legislative Decree 33/2013, 'Obligations to publish data relating to supervised public bodies, and private law bodies under public control, as well as shareholdings in private law companies'";

"as regards the processing methods and the general principles referred to in Article 5 GDPR, it is necessary to specify that, since it is a transaction between legal persons and since the obligation to publish concerns, as can clearly be seen from the regulatory text, data of legal persons, which are excluded from the scope of application of the GDPR and the Privacy Code, the Region cannot be blamed for not having paid the same attention and care to the processing of data required by law as it usually does for operations which directly involve the processing of data of natural persons";

"in this situation, the Region's conduct is certainly reprehensible for not having paid, with a view to full accountability, further attention to the verification of the data contained in the attachments sent to it (although not its own), privileging the full fulfilment of its publicity obligations and limiting itself to publishing in full the documents that the controller bodies had sent to it, in order to avoid the sanction of ineffectiveness linked to the failure or incomplete publication of the data relating to the bodies and the consequent prohibition on the disbursement of sums. This is evidently a precaution that will be implemented in the future, but attributable to a level of responsibility that cannot go beyond a mere culpa in vigilando, and, in any case, slight";

"In order to avoid the repetition of even merely accidental events even in anomalous situations, the Region has already taken steps to prepare a further in-depth analysis and impact assessment of the publication treatment on the institutional portal";

“the interested parties are not regional employees. The data were not collected or drawn up by the Region, which limited itself to publishing the documents, as transmitted by the relevant owners, employers, companies involved in the transaction. As mentioned in the previous notes, the publication of the Regional Council Resolution also took place in a period in which the Lombardy Region, more than what was happening in other parts of Italy, was in full pandemic emergency. Period in which the Region had to deal immediately and in a difficult situation with the numerous requests deriving from health, social and economic needs. The difficult moment described did not facilitate a detailed analysis of the document at the time of publication, despite the presence of suitable procedures, which have always been followed in strict compliance with the legislation on privacy. This is also determined by the innocent belief of having received the documentation already adequate to comply with the principles of necessity, proportionality and relevance";

"however accidental the disputed event was, the Region has already committed itself, and hereby reiterates its commitment, for the future, to pay greater attention also to what is transmitted to it and also in transactions or relationships involving mere legal entities ”;

"a charge against the Region, in this case, cannot be made against it as the employer of the data subjects, nor can it derive from the mere fact that they are 'employees of the companies that manage the public transport service in the Lombardy territory' as a matter of 'territorial' liability, nor as strict liability for the fact that the domain is registered in its name, but only in terms of a slight fault deriving from not having paid greater attention to the analysis of the documents sent to it before proceeding, in fulfilment of its transparency obligations, to the publication of the resolution to which they were attached, placing excessive 'reliance' on the correctness of the documentation sent to it";

"the responsibility of the Region in the dissemination of the 'controversial' data can be configured as a mere culpa in vigilando, in a sporadic episode which occurred in the absolutely exceptional context of an operation between legal entities, therefore not directly affected by the privacy legislation, and in historical circumstances that saw the Region in full pandemic emergency, with reduced staff and struggling with the first experiences of remote working, with the consequent operational difficulties";

“The Lombardy Region proceeded with the appropriate removal of the data as soon as requested by the interested parties, showing maximum collaboration and availability”;

"The Lombardy Region is equipped with a complex organizational structure for the protection of personal data, its own DPO, a Register of processing activities which is constantly updated and implemented, also on the basis of the privacy by design and privacy by default analysis of processing operations and of the DPIAs carried out for high-risk processing";

“operational instructions on the correct processing of personal data are provided to newly hired employees [...]; System Administrators are designated, constant training is carried out in order to keep the Structure attentive to privacy legislation and new operational needs. Data protection policies are drawn up, updated information for processing, a register of requests and a page dedicated to staff with infographics and templates to use";

"the EDMA platform, used for drafting and publishing resolutions in the Region, was the subject of further detailed analysis, and a working group was created to define the correct rules for the retention and removal of data, documents and information subject to mandatory publication";

"This is not data relating to criminal convictions and offences. The data whose dissemination is complained of are all inherent to the employment relationship and were transmitted to the Region by the respective employers. It also appears that the data relevant under art. 9 GDPR are isolated cases. The documents subject to publication were sent to the Lombardy Region, not drawn up by it, nor did the Region collect said data in its capacity as controller, but was in turn the recipient of it via communication from the controller".

The Region did not request to be heard by the Guarantor pursuant to art. 166, paragraph 6, of the Code.

