Garante per la protezione dei dati personali (Italy) - 9987578
| Garante per la protezione dei dati personali - 9987578 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(a) GDPR; Article 6(1)(c) GDPR; Article 6(1)(e) GDPR; Article 2-ter(1) and (3) Privacy Code |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 24.01.2024 |
| Published: | |
| Fine: | 2000 EUR |
| Parties: | Istituto Comprensivo Statale “F.S. Cabrini” |
| National Case Number/Name: | 9987578 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | Garante per la Protezione dei dati personali (in IT) |
| Initial Contributor: | Martina Levi |
The Italian DPA received a complaint from Ms. XX against the Istituto Comprensivo Statale “F.S. Cabrini” regarding the publication on the institutional website of some determinations. The Italian DPA fined the Istituto €2,000.
English Summary
Facts
The Italian DPA received a complaint from Ms. XX, a teacher in service at the Istituto Comprensivo Statale “F.S. Cabrini” (hereinafter, ‘Institute’), regarding the publication, on the institutional website of the aforementioned Institute, of dozens of managerial determinations (approximately thirty-seven) concerning organizational aspects related to the continuity of teaching activities and the management of the employment relationship with the data subject, with particular reference to the days of absence from duty taken by the complainant and other school personnel and the need to provide for their replacement during the 2021/2022 school year.
Holding
The Italian DPA found that the Institute violated the provisions of Regulation (EU) 2016/679 (GDPR) and the Personal Data Protection Code (Legislative Decree 196/2003). The Institute did not comply with the principles of lawfulness, fairness, transparency and minimization provided for in Articles 5 and 6 of the GDPR and Article 2-ter of the Italian Privacy Code. Although the published information did not include sensitive data such as the reason for absence, the disclosure of such personal data was nonetheless unlawful because it was not provided for in current regulations. The Italian DPA declared the unlawfulness of the processing; the provisions violated were the following: (i) Article 5(1)(a) GDPR (principles of lawfulness, fairness and transparency); (ii) Article 6(1)(c) and (e) GDPR (legal basis of processing); (iii) Article 2-ter, paragraphs 1 and 3 of the Code (applicable national rules). As an administrative fine, the Institute was ordered to pay 2,000 euros for the violations committed.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. n. 9987578]

Provision of 24 January 2024

Register of provisions n. 35 of 24 January 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

In today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. Introduction.

The Authority has received a complaint from Ms. XX, a teacher in service at the State Comprehensive Institute “F.S. Cabrini” (hereinafter, “Institute”), regarding the publication, on the institutional website of the aforementioned Institute, of dozens of management decisions (about thirty-seven) regarding organizational aspects linked to the continuity of teaching activities and the management of the employment relationship with the interested party, with particular reference to the days of absence from service carried out by the complainant and other school staff and the need to provide for their replacement during the 2021/2022 school year.

2. The investigation activity.

In response to a request for information formulated by the Authority, the Institute, with a note of XX (protocol no. XX of XX), through its school principal, represented, in particular, that:

- the Institute “proceeds in some cases to the replacement of teaching staff through the assignment of short-term substitutes starting from the first day of absence. Such assignments must be assessed on a case-by-case basis, taking into account the weekly timetables of absent staff, the obligation to guarantee minors the right to education and continuity of training, the need to guarantee the safety and security of students and the indispensable assistance to students with special educational needs; replacements are assigned by scrolling through the first/second/third band school rankings (also using declarations of availability)”;
- “Each assignment defines the start, through an appropriate management decision, of an administrative procedure that the undersigned is required to formalize pursuant to Law 241/90 and whose final act must make use of publication on the online noticeboard for the purposes of the legal effectiveness of the procedure itself, pursuant to the aforementioned legislation (the so-called “integrative phase of the effectiveness of the administrative procedure”). Such decisions must be appropriately motivated and are precisely those cited by you in the complaint in question”;
- “The publication of the determinations must be carried out online pursuant to the provisions of art. 32, paragraph 1 of Law no. 69 of 18 June 2009, which established that “as of 1 January 2010, the obligations to publish administrative acts and provisions having the effect of legal publicity are deemed to be fulfilled with the publication on their own websites by the administrations and public bodies required””;
- “in compliance with the principle of accountability pursuant to art. 5, paragraph 2 of European Regulation 679/2016 […] the minimum data necessary to be reported in the determinations that are the subject of the complaint have been assessed, which [the Institute itself] is required to publish in the online register (and not in Transparent Administration or in other spaces of the site) pursuant to the aforementioned provisions”;
- “Following this analysis [the Institute] deemed it appropriate to omit any data that was excessive and not pertinent to the purposes of publication, in particular by excluding from the documents the reasons for absence and other information from which it is possible to deduce categories of particular data of the interested party (e.g. union permits or health data); this also in full compliance with the provision of the Guarantor no. 290 of 1 September 2022, web doc. 9811361”;
- “All the documents cited by you are no longer being published”.

