Garante per la protezione dei dati personali (Italy) - 9960948

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 16 November 2023
Published:
Fine: 18000 EUR
Parties: Cluster S.r.l.
National Case Number/Name: 9960948
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: carloc

The Italian DPA fined a company €18,000 for a data breach involving sensitive data and data related to the criminal offences of a minor. Contrary to Article 32(1)(b) and (d) GDPR, the company failed to ensure the security of its data processing.

English Summary

Facts

A company called Cluster S.r.l. (the controller) arranged a workshop for postgraduate psychiatry students. The teaching materials included an expert's opinion from a juvenile justice case, which contained details about a deceased minor's (the data subject) medical and criminal history, as well as the personal data of members of his family. The opinion had not been properly pseudonymized: in one section it revealed the data subject's surname. Furthermore, the data had also been published on a third-party website.

A complaint was brought to the DPA by the data subject's mother.

Following a request for information by the DPA, the controller explained that the material in question was shared for training purposes only with the course participants, who were also subject to professional secrecy, and the disclosure of which was expressly forbidden. The controller also added that it had not known that the material had been published on a third-party website.

The controller further clarified that it had uploaded the expert's opinion to its internal system to make it available for the workshop and that, at the request of one of the speakers, it had afterwards emailed the students a URL giving access to the document. The controller's system was not publicly accessible from the Internet, and the URL was the only way for anyone outside the system to reach the expert's opinion. However, the controller also acknowledged that it had failed to verify whether the speaker had removed all the personal data of the data subject and his mother. Finally, the controller suggested that some students may have shared the URL and made it available on the Internet. After learning of the complaint, the controller immediately removed the expert's opinion from its system.

Holding

On the basis of the information provided, the Italian DPA stated that, quite apart from the controller's failure to check whether the author of the expert's opinion had correctly anonymised the data, the controller was obliged to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. This means ensuring the confidentiality of the processing and regularly testing and evaluating the effectiveness of the technical and organisational measures adopted to secure it, in accordance with Article 32(1)(b) and (d) GDPR.

In the case at hand, the DPA noted that the controller processed the personal data of the data subject and his family members in violation of the GDPR, as it failed to adopt adequate measures to ensure confidentiality and to verify the effectiveness of the technical and organisational measures adopted. In particular, the controller had no authentication procedure limiting access to the expert's opinion (knowledge of the URL was sufficient to download it), nor did it assess the adequacy of its anonymisation measures.
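The security failure the DPA identified is a common one: a document sits behind an unauthenticated URL, so anyone the link is forwarded to can fetch it, and the controller has no record of who did. As an added illustration (not from the decision and not the controller's CMS code), the Python sketch below models such a download endpoint in the weak form and in a hardened form that requires an authenticated session, checks enrolment in the specific event, expires and signs the link, and keeps an access log the controller can review when testing its measures. The event name, file path, participant addresses and signing key are constructed placeholders.

```python
# Added illustration (not from the decision and not Cluster's CMS code): a minimal
# model of a course-material download endpoint. weak_download() mirrors the design
# the DPA faulted, where knowing the URL is the only "check"; hardened_download()
# adds what Article 32(1)(b) asks for in practice: authentication, authorisation
# against the event's enrolment list, link expiry, and an access log that lets the
# controller test and evaluate the measure (Article 32(1)(d)).
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample data; event name, addresses and paths are hypothetical placeholders.
ENROLMENTS: Dict[str, Set[str]] = {
    "event-42": {"participant-a@example.org", "participant-b@example.org"},
}
MATERIALS: Dict[str, bytes] = {
    "event-42/expertise.pdf": b"%PDF-1.4 (constructed placeholder content)",
}
LINK_KEY = secrets.token_bytes(32)  # server-side key used to sign download links


def weak_download(url_path: str) -> Optional[bytes]:
    """Design faulted by the DPA: possession of the URL is the only access check."""
    return MATERIALS.get(url_path)


@dataclass
class Session:
    """An authenticated user session (issued by a login flow assumed to exist)."""
    user: str
    expires_at: float


@dataclass
class AccessLog:
    """Per-request audit trail, the raw material for periodic effectiveness reviews."""
    entries: List[dict] = field(default_factory=list)


def make_link(event: str, resource: str, ttl_seconds: int) -> str:
    """Issue a time-limited, signed link; the signature binds the path to its expiry."""
    path = f"{event}/{resource}"
    exp = int(time.time()) + ttl_seconds
    sig = hmac.new(LINK_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{path}?exp={exp}&sig={sig}"


def hardened_download(link: str, session: Optional[Session], log: AccessLog,
                      now: Optional[float] = None) -> Optional[bytes]:
    """Return the file only to a live session of a participant enrolled in the event."""
    now = time.time() if now is None else now
    path, _, query = link.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    event = path.split("/", 1)[0]

    def record(result: str) -> None:
        log.entries.append({"t": now, "user": session.user if session else None,
                            "path": path, "result": result})

    # 1. Authentication: an anonymous request never receives the document.
    if session is None or session.expires_at < now:
        record("denied:unauthenticated")
        return None
    # 2. Authorisation: only participants enrolled in this specific event.
    if session.user not in ENROLMENTS.get(event, set()):
        record("denied:not-enrolled")
        return None
    # 3. Link integrity and expiry: a forwarded link stops working after its TTL.
    try:
        exp = int(params["exp"])
        sig = params["sig"]
    except (KeyError, ValueError):
        record("denied:malformed")
        return None
    expected = hmac.new(LINK_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        record("denied:bad-signature")
        return None
    if exp < now:
        record("denied:expired")
        return None
    data = MATERIALS.get(path)
    if data is None:
        record("denied:not-found")
        return None
    record("allowed")
    return data


def denied_count(log: AccessLog) -> int:
    """Simple metric a controller could review when evaluating the measure's effectiveness."""
    return sum(1 for e in log.entries if e["result"] != "allowed")
```

The point of the three checks is that forwarding the link no longer defeats the control: an outsider with the URL still needs a session for an enrolled account, a modified path fails the signature, and an old link fails the expiry check, while every attempt leaves a log entry the controller can inspect.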

Therefore, considering the duration of the breach and the categories of personal data concerned, the DPA rated the seriousness of the controller's breach as high. Hence, the DPA fined the controller €18,000 for failing to process personal data securely, in violation of Article 5(1)(f) GDPR and Article 32(1)(b) and (d) GDPR.

Comment

Two aspects of the decision are interesting. First, the data subject died before the complaint was filed. The GDPR applies to the personal data of the deceased because of specific rules in Italian law[1].

Second, the complaint was filed long after the workshop took place. The controller claimed that the prescription period of the administrative offence (that is, the violation of the GDPR) had passed[2]. However, the authority held that the violation continued until the controller removed the personal data from its system. As a result, the controller could still be fined.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE Newsletter of 15 December 2023



[doc. web no. 9960948]

Provision of 16 November 2023

Register of measures
n. 527 of 16 November 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Dr. Claudio Filippi, Deputy Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING SEEN Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46/EC";

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and at www.gpdp.it, doc. web no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

HAVING SEEN the documentation on file;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker: Prof. Pasquale Stanzione;

PREMISE

1. The request and the preliminary investigation activity

With a note dated XX, Mrs XX filed a complaint regarding the communication to third parties and the dissemination on the web (see URL: XX) of her personal data, as well as of information relating to the health of, and criminal investigations concerning, her son XX, who died in XX.

In particular, some psychiatric reports drawn up by Dr. XX were visible, as documentation forming part of the "Clinical material that cannot be disseminated, transmitted to the participants of the XX under the obligation of professional secrecy". This document contained a great deal of information on XX (in one section the surname appears in clear) relating to his biography, medical history, medicines taken and crimes for which he was under investigation, as well as on his mother (the complainant in the proceedings in question). This documentation also contains information regarding another subject, called "XX", for whom a psychiatric assessment report was published.

What was declared by the complainant was verified by the Department as part of a preliminary check, carried out and documented on file.

Following the Office's request for information, Dr. XX, author of the aforementioned report, replied (note of XX, prot. no. XX), declaring that:

- "the document from which the complaint presented by Mrs. XX originates is part of the educational material prepared by the undersigned on the occasion of the training event, organized by CLUSTER S.r.l. (Body for the organization of professional conferences in the medical-scientific field) entitled XX, held in XX from 21st to 23rd June XX, and aimed at graduates in Medicine and Surgery, Specialists or Trainees in Psychiatry";

- "as per consolidated practice in training courses for Doctors, on this occasion, the presentation of some "Clinical Cases" was foreseen, useful for commenting on and integrating the theoretical reports held by the various Speakers";

- "my activity (...) involved the presentation of clinical cases through the commentary of Expertise and Consultations, in which I participated personally during the performance of my profession as Technical Consultant for the Prosecutor's Office and the Juvenile Court of XX , and the sharing, (...), of educational material summarizing the case studies presented, on which the following wording was expressly reported: «Clinical material not disseminated and transmitted to the participants of the XX with the obligation of professional secrecy»";

- "it was, therefore, material shared for training purposes only with the course participants, who were also subject to the obligation of professional secrecy (from doctor to doctor) whose disclosure was expressly prohibited";

- "the undersigned believes that he has correctly relied on the obligation of professional secrecy incumbent on the recipients of the teaching material in question, by placing the above-mentioned wording on it";

- "I learn, however, only today, (...), that the document in question was unduly published" and "thus made available on the internet. In strongly reiterating that this is a behavior to which I am totally unrelated (..), I state that in no way can any responsibility be attributed to me nor for the publication of the teaching material - to which, in any case, I have not given any consent – nor for the possibility of finding and "downloading" it by subjects other than the participants in the ECM course to whom this material was exclusively addressed".

Also in light of the doctor's declarations, with a note dated XX, prot. no. XX, the company Cluster s.r.l. (hereinafter "the Company"), which had organized the XX training event, was asked to provide, pursuant to art. 157 of the Code, certain elements of information useful for the evaluation of the case. With a note dated March 1st, the Company responded to the aforementioned request for information from the Authority, declaring, among other things, that:

- “Cluster, in spite of itself, learned only after having read this request for clarification that, even following the successful outcome of the initiatives promoted by Dr. XX, contents continued to be accessible on the web (through a link attributable to the same) and data processed during the realization of the XX event which it believed it had treated with the appropriate precautions and in a way absolutely compatible with the type of data";

- “In short, Cluster was completely unaware that the online dissemination of personal data processed within the XX was taking place (…) and proceeded without delay to remove the contents accessible through the link from its management system (…) making sure that this initiative may have excluded any possible further diffusion";

- "due to the tasks undertaken within the event, Dr. XX therefore transmitted in digital format to Cluster the psychiatric reports drawn up by him at the conclusion of tasks carried out by him as expert witness of the Court of XX, expressly requesting Cluster that such educational material was graphically laid out and made available to participants at the end of the event so that they could consult it and acquire greater awareness of the contents covered";

- "Cluster has therefore uploaded the documentation received onto its management system (CMS - Congress Management System ...) in compliance with the request received, limiting the dissemination of the teaching material only to doctors-surgeons already enrolled in the course (i.e. to subjects required to confidentiality and professional secrecy)”;

- "the documentation in question was formed and in any case prepared by Dr. XX (...) in execution of the tasks assigned to him by the Court of XX and Cluster merely received this documentation in order to carry out the event. It is useful here to underline that these reports, like all the teaching material usually treated on the occasion of medical-scientific events, "belong" to the person who draws them up and forms them and the related intellectual work is protected by art. 1 of Law no. 633/1941 (…)";

- "this means that, by applying the aforementioned discipline to the relationship between Teacher and Provider, the latter is prohibited from making any modification to the intellectual work made available by the teacher, as well as from making use of the teacher's teaching material without your prior authorization. The only margin of maneuver (if it can be defined as such) allowed to the Provider concerns "aesthetic" changes, so to speak, relating to editing or layout, essentially aimed at facilitating consultation of the teaching material during the event";

- "any violations of the provisions in force regarding the processing of personal data contained in the text of the document may be attributed to Cluster solely within the limits of incorrect control activities with respect to the documentation";

- "this does not, however, imply that Cluster should not have paid more attention in verifying that Dr. particular data. Cluster can only reiterate its regret in this regard";

- "in this case the web form for the XX event was activated and, via the website www.clustersrl.it, the 26 participants signed up. The day before the start of the course, as always, the possibility of registering for new participants was inhibited and the course was obscured on www.clustersrl.it. In theory, therefore, the URL in question should no longer have been reachable. As anticipated, at the end of the course, Prof. XX and Dr. XX asked us to make the teaching material presented available to the 26 students involved. It is likely that, in order to facilitate its dissemination among these 26 subjects, this material was uploaded as an attachment on the event web form and that this URL (no longer reachable otherwise) was sent via e-mail to the 26 interested in the in order to allow them to download the PDF containing the reports prepared by Dr. XX";

- "it seems possible to exclude without fear of contradiction that the communication of the data to third parties and their dissemination online could be the result of a poor functioning of the management system itself or of pre-planned or simply negligent conduct by the Cluster";

- "the fact (learned from the invitation to deduce) that the URL generated by the Cluster CMS has been made accessible on the web therefore and certainly follows from illicit conduct carried out by subjects who, unduly and without being in any way authorized to do so by Cluster (nor as far as we have learned from Dr. XX, owner of the intellectual work), have taken possession of data and contents that do not belong to them and have made it lawful to disclose them";

- "the online dissemination, or rather the uploading to the CMS management system, probably took place starting from the end date of the event";

- "the technical and organizational measures usually adopted by Cluster as described in the previous paragraphs are suitable to guarantee the correct processing of personal data collected by the Company which operated in the belief of limiting the circulation of data to what was strictly necessary to execute to the event exclusively aimed at subjects required to respect the duty of confidentiality and professional secrecy".

2. Assessments of the Office on the processing carried out and notification of the violation referred to in art. 166, paragraph 5 of the Code

In relation to the facts described, the Office, with note dated XX (prot. n. XX), notified the Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, inviting it to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).

In particular, the Office, in the aforementioned act, considered that the Company had processed personal, health and judicial data in violation of the basic principles of processing referred to in articles 5, 6, 9 and 10 of the Regulation and, by allowing access to the aforementioned web address without passing through any IT authentication procedure, in violation of the security obligations referred to in art. 32 of the Regulation, as well as of articles 2-septies and 2-octies of the Code.

With a note dated XX, Cluster, recalling what it had already highlighted in the note of XX, sent its defence briefs, in which, in particular, it highlighted that:

- "the factual circumstances set out in note XX converge with the statements made by Dr. XX during the investigation regarding the substantial trend of the historical facts that occurred. In fact, the respective narratives confirm that the teaching material used during the XX was prepared and trained by Dr. XX on the occasion of professional assignments conferred by the Court of XX, just as it appears confirmed that Dr. on the teaching material, has sent the documentation to Cluster so that it could be made available to the participants";

- "no negligent behavior can therefore be contested against Cluster (as the mere addressee/receiver of such educational material) with reference to the processing and initial collection of the health and judicial data used by Dr. XX for the preparation of the psychiatric reports. It is equally believed that we can agree on the fact that Dr. XX was the only person required both to collect the appropriate consent from the interested parties for the data to be transmitted to third parties (including the Cluster itself), and to do what is necessary to anonymize the personal data contained in your report. Consider that Cluster has never had direct relationships with the patients mentioned in the medical reports concerning us";

- "having received the teaching material, Cluster, at the request of Dr. XX, uploaded the teaching material onto the company management system (CMS) without the person in charge paying due attention and accuracy to the content of the documentation received and omitting, in particular, to verify that said material complies with the principles established by the Code regarding data protection";

- "the uploading of the material to the management system is, however, an act that has generated a mere service URL for internal use, in itself unsuitable for causing the dissemination of data (of any type) on the web. The dissemination of the data in question on the web therefore does not follow from the uploading of the data onto the internal management system but depended exclusively on further conduct carried out by one (or more) of the 26 doctors who, having received the URL via e-mail in question, have disseminated the data in violation of the professional secrecy to which they are required due to their qualification";

- "the preceding narrative therefore highlights that the dissemination on the web of personal data belonging to particular categories was made possible only as a result of a series of concurrent illicit conduct starting from the transmission of non-anonymized teaching material by Doctor XX to same Cluster to conclude with the material fact attributable to one or more learners who published the URL in question";

- "therefore, it does not appear incorrect to state that the only possible negligent behavior attributable to Cluster here could only be the sending of the URL by e-mail to the 26 participants, conduct which, even from a causal point of view, it cannot have led to the dissemination of the URL on the web”;

- "Cluster cannot therefore be charged with or sanctioned for any violation relating to the (failure) to collect consent to the processing of the patient's data (which is a duty to which Dr. XX was required, who was also required to make the data anonymous before proceeding with transmission to the same Cluster); similarly, Cluster cannot be charged and consequently sanctioned for the dissemination of the material in question on the web which, as mentioned, is attributable to one or more of the 26 participants in the course";

- "in the case in question (...), the illegitimate conduct possibly attributable to Cluster consists in the mere sending of the URL to the 26 participants and this is the circumstance which indirectly made possible the subsequent dissemination of the data on the web by third parties. However, it must be taken into consideration that: the teaching material (...) does not belong to the Cluster but to the Scientific Responsible, the sole owner of the copyright on the work, a circumstance which, in accordance with the provisions of art. 1 of Law no. 633/1941, prohibits Cluster from making any modification or manipulation of the contents received. It follows that the person who first and foremost did not adopt the appropriate precautions aimed at complying with the obligation of anonymisation of the data is to be identified as the Scientific Manager who prepared the document and sent it to the Cluster to which at most a conduct can be ascribed culprit already identified; the educational material in question was intended for consultation only by subjects who, due to their qualification as doctors, were expressly required to observe an obligation of confidentiality as well as required to respect professional secrecy with an express prohibition on the dissemination and circulation of any data. It follows that the dissemination of the teaching material was made possible as a result of an illicit act by a third party in which Cluster did not even physically take part; the dissemination of the data is not the result of deficiencies relating to IT security measures or a violation of security obligations as the CMS is a technological tool which, by its nature, does not propagate data (of any type) externally";

- “the conduct attributable to Cluster, even from a causal point of view, with respect to the disputed violation can be considered limited or in any case marginal. On the other hand, the conduct of Dr. XX and the students had a decisive causal impact on the causation of the disputed violations";

- “the types of data usually processed by Cluster do not include health data attributable to a specific subject, nor judicial data. The circumstance which is the subject of this proceeding is therefore completely exceptional, anomalous and completely irregular compared to what is the ordinary and usual entrepreneurial activity of the Cluster and occurred due to the choice of the Scientific Managers to use, as teaching material, cases concrete clinicians that they have had the opportunity to get to know as a result of their freelance activity. The processing of particular categories of data is not part of Cluster's ordinary business activity; the number of interested parties involved in the violation: the reconstruction of the facts, carried out following the investigation promoted by the Distinguished Guarantor (thus confirmed both by the narrative of Dr. XX and by that of Cluster) leads to convergence on the fact that the violation contested is to be considered limited to the data of the mentioned subject only";

- "in the absence of elements that allow us to establish with certainty the dies a quem of the disputed violation, it must therefore be considered that its duration is limited between the day on which the Distinguished Guarantor received the complaint from which this proceeding arose and the one in which the contents were actually removed from the web";

- "the violation (has) a "non-intentional" character according to the meaning indicated by the WP253 Guidelines which attribute to the word "unintentional" the absence of the data controller's intention to cause the violation (...); the existence of any malicious or intentional nature must therefore be excluded on the part of Cluster which has already expressed its sincere regret for the incident and which can at most be considered guilty of having transmitted, due to excessive trust in the participants, the material to the learners once the event has concluded”;

- “(…) Cluster was completely unaware that the online dissemination of personal data processed within the XX was taking place (albeit in an absolutely limited manner) and, after having learned with the request for information received pursuant to art. 157 of the Code that not even following the initiatives promoted by Dr. further diffusion”;

- “Cluster therefore believes that it has promptly adopted efficient and effective measures as quickly as possible with respect to the emergence of the violation”;

- "following the disputed violation, Cluster took steps to have the type of data stored on its CMS verified again and, following the examination carried out, it can be ruled out that the CMS management software contains data other than the common ones collected as part of the business ordinarily carried out";

- "also with reference to the data processed, the CMS management system responds to the technical-organizational requirements set out in the GDPR. The CMS used by Cluster is structured to collect, by default, only the personal data strictly necessary for completing the registration of operators belonging to the scientific medical sector and, again by default, does not allow the disclosure of the data collected to subjects other than Age.Na.S.”;

- "the data contained in the CMS can only be consulted by internal personnel with the necessary authorizations for data processing by virtue of individual access credentials and no circulation of the data towards the outside is foreseen except within the limits of what is necessary for the provision of training credits to students";

- “Cluster reiterates (...) that the dissemination of data to third parties brought to the attention of the Dear Guarantor did not occur as a consequence of a deficiency or violation of the access systems to its company management and that, equally, the disputed violation did not occur as a result of system errors, unauthorized access or the use of insufficient security measures";

- “Cluster believes that the removal from its management system of the contents accessible through the link mentioned in the introduction together with the verification carried out regarding the exclusion of further possible forms of data circulation will exhaust the spectrum of possible activities to be implemented to remedy to the alleged violation";

- “Cluster has in fact acknowledged that:

- one's negligent behavior must be contextualized and considered in the context of the negligent conduct certainly carried out by the other subjects involved in this proceeding as well as by the participants in the ECM course (and who are unrelated to this proceeding) who have actually disseminated the contents on the web ;

- the negligent conduct that may be attributable to Cluster is in any case attributable to the mere sending of a URL by e-mail to 26 participants bound by the duty of confidentiality and professional secrecy. and, in any case, results from a single processing (“the same or linked processing operations”) of data; the purpose underlying the processing of the data that concerns us was unique, i.e. to facilitate the dissemination of the same among the participants in the ECM course;

- the data processing requested from Cluster is necessary in order to fulfill a function of public interest which is regulated in agreements of public importance;

- the scope of data processing is limited, at most, to a national level;

- one's behavior is not characterized by malice or intentionality;

- has promptly removed the link from its management system thus adopting, as quickly as possible, the appropriate measures to remedy the violation";

- “with respect to the various thresholds indicated by the art. 83 GDPR and Guidelines 04/2022 Cluster acknowledges that the company turnover achieved in the last 10 years of activity has always been less than 2,000,000 euros and, also given the size of the company which currently has only 1 employee, believes that the requirements may exist to be able to proceed with a reduction of 0.2% compared to the initial amount due to the low level of severity of the violation as resulting from consideration of all the elements indicated";

- "where the Honorable Guarantor (...) does not deem it necessary to conclude the procedure initiated by archiving the position, Cluster requests that the statute of limitations for the contested administrative offense be declared since the five-year deadline set by the art. 28 paragraph 1 of the law. 689/1981. In this regard, Cluster has specified that the only negligent conduct attributable to it consists in sending the URL containing the teaching material by e-mail to the 26 students who signed up for XX and which cannot in any way be ascribed to Cluster the subsequent dissemination of said educational material on the web";

- "it must therefore be considered that the conduct attributable to Cluster took place when the URL was sent by e-mail once the training event of 21-23 June XX was concluded with the consequence that the five-year term, established at penalty of forfeiture from the art. 28, paragraph 1 of Law 689/1981, for the contestation of any administrative offense it must be considered to have expired on a date certainly prior to the start of the proceedings and in any case on a date prior to the completion of any act having an interruptive effect".

The Company has, therefore, requested that the proceedings in question be dismissed.

The hearing requested by the Company took place on XX. In this circumstance it was specified that:

- “the relationship between society and scientific managers is not equal (…); this led the company to accept the Doctor's request to communicate to the students the URL from which it was possible to download the educational material in question";

- "the simple upload to the CMS system would not have produced any diffusion or propagation if the URL had not been sent via email and subsequently shared by one or more of the 26 recipients of the email";

- "the company had a legitimate expectation of confidentiality towards the recipients of the email, considering that they were doctors subject to professional secrecy";

- "the company has not reported any type of advantage since what happened";

- "we understand the emotional tension of Mrs. XX who decided to start this proceeding".

3. Outcome of the preliminary investigation

Having taken note of what is represented by the Company in the documentation on file, in the defence briefs and during the hearing, it is noted that:

1. personal data means "any information relating to an identified or identifiable natural person ("interested party"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characteristic of his physical identity, physiological, genetic, psychological, economic, cultural or social" (art. 4, par. 1, point n. 1 of the Regulation) and, by anonymous data we mean "(...) information that does not refer to a natural person identified or identifiable or to personal data made sufficiently anonymous to prevent or no longer allow the identification of the interested party" (see Recital no. 26 of the Regulation and WP29 Opinion 05/2014 on Anonymization techniques, adopted on 10 April 2014);

2. anonymisation cannot be considered achieved through the mere removal of the data subject's identifying details or their replacement with a pseudonymous code. Data are anonymised only if they do not allow, in any way, the direct or indirect identification of a person, taking into account all the means (economic resources, information, technological resources, skills, time) available to whoever (the controller or another person) might try to use them to identify a data subject. The risk of re-identification of the data subject must be carefully assessed taking into account "all the means reasonably likely to be used, [...], either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments" (see again Recital 26 of the Regulation and WP29 Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014);

3. the protections provided for by the regulations on the protection of personal data continue to apply to personal data concerning deceased persons (as highlighted by the Guarantor in the provisions of 10 January 2019, n. 2, web doc. n. 9084520 and 29 April 2021, no. 173, web doc. no. 9672313);

4. personal data must be "processed in a manner that guarantees adequate security (...) including protection, through appropriate technical and organizational measures, from unauthorized or illicit processing or from accidental loss, destruction or damage («integrity and confidentiality»)” (art. 5, par. 1, letter f) of the Regulation);

5. regarding the security of processing, art. 32 of the Regulation establishes that "taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate: the pseudonymisation and encryption of personal data [...]" (par. 1) and that "in assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (par. 2);

6. the Guarantor, in approving the Code of Conduct of the Veneto Region for the use of health data for educational purposes and scientific publication (web doc. no. 9535402, https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9535402), which identifies specific guarantees and measures to protect patients, stated that: "the use of personal data for educational purposes and scientific publication by health professionals who operate within the organizational structure of the data controller can only take place after adopting specific anonymisation and pseudonymisation measures" (…); "if it is not possible to proceed with the anonymisation of the data, the controller must acquire specific consent from the data subject, after which the data will in any case be subjected to pseudonymisation (art. 5 of the Code)" (provision of 14 January 2021, no. 7, web doc. no. 9535354).

4. Conclusions

In light of the assessments set out above, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), it is noted that the elements provided by the Company in the defense briefs referred to above and during the hearing are not such as to allow the request for dismissal to be granted, since they do not fully overcome the findings notified by the Office in the aforementioned document initiating the proceedings.

In particular, without prejudice to the assessment regarding the failure to adopt specific anonymisation measures for the data processed by the doctor who drew up the documentation and subsequently used it for educational purposes, it is noted that, even if the conduct consisting in the sending of the URL by e-mail to the doctors attending the course ended at the time of the training event of 21-23 June XX, with the consequent start of the five-year limitation period established by art. 28, paragraph 1, of law no. 689/1981, according to which "the right to collect the sums due for the violations indicated by this law expires within five years from the day on which the violation was committed", the conduct concerning the security-of-processing obligations cannot likewise be considered concluded, since it persisted until the moment the violation came to light. As mentioned above, in fact, the obligation on the data controller to implement adequate technical and organisational measures to guarantee a level of security appropriate to the risk, which includes the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems as well as a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing (art. 32, par. 1, letters b) and d) of the Regulation), existed until the moment in which the violation was ascertained, and the violation persisted over time until the start of the investigation by the Authority.

For these reasons, the unlawfulness of the processing of personal data carried out by the Company is noted, in the terms set out in the reasoning, for having failed to adopt adequate measures to ensure confidentiality on an ongoing basis and to regularly verify and evaluate the effectiveness of the technical and organisational measures, for example by adopting an IT authentication procedure for access to the documentation described, which contained personal data and for which no assessment had been carried out regarding the adequacy of the anonymisation measures adopted.
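An added illustration of the distinction the Guarantor draws here, written for this page and not taken from the decision or from the Company's actual CMS: a document reachable by anyone holding its URL (a bearer link, which grants access to whoever it is forwarded to) beside one served only after an IT authentication procedure confirms a live session for a participant enrolled in the course, together with an access log and a routine check for material still reachable without login. The course id, participant addresses, document ids and content are all constructed.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample data (not the Company's real CMS or participants): one
# course with 26 enrolled doctors, mirroring the situation in the decision.
COURSE_ID = "course-XX"
ENROLLMENTS = {COURSE_ID: {f"doctor{i:02d}@example.org" for i in range(1, 27)}}


@dataclass
class Document:
    doc_id: str
    course_id: str
    content: bytes
    # False reproduces the weak configuration: the URL alone grants access,
    # so anyone the link is forwarded to can download the file.
    requires_auth: bool = True


class DocumentServer:
    """Minimal stand-in for a congress management system serving course material."""

    def __init__(self, documents, enrollments, clock=time.time):
        self.documents = {d.doc_id: d for d in documents}
        self.enrollments = enrollments
        self.clock = clock            # injectable so expiry can be tested offline
        self.sessions = {}            # session token -> (email, expiry timestamp)
        self.log = []                 # (timestamp, doc_id, principal, outcome)

    def login(self, email, ttl_seconds=3600):
        """Issue a short-lived session token after (assumed) successful authentication."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (email, self.clock() + ttl_seconds)
        return token

    def _principal(self, token):
        """Return the authenticated e-mail for a live session, else None."""
        entry = self.sessions.get(token) if token else None
        if entry is None:
            return None
        email, expiry = entry
        if self.clock() > expiry:
            del self.sessions[token]  # expired sessions are dropped, not honoured
            return None
        return email

    def _record(self, doc_id, principal, outcome):
        self.log.append((self.clock(), doc_id, principal, outcome))

    def fetch(self, doc_id, token=None):
        """Serve a document; authentication and course enrollment are enforced
        unless the document was published in the weak, link-only mode."""
        doc = self.documents.get(doc_id)
        if doc is None:
            self._record(doc_id, "anonymous", "not-found")
            raise KeyError(doc_id)
        if not doc.requires_auth:
            self._record(doc_id, "anonymous", "served-without-auth")
            return doc.content
        email = self._principal(token)
        if email is None:
            self._record(doc_id, "anonymous", "denied-no-session")
            raise PermissionError("authentication required")
        if email not in self.enrollments.get(doc.course_id, set()):
            self._record(doc_id, email, "denied-not-enrolled")
            raise PermissionError("not enrolled in this course")
        self._record(doc_id, email, "served")
        return doc.content


def access_outcome(server, doc_id, token=None):
    """Helper for demonstrations: 'served' or the reason access was refused."""
    try:
        server.fetch(doc_id, token)
        return "served"
    except PermissionError as exc:
        return str(exc)


def audit_unauthenticated_documents(server):
    """The regular check art. 32(1)(d) calls for: every document that is still
    reachable without a login, so a leaked link cannot quietly remain live."""
    return sorted(d.doc_id for d in server.documents.values() if not d.requires_auth)


def build_demo_server(clock=time.time):
    """Constructed scenario: the same teaching material published both ways."""
    material = b"[constructed placeholder for course teaching material]"
    docs = [
        Document("material-link-only", COURSE_ID, material, requires_auth=False),
        Document("material-protected", COURSE_ID, material, requires_auth=True),
    ]
    return DocumentServer(docs, ENROLLMENTS, clock=clock)
```

Running `access_outcome` against the two documents shows that the link-only copy is served with no session at all, while the protected copy is refused without a valid session, for a non-enrolled user, and once the session has expired; `audit_unauthenticated_documents` lists the link-only copy as the item the periodic verification should flag.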

In this framework, considering that the Company has removed the link from its management system, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation do not currently exist.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5 and 32 of the Regulation is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5 of the Regulation.

Taking into account that the violation of articles 5 and 32 took place as a result of a single conduct, art. 83, par. 3 of the Regulation applies, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in the present case, the most serious violation concerns art. 5, par. 1, letter f), of the Regulation, subject to the administrative sanction provided for by art. 83, par. 5 of the Regulation, the total amount of the fine may be quantified up to 20,000,000 euros or, for companies, up to 4% of the total annual worldwide turnover of the previous financial year, if higher.

Considering that the Guarantor, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The amount of the aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1 of the Regulation, in light of the elements provided for in art. 83, par. 2, of the Regulation.

In light of the above and, in particular, of the duration of the violation as well as the categories of personal data involved (personal, health and judicial data), the level of severity of the violation committed by the Company is considered high (see European Data Protection Board, "Guidelines 04/2022 on the calculation of administrative fines under the GDPR" of 23 May 2023, point 60).

Considering the Company's turnover and evaluating a series of elements as a whole, including the fact that the Authority became aware of the event following a complaint by the data subject in relation to the processing of her and her son's personal data (art. 83, par. 2, letter h) of the Regulation) and that the Company has removed the link from its management software (art. 83, par. 2, letter c) of the Regulation), it is deemed appropriate to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, letter a) of the Regulation at 18,000.00 (eighteen thousand) euros for the violation of articles 5 and 32, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also considered that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should be applied, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE ABOVE BEING CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Company Cluster s.r.l., due to the violation of articles 5 and 32 of the Regulation.

ORDERS

pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, the Company Cluster s.r.l., with registered office in XX (10123), Via Carlo Alberto n. 32, Tax Code/VAT number 07530720015, to pay the sum of 18,000.00 (eighteen thousand) euros as a pecuniary administrative sanction for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ORDERS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 18,000.00 (eighteen thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.

PROVIDES FOR

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 16 November 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi



SEE Newsletter of 15 December 2023



[doc. web no. 9960948]

Provision of 16 November 2023

Register of measures
n. 527 of 16 November 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING SEEN Legislative Decree 10 August 2018, no. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46/EC";

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette. n. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation on file;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Rapporteur Prof. Pasquale Stanzione;

PREMISE

1. The request and the preliminary investigation activity

With a note dated XX, Mrs XX lodged a complaint regarding the communication to third parties and the dissemination on the web (see url: XX) of her personal data, as well as of information relating to the health of, and criminal investigations concerning, her son XX, who died in XX.

In particular, some psychiatric assessment reports drawn up by Dr. XX were visible, as documentation forming part of the "Clinical material that cannot be disseminated and transmitted to the participants of the XX with the obligation of professional secrecy". This document contained a great deal of information on XX (in one section the surname appears in clear) relating to his biography, medical history, medicines taken and the crimes for which he was under investigation, as well as on his mother (the complainant in the proceedings in question). This documentation also contains information regarding another subject, called "XX", for whom the psychiatric assessment report was published.

What was declared by the complainant was verified by the Office as part of a preliminary check, carried out and documented on file.

Following the Office's request for information, Dr. XX, author of the aforementioned report, replied (note of XX, prot. no. XX), declaring that:

- "the document from which the complaint presented by Mrs. XX originates is part of the educational material prepared by the undersigned on the occasion of the training event, organized by CLUSTER S.r.l. (Body for the organization of professional conferences in the medical-scientific field) entitled XX, held in XX from 21st to 23rd June XX, and aimed at graduates in Medicine and Surgery, Specialists or Trainees in Psychiatry";

- "as per consolidated practice in training courses for Doctors, on this occasion, the presentation of some "Clinical Cases" was foreseen, useful for commenting on and integrating the theoretical reports held by the various Speakers";

- "my activity (...) involved the presentation of clinical cases through the commentary of expert reports and consultancies, in which I participated personally during the performance of my profession as Technical Consultant for the Prosecutor's Office and the Juvenile Court of XX, and the sharing, (...), of educational material summarizing the case studies presented, on which the following wording was expressly reported: «Clinical material not disseminated and transmitted to the participants of the XX with the obligation of professional secrecy»";

- "it was, therefore, material shared for training purposes only with the course participants, who were also subject to the obligation of professional secrecy (from doctor to doctor) whose disclosure was expressly prohibited";

- "the undersigned believes that he has correctly relied on the obligation of professional secrecy incumbent on the recipients of the teaching material in question, by placing the above-mentioned wording on it";

- "I learn, however, only today, (...), that the document in question was unduly published" and "thus made available on the internet. In strongly reiterating that this is a behavior to which I am totally unrelated (..), I state that in no way can any responsibility be attributed to me nor for the publication of the teaching material - to which, in any case, I have not given any consent – nor for the possibility of finding and "downloading" it by subjects other than the participants in the ECM course to whom this material was exclusively addressed".

Also in light of the doctor's declarations, with note dated XX, prot. no. XX, Cluster s.r.l. (hereinafter "the Company"), which had organized the XX training event, was asked to provide, pursuant to art. 157 of the Code, certain information useful for the evaluation of the case. With a note dated March 1st, the Company responded to the aforementioned request for information from the Authority, declaring, among other things, that:

- “Cluster, to its regret, learned only after reading this request for clarification that, even following the successful outcome of the initiatives promoted by Dr. XX, contents and data processed during the realization of the XX event, which it believed it had treated with the appropriate precautions and in a way absolutely compatible with the type of data, continued to be accessible on the web (through a link attributable to the same)”;

- “In short, Cluster was completely unaware that the online dissemination of personal data processed within the XX was taking place (…) and proceeded without delay to remove the contents accessible through the link from its management system (…) making sure that this initiative may have excluded any possible further diffusion";

- "due to the tasks undertaken within the event, Dr. XX therefore transmitted in digital format to Cluster the psychiatric reports drawn up by him at the conclusion of tasks carried out by him as expert witness of the Court of XX, expressly requesting Cluster that such educational material be graphically laid out and made available to participants at the end of the event so that they could consult it and acquire greater awareness of the contents covered";

- "Cluster has therefore uploaded the documentation received onto its management system (CMS - Congress Management System ...) in compliance with the request received, limiting the dissemination of the teaching material only to doctors-surgeons already enrolled in the course (i.e. to subjects required to confidentiality and professional secrecy)”;

- "the documentation in question was formed and in any case prepared by Dr. XX (...) in execution of the tasks assigned to him by the Court of XX and Cluster merely received this documentation in order to carry out the event. It is useful here to underline that these reports, like all the teaching material usually treated on the occasion of medical-scientific events, "belong" to the person who draws them up and forms them and the related intellectual work is protected by art. 1 of Law no. 633/1941 (…)";

- "this means that, by applying the aforementioned discipline to the relationship between Teacher and Provider, the latter is prohibited from making any modification to the intellectual work made available by the teacher, as well as from making use of the teacher's teaching material without the teacher's prior authorization. The only margin of maneuver (if it can be defined as such) allowed to the Provider concerns "aesthetic" changes, so to speak, relating to editing or layout, essentially aimed at facilitating consultation of the teaching material during the event";

- "any violations of the provisions in force regarding the processing of personal data contained in the text of the document may be attributed to Cluster solely within the limits of incorrect control activities with respect to the documentation";

- "this does not, however, imply that Cluster should not have paid more attention in verifying that Dr. particular data. Cluster can only reiterate its regret in this regard";

- "in this case the web form for the XX event was activated and, via the website www.clustersrl.it, the 26 participants signed up. The day before the start of the course, as always, the possibility of registering new participants was inhibited and the course was obscured on www.clustersrl.it. In theory, therefore, the URL in question should no longer have been reachable. As mentioned, at the end of the course, Prof. XX and Dr. XX asked us to make the teaching material presented available to the 26 students involved. It is likely that, in order to facilitate its dissemination among these 26 subjects, this material was uploaded as an attachment on the event web form and that this URL (no longer reachable otherwise) was sent via e-mail to the 26 persons concerned in order to allow them to download the PDF containing the reports prepared by Dr. XX";

- "it seems possible to exclude without fear of contradiction that the communication of the data to third parties and their dissemination online could be the result of a poor functioning of the management system itself or of pre-planned or simply negligent conduct by the Cluster";

- "the fact (learned from the invitation to deduce) that the URL generated by the Cluster CMS has been made accessible on the web therefore and certainly follows from illicit conduct carried out by subjects who, unduly and without being in any way authorized to do so by Cluster (nor as far as we have learned from Dr. XX, owner of the intellectual work), have taken possession of data and contents that do not belong to them and have made it lawful to disclose them";

- "the online dissemination, or rather the uploading to the CMS management system, probably took place starting from the end date of the event";

- "the technical and organizational measures usually adopted by Cluster as described in the previous paragraphs are suitable to guarantee the correct processing of personal data collected by the Company, which operated in the belief of limiting the circulation of data to what was strictly necessary to carry out the event, exclusively aimed at subjects required to respect the duty of confidentiality and professional secrecy".

2. Assessments of the Office on the processing carried out and notification of the violation referred to in art. 166, paragraph 5 of the Code

In relation to the facts described, the Office, with note dated XX (prot. n. XX), notified the Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, inviting it to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).

In particular, the Office, in the aforementioned act, considered that the Company had processed personal, health and judicial data in violation of the basic principles of processing referred to in articles 5, 6, 9 and 10 of the Regulation and, by allowing access to the aforementioned web address without any IT authentication procedure, of the security obligations referred to in art. 32 of the Regulation, as well as articles 2-septies and 2-octies of the Code.

With a note dated XX, Cluster, recalling what had already been highlighted in the note of XX, sent its defense briefs, in which, in particular, it highlighted that:

- "the factual circumstances set out in note XX converge with the statements made by Dr. XX during the investigation regarding the substantial trend of the historical facts that occurred. In fact, the respective narratives confirm that the teaching material used during the XX was prepared and trained by Dr. XX on the occasion of professional assignments conferred by the Court of XX, just as it appears confirmed that Dr. on the teaching material, has sent the documentation to Cluster so that it could be made available to the participants";

- "no negligent behavior can therefore be contested against Cluster (as the mere addressee/receiver of such educational material) with reference to the processing and initial collection of the health and judicial data used by Dr. XX for the preparation of the psychiatric reports. It is equally believed that we can agree on the fact that Dr. XX was the only person required both to collect the appropriate consent from the interested parties for the data to be transmitted to third parties (including Cluster itself), and to do what is necessary to anonymize the personal data contained in his report. Consider that Cluster has never had direct relationships with the patients mentioned in the medical reports concerning us";

- "having received the teaching material, Cluster, at the request of Dr. XX, uploaded the teaching material onto the company management system (CMS) without the person in charge paying due attention and accuracy to the content of the documentation received and omitting, in particular, to verify that said material complies with the principles established by the Code regarding data protection";

- "the uploading of the material to the management system is, however, an act that has generated a mere service URL for internal use, in itself unsuitable for causing the dissemination of data (of any type) on the web. The dissemination of the data in question on the web therefore does not follow from the uploading of the data onto the internal management system but depended exclusively on further conduct carried out by one (or more) of the 26 doctors who, having received the URL via e-mail in question, have disseminated the data in violation of the professional secrecy to which they are required due to their qualification";

- "the preceding narrative therefore highlights that the dissemination on the web of personal data belonging to particular categories was made possible only as a result of a series of concurrent illicit conduct, starting from the transmission of non-anonymized teaching material by Doctor XX to Cluster itself and concluding with the material fact attributable to one or more learners who published the URL in question";

- "therefore, it does not appear incorrect to state that the only possible negligent behavior attributable to Cluster here could only be the sending of the URL by e-mail to the 26 participants, conduct which, even from a causal point of view, cannot have led to the dissemination of the URL on the web”;

- "Cluster cannot therefore be charged with or sanctioned for any violation relating to the (failure) to collect consent to the processing of the patient's data (which is a duty to which Dr. XX was required, who was also required to make the data anonymous before proceeding with transmission to the same Cluster); similarly, Cluster cannot be charged and consequently sanctioned for the dissemination of the material in question on the web which, as mentioned, is attributable to one or more of the 26 participants in the course";

- "in the case in question (...), the illegitimate conduct possibly attributable to Cluster consists in the mere sending of the URL to the 26 participants and this is the circumstance which indirectly made possible the subsequent dissemination of the data on the web by third parties. However, it must be taken into consideration that: the teaching material (...) does not belong to Cluster but to the Scientific Responsible, the sole owner of the copyright on the work, a circumstance which, in accordance with the provisions of art. 1 of Law no. 633/1941, prohibits Cluster from making any modification or manipulation of the contents received. It follows that the person who first and foremost did not adopt the appropriate precautions aimed at complying with the obligation of anonymisation of the data is to be identified as the Scientific Manager who prepared the document and sent it to Cluster, to which, at most, the culpable conduct already identified can be ascribed; the educational material in question was intended for consultation only by subjects who, due to their qualification as doctors, were expressly required to observe an obligation of confidentiality as well as required to respect professional secrecy with an express prohibition on the dissemination and circulation of any data. It follows that the dissemination of the teaching material was made possible as a result of an illicit act by a third party in which Cluster did not even physically take part; the dissemination of the data is not the result of deficiencies relating to IT security measures or a violation of security obligations as the CMS is a technological tool which, by its nature, does not propagate data (of any type) externally";

- “the conduct attributable to Cluster, even from a causal point of view, with respect to the disputed violation can be considered limited or in any case marginal. On the other hand, the conduct of Dr. XX and the students had a decisive causal impact on the causation of the disputed violations";

- “the types of data usually processed by Cluster do not include health data attributable to a specific subject, nor judicial data. The circumstance which is the subject of this proceeding is therefore completely exceptional, anomalous and completely irregular compared to the ordinary and usual entrepreneurial activity of Cluster, and occurred due to the choice of the Scientific Managers to use, as teaching material, concrete clinical cases that they had had the opportunity to get to know as a result of their freelance activity. The processing of particular categories of data is not part of Cluster's ordinary business activity; the number of interested parties involved in the violation: the reconstruction of the facts, carried out following the investigation promoted by the Distinguished Guarantor (thus confirmed both by the narrative of Dr. XX and by that of Cluster) leads to convergence on the fact that the violation contested is to be considered limited to the data of the mentioned subject only”;

- "in the absence of elements that allow us to establish with certainty the dies a quem of the disputed violation, it must therefore be considered that its duration is limited between the day on which the Distinguished Guarantor received the complaint from which this proceeding arose and the one in which the contents were actually removed from the web”;

- "the violation (has) a "non-intentional" character according to the meaning indicated by the WP253 Guidelines, which attribute to the word "unintentional" the absence of the data controller's intention to cause the violation (...); the existence of any malicious or intentional nature on the part of Cluster must therefore be excluded, Cluster having already expressed its sincere regret for the incident and being at most considered guilty of having transmitted, due to excessive trust in the participants, the material to the learners once the event had concluded”;

- “(…) Cluster was completely unaware that the online dissemination of personal data processed within the XX was taking place (albeit in an absolutely limited manner) and, after having learned with the request for information received pursuant to art. 157 of the Code that not even following the initiatives promoted by Dr. further diffusion”;

- “Cluster therefore believes that it has promptly adopted efficient and effective measures as quickly as possible with respect to the emergence of the violation”;

- "following the disputed violation, Cluster took steps to have the type of data stored on its CMS verified again and, following the examination carried out, it can be ruled out that the CMS management software contains data other than the common ones collected as part of the business ordinarily carried out";

- "also with reference to the data processed, the CMS management system responds to the technical-organizational requirements set out in the GDPR. The CMS used by Cluster is structured to collect, by default, only the personal data strictly necessary for completing the registration of operators belonging to the scientific medical sector and, again by default, does not allow the disclosure of the data collected to subjects other than Age.Na.S.”;

- "the data contained in the CMS can only be consulted by internal personnel with the necessary authorizations for data processing by virtue of individual access credentials and no circulation of the data towards the outside is foreseen except within the limits of what is necessary for the provision of training credits to students";

- “Cluster reiterates (...) that the dissemination of data to third parties brought to the attention of the Dear Guarantor did not occur as a consequence of a deficiency or violation of the access systems to its company management and that, equally, the disputed violation did not occur as a result of system errors, unauthorized access or the use of insufficient security measures";

- “Cluster believes that the removal from its management system of the contents accessible through the link mentioned in the introduction, together with the verification carried out regarding the exclusion of further possible forms of data circulation, will exhaust the spectrum of possible activities to be implemented to remedy the alleged violation";

- “Cluster has in fact acknowledged that:

- its negligent behavior must be contextualized and considered in the context of the negligent conduct certainly carried out by the other subjects involved in this proceeding as well as by the participants in the ECM course (who are unrelated to this proceeding) and who actually disseminated the contents on the web;

- the negligent conduct that may be attributable to Cluster is in any case attributable to the mere sending of a URL by e-mail to 26 participants bound by the duty of confidentiality and professional secrecy and, in any case, results from a single processing (“the same or linked processing operations”) of data; the purpose underlying the processing of the data that concerns us was unique, i.e. to facilitate the dissemination of the same among the participants in the ECM course;

- the data processing requested from Cluster is necessary in order to fulfill a function of public interest which is regulated in agreements of public importance;

- the scope of data processing is limited, at most, to a national level;

- its behavior is not characterized by malice or intentionality;

- it promptly removed the link from its management system, thus adopting, as quickly as possible, the appropriate measures to remedy the violation";

- “with respect to the various thresholds indicated by the art. 83 GDPR and Guidelines 04/2022 Cluster acknowledges that the company turnover achieved in the last 10 years of activity has always been less than 2,000,000 euros and, also given the size of the company which currently has only 1 employee, believes that the requirements may exist to be able to proceed with a reduction of 0.2% compared to the initial amount due to the low level of severity of the violation as resulting from consideration of all the elements indicated";

- "where the Honorable Guarantor (...) does not deem it necessary to conclude the procedure initiated by dismissing the case, Cluster requests that the statute of limitations for the contested administrative offense be declared, since the five-year deadline set by art. 28, paragraph 1, of Law no. 689/1981 has expired. In this regard, Cluster has specified that the only negligent conduct attributable to it consists in sending the URL containing the teaching material by e-mail to the 26 students who signed up for XX, and that the subsequent dissemination of said educational material on the web cannot in any way be ascribed to Cluster";

- "it must therefore be considered that the conduct attributable to Cluster took place when the URL was sent by e-mail once the training event of 21-23 June XX had concluded, with the consequence that the five-year term, established under penalty of forfeiture by art. 28, paragraph 1, of Law no. 689/1981 for the contestation of any administrative offense, must be considered to have expired on a date certainly prior to the start of the proceedings and in any case prior to the completion of any act having an interruptive effect".

The Company has, therefore, requested that the proceedings in question be dismissed.

The hearing requested by the Company took place on XX. On that occasion it was specified that:

- “the relationship between the company and the scientific managers is not one of equals (…); this led the company to accept the Doctor's request to communicate to the students the URL from which the educational material in question could be downloaded";

- "the simple upload to the CMS system would not have produced any diffusion or propagation if the URL had not been sent via email and subsequently shared by one or more of the 26 recipients of the email";

- "the company had a legitimate expectation of confidentiality towards the recipients of the email, considering that they were doctors subject to professional secrecy";

- "the company has not derived any advantage from what happened";

- "we understand the emotional tension of Mrs. XX who decided to start this proceeding".

3. Outcome of the preliminary investigation

Having taken note of what was represented by the Company in the documentation on file, in the defense briefs and during the hearing, it is observed that:

1. personal data means "any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (art. 4, par. 1, point 1 of the Regulation) and, by anonymous data, we mean "(...) information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable" (see Recital 26 of the Regulation and WP29 Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014);

2. anonymisation cannot be considered achieved through the mere removal of the data subject's details or their replacement with a pseudonymous code. Data are anonymised, in fact, only if they do not allow in any way the direct or indirect identification of a person, taking into account all the means (economic and information resources, technology, skills, time) available to anyone (the controller or another person) who might try to use them to identify a data subject. The risk of re-identification of the data subject must be carefully assessed taking into account "all the means, [...], which the data controller or a third party can reasonably use to identify said natural person directly or indirectly. To ascertain the reasonable probability of using the means to identify the natural person, consideration should be given to all objective factors, including the costs and time required for identification, taking into account both the technologies available at the time of the processing and technological developments” (see again Recital 26 of the Regulation and WP29 Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014);

3. the protections provided for by the regulations on the protection of personal data continue to apply to personal data concerning deceased persons (as highlighted by the Guarantor in the provisions of 10 January 2019, n. 2, web doc. n. 9084520 and 29 April 2021, no. 173, web doc. no. 9672313);

4. personal data must be "processed in a manner that guarantees adequate security (...) including protection, through appropriate technical and organizational measures, from unauthorized or illicit processing or from accidental loss, destruction or damage («integrity and confidentiality»)” (art. 5, par. 1, letter f) of the Regulation);

5. regarding the security of processing, art. 32 of the Regulation establishes that "taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which include, among others, where appropriate: pseudonymisation and encryption of personal data […]” (par. 1) and that “in assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (par. 2);

6. the Guarantor, in approving the Code of Conduct of the Veneto Region for the use of health data for educational purposes and scientific publication (web doc. no. 9535402, https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9535402), which identifies specific guarantees and measures to protect patients, stated that: "the use of personal data for educational purposes and scientific publication by health professionals who operate within the organizational structure of the data controller can only take place after adopting specific anonymisation and pseudonymisation measures” (…); “if it is not possible to proceed with the anonymisation of the data, the controller must acquire specific consent from the data subject, after which the data will in any case be subjected to pseudonymisation (art. 5 of the Code)” (provision of 14 January 2021, no. 7, web doc. no. 9535354).
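Point 2 above holds that deleting a name, or swapping it for a code, is not anonymisation until the risk of re-identification by any reasonably available means has actually been assessed. The Python script below is an added example and is not part of the decision or of any party's material: it runs the "singling out" check on a constructed dataset in which surnames have been replaced by pseudonymous codes, shows that the attributes left behind still isolate most records, and then shows how coarsening those attributes changes the result. Every record, field name, code value and generalisation grouping is an assumption constructed for the example.

```python
"""Pseudonymisation is not anonymisation: a singling-out risk check.

Added example, not part of the Garante's decision. Names have been
replaced by opaque codes, but birth year, town and diagnosis are left
as-is, so a third party who knows those facts about one person can still
pick out that person's record. All data below are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, str]

# Constructed sample case file after "pseudonymisation" by code substitution.
PSEUDONYMISED: List[Record] = [
    {"code": "P-001", "birth_year": "2004", "town": "Alba",  "diagnosis": "F41.1"},
    {"code": "P-002", "birth_year": "1998", "town": "Alba",  "diagnosis": "F32.0"},
    {"code": "P-003", "birth_year": "2004", "town": "Cuneo", "diagnosis": "F41.1"},
    {"code": "P-004", "birth_year": "1998", "town": "Alba",  "diagnosis": "F32.0"},
    {"code": "P-005", "birth_year": "2003", "town": "Cuneo", "diagnosis": "F41.1"},
]

# Attributes a third party could plausibly know about a person (assumed set).
QUASI_IDENTIFIERS: Tuple[str, ...] = ("birth_year", "town", "diagnosis")


def qi_key(rec: Record, qis: Iterable[str]) -> Tuple[str, ...]:
    """The tuple of quasi-identifier values a record exposes."""
    return tuple(rec[q] for q in qis)


def k_anonymity(records: List[Record], qis: Iterable[str] = QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group of records sharing the same quasi-identifiers.

    k == 1 means at least one person can be singled out (the first of the
    three WP29 Opinion 05/2014 risk criteria), whatever the pseudonym says.
    """
    qis = tuple(qis)
    return min(Counter(qi_key(r, qis) for r in records).values())


def singled_out(records: List[Record], qis: Iterable[str] = QUASI_IDENTIFIERS) -> List[str]:
    """Codes of records that are unique on the quasi-identifiers."""
    qis = tuple(qis)
    counts = Counter(qi_key(r, qis) for r in records)
    return [r["code"] for r in records if counts[qi_key(r, qis)] == 1]


def generalise(records: List[Record]) -> List[Record]:
    """One mitigation: coarsen quasi-identifiers before release.

    Birth year becomes a decade and the town is suppressed. Generalisation
    and suppression are techniques listed in WP29 Opinion 05/2014; the
    specific groupings are an assumption for this example.
    """
    out: List[Record] = []
    for r in records:
        out.append({
            "code": r["code"],
            "birth_year": r["birth_year"][:3] + "0s",
            "town": "*",
            "diagnosis": r["diagnosis"],
        })
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(PSEUDONYMISED), "singled out:", singled_out(PSEUDONYMISED))
    coarse = generalise(PSEUDONYMISED)
    print("k after: ", k_anonymity(coarse), "singled out:", singled_out(coarse))
```

With the constructed data the substituted codes change nothing: three of the five records are unique on birth year, town and diagnosis, so k is 1. Generalising raises k to 2, which removes singling out but is still only one of the three criteria in the WP29 opinion (linkability and inference remain to be assessed), which is exactly why the decision requires the re-identification risk to be evaluated against all reasonably available means rather than assumed from the absence of a name.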

4. Conclusions

In light of the assessments set out above, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), it is noted that the elements provided by the Company in the defense briefs referred to above and during the hearing are not suitable to support the request for dismissal, as they do not allow the findings notified by the Office in the aforementioned document initiating the proceedings to be fully overcome.

In particular, without prejudice to the assessment regarding the failure to adopt specific anonymisation measures for the data processed by the doctor who drew up the documentation and subsequently used it for educational purposes, it is noted that, even if the conduct consisting in sending the URL by e-mail to the doctors participating in the course ended at the time of the training event of 21-23 June XX, so that the five-year deadline established by art. 28, paragraph 1, of Law no. 689/1981 (according to which "the right to collect the sums due for the violations indicated by this law expires within five years from the day on which the violation was committed") ran from that date, the same cannot be said of the conduct concerning the obligations regarding the security of processing, which persisted until the moment the violation became apparent. As mentioned above, in fact, the obligation on the data controller to implement adequate technical and organizational measures to guarantee a level of security appropriate to the risk, which includes the ability to ensure the confidentiality, integrity, availability and resilience of the systems as well as a procedure to regularly test, verify and evaluate the effectiveness of the technical and organizational measures in order to guarantee the security of the processing (art. 32, par. 1, letters b) and d) of the Regulation), existed until the moment in which the violation was ascertained, and the violation persisted over time until the start of the investigation by the Authority.

For these reasons, the unlawfulness of the processing of personal data carried out by the Company is noted, in the terms set out in the reasoning, for having failed to provide adequate measures to ensure confidentiality on a permanent basis and to regularly verify and evaluate the effectiveness of the technical and organizational measures, without adopting, for example, an IT authentication procedure for access to the documentation described, which contained personal data and in respect of which no assessment had been carried out regarding the adequacy of the anonymisation measures adopted.

In this framework, considering that the Company has removed the link from its management system, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation do not currently exist.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5 and 32 of the Regulation is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5, of the Regulation.

Taking into account that the violation of articles 5 and 32 took place as a result of a single conduct, art. 83, par. 3, of the Regulation applies, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in the present case, the most serious violation concerns art. 5, par. 1, letter f), of the Regulation, subject to the administrative sanction provided for by art. 83, par. 5, of the Regulation, the total amount of the fine is to be quantified up to 20,000,000 euros or, for companies, up to 4% of the total annual worldwide turnover of the previous financial year, if higher.

Considering that the Guarantor, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The amount of the aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, in light of the elements provided for in art. 83, par. 2, of the Regulation.

In light of the above and, in particular, the duration of the violation as well as the categories of personal data involved (personal, health and judicial data), it is believed that the level of severity of the violation committed by the Company is high (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Considering the Company's turnover and evaluating a series of elements as a whole, including that the Authority became aware of the event following a complaint by the data subject in relation to the processing of her and her son's personal data (art. 83, par. 2, letter h) of the Regulation) and that the Company has removed the link from its management software (art. 83, par. 2, letter c) of the Regulation), it is deemed appropriate to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, letter a), of the Regulation in the amount of 18,000.00 (eighteen thousand) euros for the violation of articles 5 and 32, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should be applied, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THIS CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Company Cluster s.r.l., due to the violation of articles 5 and 32 of the Regulation.

ORDERS

pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, the Company Cluster s.r.l., with registered office in XX (10123), Via Carlo Alberto n. 32, Tax Code/VAT number 07530720015, to pay the sum of 18,000.00 (eighteen thousand) euros as a pecuniary administrative sanction for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 18,000.00 (eighteen thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.

DIRECTS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website, and believes that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 16 November 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE DEPUTY SECRETARY GENERAL
Filippi
1. Article 2-terdecies(1) of the Italian Privacy Code allows individuals (including relatives) to exercise the data subject rights of a deceased person under Articles 15-22 GDPR under certain conditions. In the GPDP's interpretation, this implies that the entire GDPR applies to the personal data of the deceased. This interpretation finds precedents in the GPDP's case law: see GPDP - 9084520 and GPDP - 9672313.
2. See Art. 28(1) of Law no. 689/1981.