3. Outcome of the preliminary investigation.

3.1 The regulatory framework

The personal data protection regulations provide that the processing of personal data by public entities can only be carried out if necessary "to fulfill a legal obligation to which the data controller is subject" or "for the performance of a task carried out in the public interest or connected to the exercise of public powers vested in the data controller" (art. 6, par. 1, letters c) and e) of the Regulation).

Such processing must, however, be based on Union or Member State law, which must pursue an objective of public interest and be proportionate to the pursuit of the same. The purpose of the processing must be necessary for the execution of a task carried out in the public interest or connected to the exercise of public powers vested in the data controller (see art. 6, par. 3, of the Regulation and art. 2-ter of the Code).

With regard to the particular categories of personal data, including those relating to health (in relation to which there is a general prohibition on processing, with the exception of the cases indicated in art. 9, paragraph 2 of the Regulation and, in any case, a stricter guarantee regime with respect to other types of data, in particular as a result of art. 9, par. 4, as well as art. 2-septies of the Code), processing is permitted where "necessary for reasons of substantial public interest on the basis of Union or Member State law, which must be proportionate to the purpose pursued, respect the essence of the right to data protection and provide appropriate and specific measures to protect the fundamental rights and interests of the data subject" (art. 9, par. 2, letter g), of the Regulation). The national legislator has defined the public interest as "substantial" for processing "carried out by subjects carrying out tasks of public interest or connected to the exercise of public powers" in the matters indicated, albeit not exhaustively, by art. 2-sexies of the Code, establishing that the related processing "is permitted if provided for by European Union law or, in the internal system, by legal provisions or, in the cases provided for by law, regulations that specify the types of data that can be processed, the operations that can be performed and the reason of substantial public interest, as well as the appropriate and specific measures to protect the fundamental rights and interests of the data subject".

In any case, data relating to health, i.e. those "related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status" (art. 4, par. 1, no. 15 of the Regulation), owing to the stronger guarantees recognized by the Regulation and the Code in view of the particular sensitivity of this category of data, "cannot be disseminated" (art. 2-septies, paragraph 8, of the Code).

The data controller is, in any case, required to respect the general principles regarding the protection of personal data (art. 5 of the Regulation).

3.2 The online dissemination of personal data of employees of companies that manage the local public transport service in the Lombardy Region

As can be seen from the documents, as well as from the assessment carried out on the basis of the elements acquired, following the preliminary investigation and subsequent assessments of the Office, it is ascertained that the Region has published, from XX to XX on its institutional website, the " Regional Council Resolution no. XX of the XX concerning the disposal of the shareholdings held in Milano Serravalle – Milano Tangenziale S.p.A. and the related shareholding purchase and sale contract, including the attachments" and that the file containing the aforementioned contract and the related attachments "was freely downloadable at the address: h t t p: / / a r e a d o c u m e n t a l e. s e r v i z i r l. i t / a t t i / d o w n l o a d /AAAAYBnbrd+mLfAGu+72pN0QYxN3M4aK32vCcmNvmk8hVXf3fjep0bQsNQj83pEB8s71Yi8i1bmZ6ilacUQ+3TLTOnwobNcDzbSO170LzkdlLk5YAfpSeqi yKphfOg32bohXSgAAAICcF/C7UmdgDnC9xEGz8zuE2iFMHjU8OyA+9y/77kJ+AfRKA8burSpa3whChTFo9qghRK+HEdmBuqhJxYfinguljazz1gh03r3cI4gcyjiY9nmBMnG0i2A+Cq1DzeQaK9Fsh hAsIzDLJx49QLU9rnsbOLEFZbOgq8Vpu2ogmAUdBgAAAAij5x8J0D/y/A==”.

Even though, as stated by the Region, these data "were not published within the work context and the processing of workers' data by the employer", the Region relies on the transparency obligations referred to in art. 22 of Legislative Decree 14 March 2013, no. 33, which in its opinion would have justified the dissemination of the personal data of the workers (who are not employees of the Region) contained, in particular, in the annexes to the draft contract (attached to resolution XX of the XX). It must be pointed out, however, that these provisions do not provide for the publication of data relating to the employment relationship of the employees of the companies concerned, including, among others, the income received by each worker, broken down by income item, nor the list of judicial proceedings pending against individual workers.