With note of XX (ref. no. XX of XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the investigative activity, notified the Institute, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, for having implemented a dissemination of personal data of the complainant and other personnel of the Institute, concerning the need to provide for the relevant substitutions and replacements during absences on certain days of the school year, in a manner that does not comply with the principle of lawfulness, correctness and transparency in data protection matters and in the absence of a suitable basis for lawfulness, in violation of art. 5, paragraph 1, letter a), 6, paragraph 1, letter c) and e), of the Regulation and art. 2-ter, paragraphs 1 and 3 of the Code. With the same note, the Institute was invited to produce written defenses or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law 24 November 1981, no. 689).

With note of XX (prot. no. XX of XX), the Institute, which did not ask to be heard, sent its defense brief, declaring, in particular, that:

- “The 37 decisions that are the subject of the complaint, published for the purposes of legal publicity in line with the provisions of art. 32, paragraph 1 of Law no. 69 of 18 June 2009, involved no. 4 interested parties. Each determination included, due to a mere material error attributable to a communication defect between the Management Office and the administrative assistants in charge of the publication, the following personal data of the interested parties: name, surname and date(s) of absence. No other personal data were included, much less any indications regarding the reasons for the absence. The 37 publications were carried out from XX to XX. All of the aforementioned publications were promptly removed following the complaint received by your esteemed Authority, pursuant to note prot. XX, and precisely on XX”;
- “With regard to the gradation of the volitional element, it is believed that there was no awareness of the contested violations, since the error occurs between the dispositive moment of the publication and the publication itself, due, in particular, to incomplete communication with the Secretariat Office. In fact, the limit of the content to be published was not promptly recalled, trusting in the repetitiveness of the operations and in the content of the basic indications”;
- “The publication of documents takes place using an integrated IT platform whose operational areas are divided into “protocol”, “teaching”, “personnel”, “accounting/budget”, “online register” and “transparent administration”. Access to each operational area is reserved only for personnel belonging to the relevant office, thanks to the use of personal credentials corresponding to the different roles. This allows for the creation of a computerized flow starting from the production of each document, up to its publication without the need to create paper copies and above all eliminating the possibility that a document is processed by a secretarial office other than the one that has the competence for it”;
- “The internal procedure envisaged for data protection provides for direct communication between the manager and the Secretarial Office in the person of the administrative assistant for the specific publication. The complexity of the daily management of the school institution with regard to covering the absences of teaching staff and the scarcity of administrative staff […] did not allow for the punctual control of communications and subsequent publication, considering that the time frame of the publication in question falls in the most delicate period of school activities, a period characterized - on the one hand - by periodic obligations such as the closure of the first four-month period and final pre-scrutiny work - on the other - by a marked commitment to the daily organization of the school service due to staff absence rates of 10% (average value) with maximum levels of 15% due to the pandemic situation. Furthermore, the obligations relating to the transparent administration/online register area were strongly influenced by school management during the Covid-19 period, which influenced the effectiveness of the aforementioned direct communication between the manager and the Secretariat Office in the person of the administrative assistant for the specific publication, in an institution that found itself facing the pandemic situation after the alternation of titular managers and acting managers: all this, also aggravated by the rotation of directors [...] who represent the only point of contact between the manager and ATA staff”;
- “The secretarial staff participated in a first training course on privacy in XX, organized by the DPO in charge. On the occasion of the changeover to a different DPO, the same staff, as well as the Manager, participated in the first two meetings of a further course on privacy, on XX and XX, and intend to participate in the further two meetings planned but still to be scheduled. In addition to the necessary training course also undertaken with respect to the secretarial staff, the latter were given the necessary instructions for data processing, as required by law and in accordance with the three-year PTPCT plan drawn up by the USR Lombardia. Each staff unit has read these instructions and the related authorization act for data processing, regularly producing the receipt of acknowledgement”;
- the Institute has in any case adopted “a conduct aimed at maximum cooperation with the Guarantor to remedy the violation and mitigate its possible negative effects. In this perspective, immediately following the first request for information received from your esteemed Authority, [the Institute] has deemed, for the sake of maximum caution, to: a) remove the publications that are the subject of the complaint (removal carried out on XX); b) modify the format for the resolutions to be published for the replacement of absent staff, in order to avoid any reference to the name and days of absence (modification made starting from XX) […]. Furthermore, the instructions given to ATA staff, described in letter (d), will be integrated in such a way as to provide that timely communication will be given of the data that can be published according to the individual type of provision”.

With the same note, the Institute has filed a copy of the aforementioned format, in use starting from XX, for the documents to be published in the context of the initiation of procedures for the replacement of staff pursuant to the sector regulations.

3. Outcome of the preliminary investigation.

3.1. The legislation on the protection of personal data.

In accordance with the personal data protection provisions contained in the Regulation and the Code, public bodies, including in the context of employment, may process the personal data of data subjects, including those relating to particular categories, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks provided for by law or by the law of the Union or of the Member States (Articles 6, paragraph 1, letter c), 9, paragraph 2, letter b), and 4 and 88 of the Regulation). Processing is also lawful when it is “necessary for the performance of a task carried out in the public interest or in connection with the exercise of official authority vested in the controller” (Article 6, paragraphs 1, letter c) and e), 2 and 3, and Article 9, paragraph 2, letter g), of the Regulation; Articles 2-ter and 2-sexies of the Code, in the text prior to the amendments made by Legislative Decree 8 October 2021, no. 139).

European legislation provides that “Member States may maintain or introduce more specific provisions to adapt the application of the rules of […] Regulation with regard to processing, in accordance with paragraph 1, letters c) and e), by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing […]” (Article 6, paragraph 2, of the Regulation). In this regard, it should be noted that the dissemination of personal data (such as publication on the Internet), by public bodies, is permitted only when provided for by a law or, in the cases provided for by law, by regulation (see Article 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the amendments made by Legislative Decree 8 October 2021, no. 139).

The data controller is then, in any case, required to comply with the principles of data protection, including that of “lawfulness, fairness and transparency” as well as “minimization”, according to which personal data must be “processed lawfully, fairly and transparently in relation to the data subject” and must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (art. 5, par. 1, letters a) and c) of the Regulation).

3.2. Online dissemination of personal data.

From the elements acquired and the facts that emerged during the investigation and subsequent assessments in relation to the matter that is the subject of the complaint, it appears that the Institute has published on the institutional website approximately thirty-seven management decisions containing information relating to the replacement and days of absence from service carried out, during the 2021/2022 school year, by the complainant and other school staff. The incident originated in the context of the use of the integrated IT platform (functional to a plurality of “operational areas, such as “protocol”, “teaching”, “personnel”, “accounting/budget”, “online register” and “transparent administration” [… each of which] is reserved only for personnel belonging to the relevant office”; see note of XX). In the context of the investigation, the Institute confirmed that this publication continued until XX, the date on which the Institute, actively cooperating with the Authority and in order to remedy the violation committed, proceeded to remove the documents published online.

In this regard, it should be noted that, as clarified by the Guarantor with the “Guidelines on the processing of personal data, including those contained in administrative deeds and documents, carried out for advertising and transparency purposes on the web by public bodies and other obligated bodies” of 15 May 2014 (web doc. 3134436) as well as on the occasion of decisions on individual cases, the publication of personal data on the institutional website, in the absence of a suitable regulatory basis, determines an illicit dissemination of data (see articles 5, 6 and 9 of the Regulation and 2-ter and 2-sexies of the Code). This has been reiterated, in particular, in numerous decisions of the Guarantor also with reference to the online publication of acts or documents containing personal data relating to the days and reasons for absence from service, precisely by educational institutions (see, in particular, Provision of 1 September 2022, no. 290, web doc. no. 9811361 and previous provisions referred to therein).