In particular, paragraph 1, letter d-bis) of art. 22 of the aforementioned decree provides, among the obligations to publish data relating to supervised public entities and private-law entities under public control, exclusively for the publication of "provisions regarding the establishment of publicly held joint-stock companies, purchase of shareholdings in already established companies, management of public shareholdings, sale of shareholdings", without any specific and direct obligation to publish the "identifying data, classification, qualification, date of hiring and seniority of service, as well as the overall company cost in terms of gross annual salary and other remuneration elements" referring to individual workers (see point 9.18.1 of the contract template attached to the acknowledgment note of the XX), nor the "judicial proceedings pending with the workers" (see annex 9.18.12 to the draft contract).

The legislation, in fact, does not authorize the publication of such personal data, but exclusively provides for a specific regime of disclosure of "measures relating to the establishment of publicly held companies, purchase of shareholdings in already established companies, management of public shareholdings, sale of shareholdings, listing of publicly controlled companies on regulated markets and periodic rationalization of public shareholdings" by public administrations, to be updated annually.

In this regard, in the present case, Regional Council Resolution no. XX of the XX contained, as an attachment, the list of approximately 732 employees of the aforementioned companies and, in particular, information mainly referring to the "disputes, remuneration, length of service, qualification and in general career aspects" of the workers.

From the documentation on file it also emerges that, in the case of one employee, information relating to health was also reported, concerning a claim for compensation for damage caused to the worker's health as a result of oppressive behavior on the part of the employer (see par. 9.18.12 and 9.19 of the aforementioned resolution).

In reiterating that the personal data protection system requires an appropriate legal basis for any processing operation (art. 4, point 2 of the Regulation), including dissemination (art. 2-ter, paragraph 4, letter b) of the Code), it should be noted that the Guarantor has long provided indications regarding the prerequisites (and, where these are met, the specific methods) for the lawful publication, including online, of deeds and documents containing personal data (see provision of 15 May 2014 no. 243, "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for publicity and transparency purposes on the web by public entities and other obliged bodies", web doc. no. 3134436).

In this regard, it should be remembered (leaving aside, in any case, the prohibition on the dissemination of data relating to health) that the Guarantor has clarified on several occasions that even the possible existence of a specific publicity regime (a circumstance which in any event does not occur in the case in question) cannot involve any automatism with respect to the online dissemination of personal data and information, nor any derogation from the principles regarding the protection of personal data (see the Guidelines cited above). This is also confirmed by the personal data protection system contained in the Regulation, under which the data controller must implement "appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed" and must be "able to demonstrate", in light of the principle of "accountability", that it has done so (arts. 5, par. 2; 24 and 25, par. 2, of the Regulation).

In this context, before proceeding with the publication of the resolution and its annexes, the Region should have noticed the presence of personal data relating to numerous workers and, consequently, should have verified the existence of a law or regulation that legitimized such publication, in compliance with the principle of lawfulness (see art. 5 of the Regulation).

Considering also that the published document contained a reference to a dispute concerning compensation for damage caused to the worker's health as a result of oppressive behavior on the part of the employer, it must be concluded that the dissemination also concerned data relating to health, i.e. data "related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status" (art. 4, par. 1, no. 15 of the Regulation; see also recital 35 of the same).

This category of data also includes the mere reference to "any information from which one can deduce, even indirectly, the state of illness or the existence of pathologies of the data subjects" (see the Guidelines cited), as in the present case. Therefore, such data, although relating to a single worker, must be processed in compliance with the stricter regime applicable to data relating to health which, as mentioned, cannot be disseminated (art. 2-septies, paragraph 8 of the Code).

This principle has been reiterated in numerous decisions of the Guarantor with regard to individual cases (see among many, provisions no. 68 of 25 February 2021, web doc. 9567429; no. 255 of 24 June 2021, web doc. no. 9688099; no. 404 of 1 December 2022, web doc. 9842783; no. 405, of 1 December 2022, web doc. 9844727; no. 420 of 15 December 2022, web doc. 9853429; no. 3 of 11 January 2023, web doc. no. 9857610).

Although the episode from which this investigation originated took place "in a period in which the Lombardy Region, more than other parts of Italy, was in full pandemic emergency, a period in which the Region had to deal immediately and in a difficult situation with the numerous requests deriving from health, social and economic needs", and although, as soon as it learned of the matter, the Region immediately took action to ensure the definitive removal of the aforementioned personal data from its website, it must nevertheless be concluded, for the reasons set out above, that the personal data of hundreds of workers (around 730), in one case also relating to health, were published for a long period of time (from XX to XX) on the institutional website of the Region, freely accessible online, in the absence of a legal basis and in breach of the general prohibition on disseminating health-related data, in violation of arts. 5, 6, par. 1, letters c) and e), and 9 of the Regulation and arts. 2-ter and 2-septies, paragraph 8, of the Code.