Considering that the Institute has not provided indications relating to the existence of a specific regulation establishing the publication of decisions concerning the use of short-term and occasional substitutes for the replacement of absent staff and that the generic reference to the transparency obligations referred to in art. 32, paragraph 1, of Law no. 69 of 18 June 2009 (which, however, does not require the publication of acts containing information regarding the absence from service of staff) cannot be considered sufficient to justify the conduct held in this case, the following is represented.

As traditionally reiterated by the Guarantor in relation to cases similar to the one under examination, even the presence of a regime of publicity of acts and documents cannot entail any automaticity with respect to the online dissemination of personal data and information contained therein, nor a derogation from the principles regarding the protection of personal data (see, among many, most recently, provision 14 September 2023, no. 398, web doc. no. 9940457 and provisions referred to therein). In numerous decisions, in fact, the Guarantor has reiterated that all the limits set by the principles of data protection with regard to lawfulness and data minimization also apply to publications in the online public notice board (see part II, par. 3.a. of the “Guidelines on the processing of personal data, including those contained in administrative acts and documents, carried out for advertising and transparency purposes on the web by public bodies and other obliged entities”, cit.). This is also confirmed by the personal data protection system contained in the Regulation, in light of which it is provided that the data controller must implement “appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed” and must be “able to demonstrate” - in light of the “accountability” principle - that it has done so (Articles 5, paragraph 2; 24 and 25, paragraph 2, Regulation).

Therefore, no personal data of the complainant or other personnel should have been reported in the published resolution, using, if necessary, the “omissis” technique or other data anonymization measures (see, precisely with regard to a similar case in the school context, provision 1 September 2022, no. 290, web doc. 9811361 and previous provisions referred to therein).

In light of the above considerations, although what occurred appears to have occurred by mere error and in the presence of numerous organizational difficulties in the emergency period due to the Covid-19 epidemic, it must be concluded that the online publication on the institutional website of information relating to the absence from service of the complainant and other employees has given rise to a dissemination of personal data in the absence of a suitable basis for lawfulness, in violation of Articles 5 and 6 of the Regulation and 2-ter of the Code.

In any case, we take favorable note of the adoption, by the Institute, of organizational measures aimed at preventing similar errors, in the publication phase of determinations containing personal data, from occurring in the future, in particular through further training activities aimed at administrative staff and the adoption of updated formats to be used when publishing on the website.

4. Conclusions.

In light of the above-mentioned assessments, it is noted that the declarations made by the data controller during the investigation - the veracity of which may be held accountable pursuant to art. 168 of the Code - although worthy of consideration, do not allow the findings notified by the Office with the act initiating the procedure to be overcome and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Institute is noted, in violation of Articles 5, paragraph 1, letter a), and 6, paragraph 1, letter c) and e) of the Regulation and Article 2-ter, paragraphs 1 and 3 of the Code. Violation of the aforementioned provisions makes the administrative sanction provided for by Article 83, paragraph 5, of the Regulation applicable to the Institute, pursuant to Articles 58, paragraph 2, letter i), and 83, paragraph 3, of the Regulation itself, as also referred to in Article 166, paragraph 2, of the Code.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to arts. 58, par. 2, letter i) and 83 of the Regulation as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation. The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for in art. 83, par. 2, of the Regulation.

With specific regard to the nature and seriousness of the violation and the sensitivity of the data affected by the violation (art. 83, par. 2, letters a) and g), of the Regulation), the following is noted. In pointing out that in the workplace, data subjects are in a condition of particular “vulnerability” and that, therefore, the risks for the rights and freedoms of data subjects in this context take on particularly high coefficients of probability and severity (see recital 75 and art. 88 of the Regulation and the “Guidelines concerning the assessment of the impact on data protection and the criteria for establishing whether a processing operation is “likely to present a high risk” pursuant to Regulation 2016/679”, WP 248 of 4 April 2017, which, among the categories of vulnerable data subjects, expressly mention “employees”), it should be considered that the violation in question involved the dissemination by the Institute, in the absence of a legal basis, of personal data concerning the absences made by the complainant on certain days of the school year, even if this occurred without indicating the specific reasons or references to information attributable to particular categories of data.

As regards the duration of the violation (art. 83, par. 2, letter a), of the Regulation), it is important to highlight that it appears to have continued, for an extended period of time, until XX, the date on which the Institute has in any case proceeded to remove the documents published online to remedy the violation committed.

In light of these circumstances, it is believed that, in the case in question, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Having said this, it must be considered that, for the purposes of art. 83, par. 2, letter e), of the Regulation, there are no previous relevant violations committed by the data controller or previous measures referred to in art. 58 of the Regulation. It must also be considered that the Institute collaborated with the Authority during the investigation, promptly removing from its website the personal data contained in records and documents and adopting new procedures and organizational measures aimed at preventing similar errors, during the publication phase of the same, from occurring in the future (Article 83, paragraph 2, letter f), of the Regulation). It must also be taken into account that the violation occurred in a context, such as the school context, characterized by numerous organizational difficulties as well as by the additional problems connected to the emergency period due to the spread of the Covid-19 virus (Article 83, paragraph 2, letter k) of the Regulation).

In light of the aforementioned elements, assessed as a whole, it is believed that the amount of the pecuniary sanction should be determined in the amount of Euro 2,000 (two thousand) for the violation of Articles 5, paragraph 1, letter a), and 6, paragraph 1, letter c) and e) of the Regulation and of Article 2-ter, paragraphs 1 and 3 of the Code (in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts that are the subject of the complaint) as an administrative pecuniary sanction deemed, pursuant to art. 83, paragraph 1, of the Regulation, to be effective, proportionate and dissuasive.

It is also believed that the accessory sanction of publication of this provision on the Guarantor's website should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor's Regulation no. 1/2019. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, paragraph 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the Institute for violation of articles 5, par. 1, letter a), and 6, par. 1, letter c) and e) of the Regulation and art. 2-ter, paragraphs 1 and 3 of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts that are the subject of the complaint, within the terms set out in the reasons;

ORDERS the Istituto Comprensivo Statale “F.S. Cabrini”, in the person of its legal representative pro tempore, with registered office in Via delle Forze Armate, 65 - 20147 Milan, Tax Code 97666910159, to pay the sum of 2,000 (two thousand) euros as an administrative pecuniary sanction for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS the aforementioned Institute, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 2,000 (two thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the website of the Guarantor, considering that the conditions set out in art. 17 of the Guarantor Regulation no. 1/2019 exist.

Pursuant to arts. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 24 January 2024