However, favorable note is taken of the initiatives undertaken by the Region, also with the involvement of the Data Protection Officer, through the creation of "a working group for the definition of the correct rules for the retention and removal of data, documents and information subject to mandatory publication".

4. Conclusions.

In light of the assessments mentioned above, it is noted that the declarations made by the data controller during the investigation (for the truthfulness of which the controller may be held liable pursuant to art. 168 of the Code), although worthy of consideration, do not allow the findings notified by the Office with the act initiating the proceedings to be overcome and are insufficient to allow the dismissal of the present proceedings, given, moreover, that none of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 applies.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Region is established, given that the personal data of numerous workers (around 730), including data relating to the health of one worker, were published from XX to XX on the institutional website of the Region, freely accessible online, in the absence of a legal basis and in breach of the general prohibition on disseminating data relating to health, in violation of arts. 5, 6, par. 1, letters c) and e), and 9 of the Regulation and arts. 2-ter and 2-septies, paragraph 8, of the Code.

The violation of the aforementioned provisions makes applicable the administrative sanction provided for by art. 83, par. 5 of the Regulation, pursuant to arts. 58, par. 2, letter i), and 83, par. 3, of the Regulation, as also referred to in art. 166, paragraph 2, of the Code.

In this context, considering in any case that the conduct has exhausted its effects, given that the aforementioned data have been removed from the institutional website of the Region and from the network, there are no grounds for adopting the further corrective measures referred to in art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (arts. 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to arts. 58, par. 2, letter i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other] [corrective] measures referred to in this paragraph, depending on the circumstances of each individual case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, taking into account art. 83, par. 3 of the Regulation, in the present case the violation of the aforementioned provisions is subject to the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

The amount of the aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined taking due account of the elements provided for by art. 83, par. 2, of the Regulation.

In relation to the aforementioned elements, consideration was given to the particular sensitivity of the personal data disseminated online, which concerned the management of the employment relationship and the ongoing disputes of numerous data subjects as well as, with regard to one worker, data relating to health. Furthermore, the dissemination occurred over an extended period of time (from the XX to the XX). Consideration was also given to the failure to comply with the indications that the Guarantor has long provided to all public entities, both in the Guidelines mentioned above and in numerous provisions on individual concrete cases adopted over the years.

On the other hand, it was taken into consideration that the Region, having become aware of the publication even before the start of the investigation by the Guarantor, carried out all the activities necessary to remove the personal data in question from its institutional website and from the network. It was also taken into consideration that the violation began during a particularly delicate phase (XX) in which the Region was committed to addressing the specific needs arising from the state of emergency. The initiatives taken by the Region were also evaluated, including the creation of "a working group for the definition of the correct rules for the retention and removal of data, documents and information subject to mandatory publication".

Furthermore, there are previous measures under art. 58, par. 2 of the Regulation against the Region, relating to relevant violations.

On the basis of the aforementioned elements, evaluated as a whole, the amount of the pecuniary sanction for the violation of arts. 5, 6, par. 1, letters c) and e), and 9 of the Regulation and arts. 2-ter and 2-septies, paragraph 8, of the Code is set at 20,000 (twenty thousand) euros, a pecuniary administrative sanction deemed, pursuant to art. 83, paragraph 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account that the data disseminated online concerned the personal data of numerous workers, including data relating to health, it is also considered that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should be applied.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the Lombardy Region due to the violation of arts. 5, 6, par. 1, letters c) and e), and 9 of the Regulation and arts. 2-ter and 2-septies, paragraph 8, of the Code, in the terms set out in the reasoning;

ORDERS

the Lombardy Region, in the person of its legal representative pro tempore, with registered office in Piazza Città di Lombardia, 1 - 20124 Milan (MI), C.F. 80050050154, to pay the sum of 20,000 (twenty thousand) euros as a pecuniary administrative sanction for the violations indicated in the reasoning. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Region, in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 20,000 (twenty thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement measures will be adopted in accordance with art. 27 of Law no. 689/1981;

DIRECTS

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the Guarantor's website, considering that the conditions set out in art. 17 of the Guarantor Regulation no. 1/2019 are met.

Pursuant to arts. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself, or within sixty days if the appellant resides abroad.

Rome, 26 October 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE GENERAL SECRETARY
Mattei