THE PRESIDENT Stanzione

THE REPORTER Ghiglia

THE GENERAL SECRETARY Mattei
58, paragraph 2, of the Regulation, for having implemented a dissemination of personal data of the complainant and other personnel of the Institute, concerning the need to provide for the relevant substitutions and replacements during absences on certain days of the school year, in a manner that does not comply with the principle of lawfulness, correctness and transparency in data protection matters and in the absence of a suitable basis for lawfulness, in violation of art. 5, paragraph 1, letter a), 6, paragraph 1, letter c) and e), of the Regulation and art. 2-ter, paragraphs 1 and 3 of the Code. With the same note, the Institute was invited to produce written defenses or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law 24 November 1981, no. 689). With note of XX (prot. no. XX of XX), the Institute, which did not ask to be heard, sent its defense brief, declaring, in particular, that: - “The 37 decisions that are the subject of the complaint, published for the purposes of legal publicity in line with the provisions of art. 32, paragraph 1 of Law no. 69 of 18 June 2009, involved no. 4 interested parties. Each determination included, due to a mere material error attributable to a communication defect between the Management Office and the administrative assistants in charge of the publication, the following personal data of the interested parties: name, surname and date(s) of absence. No other personal data were included, much less any indications regarding the reasons for the absence. The 37 publications were carried out from XX to XX. All of the aforementioned publications were promptly removed following the complaint received by your esteemed Authority, pursuant to note prot. 
XX, and precisely on XX2”; - “With regard to the gradation of the volitional element, it is believed that there was no awareness of the contested violations, since the error occurs between the dispositive moment of the publication and the publication itself, due, in particular, to incomplete communication with the Secretariat Office. In fact, the limit of the content to be published was not promptly recalled, trusting in the repetitiveness of the operations and in the content of the basic indications”; - “The publication of documents takes place using an integrated IT platform whose operational areas are divided into “protocol”, “teaching”, “personnel”, “accounting/budget”, “online register” and “transparent administration”. Access to each operational area is reserved only for personnel belonging to the relevant office, thanks to the use of personal credentials corresponding to the different roles. This allows for the creation of a computerized flow starting from the production of each document, up to its publication without the need to create paper copies and above all eliminating the possibility that a document is processed by a secretarial office other than the one that has the competence for it”; - “The internal procedure envisaged for data protection provides for direct communication between the manager and the Secretarial Office in the person of the administrative assistant for the specific publication. 
The complexity of the daily management of the school institution with regard to covering the absences of teaching staff and the scarcity of administrative staff […] did not allow for the punctual control of communications and subsequent publication, considering that the time frame of the publication in question falls in the most delicate period of school activities, a period characterized - on the one hand - by periodic obligations such as the closure of the first four-month period and final pre-scrutiny work - on the other - by a marked commitment to the daily organization of the school service due to staff absence rates of 10% (average value) with maximum levels of 15% due to the pandemic situation. Furthermore, the obligations relating to the transparent administration/online register area were strongly influenced by school management during the Covid 19 period, which influenced the effectiveness of the aforementioned direct communication between the manager and the Secretariat Office in the person of the administrative assistant for the specific publication, in an institution that found itself facing the pandemic situation after the alternation of titular managers and acting managers: all this, also aggravated by the rotation of directors [...] who represent the only point of contact between the manager and ATA staff"; - "The secretarial staff participated in a first training course on privacy in XX, organized by the appointed DPO. On the occasion of the rotation of a different DPO, the same staff, as well as the Manager, participated in the first two meetings of a further course on privacy, on XX and XX and intends to participate in the further two meetings planned but still to be scheduled. In addition to the required training course also undertaken for the secretarial staff, the latter were given the necessary instructions for data processing, as required by law and in accordance with the three-year PTPCT plan drawn up by the USR Lombardia. 
Each staff unit has read these instructions and the related authorization act for data processing, regularly producing the receipt of acknowledgment"; - the Institute has in any case adopted "a conduct aimed at maximum cooperation with the Guarantor to remedy the violation and mitigate its possible negative effects. In this perspective, immediately following the first request for information received from your esteemed Authority, [the Institute] has deemed, for the sake of maximum caution, to: a) remove the publications that were the subject of the complaint (removal carried out on XX); b) modify the format for the resolutions to be published for the replacement of absent staff, in order to avoid any reference to the name and days of absence (modification carried out starting from XX)[…]. Furthermore, the instructions given to ATA staff, described in letter (d), will be integrated in such a way as to provide for the timely communication of the data that can be published according to the individual type of provision”. With the same note, the Institute has filed a copy of the aforementioned format, in use starting from XX, for the documents to be published in the context of the initiation of procedures for the replacement of staff pursuant to the sector regulations. 3. Outcome of the preliminary investigation. 3.1. The legislation on the protection of personal data. Based on the personal data protection regulations contained in the Regulation and in the Code, public bodies, including in the context of the work environment, may process the personal data of the interested parties, including those relating to particular categories, if the processing is necessary, in general, for the management of the employment relationship and to fulfill specific obligations or tasks provided for by law or by the law of the Union or of the Member States (articles 6, paragraph 1, letter c), 9, paragraph 2, letter e). b) and 4 and 88 of the Regulation). 
Furthermore, processing is lawful when it is “necessary for the performance of a task carried out in the public interest or in connection with the exercise of public authority vested in the data controller” (Article 6, paragraphs 1, letter c) and e), 2 and 3, and Article 9, paragraph 2, letter g), of the Regulation; Articles 2-ter and 2-sexies of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021). European legislation provides that “Member States may maintain or introduce more specific provisions to adapt the application of the rules of […] Regulation with regard to processing, in accordance with paragraph 1, letters c) and e), by determining more precisely specific requirements for processing and other measures to ensure lawful and fair processing […]” (Article 6, paragraph 2, of the Regulation). In this regard, it should be noted that the dissemination of personal data (such as publication on the Internet), by public bodies, is permitted only when provided for by a law or, in the cases provided for by law, by regulation (see Article 2-ter, paragraphs 1 and 3, of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021). The data controller is then, in any case, required to comply with the principles of data protection, including that of "lawfulness, fairness and transparency" as well as "minimization", according to which personal data must be "processed lawfully, fairly and transparently in relation to the data subject" and must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (art. 5, par. 1, letters a) and c) of the Regulation). 3.2. Online dissemination of personal data. 
From the elements acquired and the facts that emerged during the investigation and subsequent assessments in relation to the matter that is the subject of the complaint, it appears that the Institute has published on the institutional website approximately thirty-seven management decisions containing information relating to the replacement and days of absence from service carried out, during the 2021/2022 school year, by the complainant and other school staff. The incident originated in the context of the use of the integrated IT platform (functional to a plurality of “operational areas, such as “protocol”, “teaching”, “personnel”, “accounting/budget”, “online register” and “transparent administration” [… each of which] is reserved only for personnel belonging to the relevant office”; see note of XX). In the context of the investigation, the Institute confirmed that this publication continued until XX, the date on which the Institute, actively cooperating with the Authority and in order to remedy the violation committed, proceeded to remove the documents published online. In this regard, it should be noted that, as clarified by the Guarantor with the "Guidelines on the processing of personal data, including those contained in administrative deeds and documents, carried out for advertising and transparency purposes on the web by public bodies and other obligated bodies" of 15 May 2014 (web doc. 3134436) as well as on the occasion of decisions on individual cases, the publication of personal data on the institutional website, in the absence of a suitable regulatory basis, determines an illicit dissemination of data (see articles 5, 6 and 9 of the Regulation and 2-ter and 2-sexies of the Code). 
This has been reiterated, in particular, in numerous decisions of the Guarantor also with reference to the online publication of acts or documents containing personal data relating to the days and reasons for absence from service, precisely by educational institutions (see, in particular, Provision of 1 September 2022, no. 290, web doc. no. 9811361 and previous provisions referred to therein). Considering that the Institute has not provided indications relating to the existence of a specific regulation establishing the publication of decisions concerning the use of short-term and occasional substitutes for the replacement of absent staff and that the generic reference to the transparency obligations referred to in art. 32, paragraph 1, of Law no. 69 of 18 June 2009 (which, however, does not require the publication of acts containing information regarding the absence from service of staff) cannot be considered sufficient to justify the conduct held in this case, the following is represented. As traditionally reiterated by the Guarantor in relation to cases similar to the one under examination, even the presence of a regime of publicity of acts and documents cannot entail any automaticity with respect to the online dissemination of personal data and information contained therein, nor a derogation from the principles regarding the protection of personal data (see, among many, most recently, provision 14 September 2023, no. 398, web doc. no. 9940457 and provisions referred to therein). In numerous decisions, in fact, the Guarantor has reiterated that all the limits set by the principles of data protection with regard to lawfulness and data minimization also apply to publications in the online public notice board (see part II, par. 3.a. of the “Guidelines on the processing of personal data, including those contained in administrative acts and documents, carried out for advertising and transparency purposes on the web by public bodies and other obliged entities”, cit.). 
This is also confirmed by the personal data protection system contained in the Regulation, in light of which it is provided that the data controller must implement "appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed" and must be "able to demonstrate" - in light of the "accountability" principle - that it has done so (Articles 5, paragraph 2; 24 and 25, paragraph 2, Regulation). Therefore, no personal data of the complainant or other personnel should have been reported in the published resolution, using, if necessary, the "omissis" technique or other data anonymization measures (see, precisely with regard to a similar case in the school context, provision 1 September 2022, no. 290, web doc. 9811361 and previous provisions referred to therein). In light of the above considerations, although what occurred appears to have occurred by mere error and in the presence of numerous organizational difficulties in the emergency period due to the Covid-19 epidemic, it must be concluded that the online publication on the institutional website of information relating to the absence from service of the complainant and other employees has given rise to a dissemination of personal data in the absence of a suitable basis for lawfulness, in violation of Articles 5 and 6 of the Regulation and 2-ter of the Code. In any case, we take favorable note of the adoption, by the Institute, of organizational measures aimed at preventing similar errors, in the publication phase of determinations containing personal data, from occurring in the future, in particular through further training activities aimed at administrative staff and the adoption of updated formats to be used when publishing on the website. 4. Conclusions. 
In light of the above assessments, it is noted that the statements made by the data controller during the investigation ˗ the veracity of which may be held accountable pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow the findings notified by the Office with the act of initiation of the procedure to be overcome and are insufficient to allow the archiving of the present proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply. Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Institute is noted, in violation of art. 5, par. 1, letter a), and 6, par. 1, letter c) and e) of the Regulation and art. 2-ter, paragraphs 1 and 3 of the Code. Violation of the aforementioned provisions makes the administrative sanction provided for by art. 83, par. 5, of the Regulation applicable to the Institute, pursuant to art. 58, par. 2, letter i), and 83, par. 3, of the Regulation itself, as also referred to in art. 166, paragraph 2, of the Code. 5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (art. 58, par. 2, letters i and 83 of the Regulation; art. 166, paragraph 7, of the Code). The Guarantor, pursuant to art. 58, par. 2, letter i) and 83 of the Regulation as well as art. 
166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019). In this regard, taking into account Article 83, paragraph 3, of the Regulation, in this case the violation of the provisions cited is subject to the application of the pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation. The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for in art. 83, par. 2, of the Regulation. With specific regard to the nature and seriousness of the violation and the sensitivity of the data affected by the violation (art. 83, par. 2, letters a) and g), of the Regulation), the following is noted. In pointing out that in the workplace, data subjects are in a particularly “vulnerable” condition and that, therefore, the risks to the rights and freedoms of data subjects in this context take on particularly high coefficients of probability and severity (see recital 75 and art. 
88 of the Regulation and the “Guidelines on the data protection impact assessment and the criteria for establishing whether a processing operation is “likely to present a high risk” pursuant to Regulation 2016/679”, WP 248 of 4 April 2017, which, among the categories of vulnerable data subjects, expressly mention “employees”), it should be considered that the violation in question involved the dissemination by the Institute, in the absence of a legal basis, of personal data concerning the absences made by the complainant on certain days of the school year, even if this occurred without indicating the specific reasons or references to information attributable to particular categories of data. As regards the duration of the violation (art. 83, par. 2, letter a), of the Regulation), it is important to highlight that it appears to have continued, for an extended period of time, until XX, the date on which the Institute nevertheless proceeded to remove the documents published online to remedy the violation committed. In light of these circumstances, it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60). Having said this, it must be considered that, for the purposes of 83, par. 2, letter e), of the Regulation, there are no previous relevant violations committed by the data controller or previous measures referred to in art. 58 of the Regulation. It must also be considered that the Institute collaborated with the Authority during the investigation, promptly removing from its website the personal data contained in records and documents and adopting new procedures and organizational measures aimed at preventing similar errors, during the publication phase of the same, from occurring in the future (Article 83, paragraph 2, letter f), of the Regulation). 
It must also be taken into account that the violation occurred in a context, such as the school context, characterized by numerous organizational difficulties as well as by the additional problems connected to the emergency period due to the spread of the Covid-19 virus (Article 83, paragraph 2, letter k) of the Regulation). In light of the aforementioned elements, assessed as a whole, it is believed that the amount of the pecuniary sanction should be determined in the amount of Euro 2,000 (two thousand) for the violation of Articles 5, paragraph 1, letter a), and 6, paragraph 1, letter c) and e) of the Regulation and of Article 2-ter, paragraphs 1 and 3 of the Code (in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts that are the subject of the complaint) as an administrative pecuniary sanction deemed, pursuant to art. 83, paragraph 1, of the Regulation, to be effective, proportionate and dissuasive. It is also believed that the accessory sanction of publication of this provision on the Guarantor's website should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor's Regulation no. 1/2019. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met. GIVEN ALL THE ABOVE, THE GUARANTOR declares, pursuant to art. 57, paragraph 1, letter. f), of the Regulation, the unlawfulness of the processing carried out by the Institute for violation of articles 5, par. 1, letter a), and 6, par. 1, letter c) and e) of the Regulation and art. 2-ter, paragraphs 1 and 3 of the Code, in the text prior to the amendments made by Legislative Decree no. 139 of 8 October 2021, in force at the time of the facts that are the subject of the complaint, within the terms set out in the reasons; ORDERS the Istituto Comprensivo Statale “F.S. 
Cabrini, in the person of its legal representative pro-tempore, with registered office in Via delle Forze Armate, 65 - 20147 Milan, Tax Code 97666910159, to pay the sum of 2,000 (two thousand) euros as an administrative pecuniary sanction for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed; ORDERS the aforementioned Institute, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 2,000 (two thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of Law no. 689/1981; ORDERS pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the website of the Guarantor, considering that the conditions set out in art. 17 of the Guarantor Regulation no. 1/2019 exist. Pursuant to arts. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 24 January 2024 THE PRESIDENT Stanzione THE REPORTER Ghiglia THE GENERAL SECRETARY Mattei