Garante per la protezione dei dati personali (Italy) - 9994882

From GDPRhub
Revision as of 15:37, 18 April 2024 by Im
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 9 GDPR
Article 32 GDPR
Article 83(2)(e) GDPR
Article 157 Codice della privacy
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.02.2024
Published:
Fine: 18,000 EUR
Parties: n/a
National Case Number/Name: 9994882
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: im

The DPA fined a Local Health Authority €18,000 for sending a patient's data, concerning the denial of financial benefits, to another person due to a clerical error. The DPA also determined that an earlier measure against the same controller is not a 'previous infringement' under Article 83(2)(e) GDPR, and cannot be taken into account in the fine calculation, because the conduct at issue in the current complaint predates that measure.

English Summary

Facts

The data subject lodged a complaint against a Local Health Authority (the 'controller') for mistakenly sending an e-mail addressed to the data subject to another person. The e-mail contained the decision denying financial benefits for the use of healthcare services at a private healthcare facility outside the region. The e-mail therefore contained personal data such as the data subject's identification data, the name of the hospital where she intended to receive healthcare, and certain elements relating to the medical course already undertaken and still to be undertaken.

The DPA requested additional information from the controller, but received no response. The DPA then contacted the controller again to notify it that, by failing to provide the information requested by the DPA, it had breached Article 157 of the Italian Privacy Code.

After the second attempt at contact, the controller responded to the request, claiming a mere clerical error which had been addressed on the same day by informing the recipient of the e-mail that the attachment had been sent to them erroneously and inviting them to delete the documentation received. The controller also argued that there was no evidence that the person to whom the documentation was accidentally sent had actually viewed it.

The controller did not submit any arguments regarding its failure to reply to the request for information.

Holding

In its decision, the DPA cited Recital 35 GDPR, which specifies that data concerning health 'includes information on the natural person collected in the course of his registration for the purpose of receiving healthcare services.' Such information may be disclosed to third parties only on the basis of a suitable legal prerequisite or with the data subject's written authorization, pursuant to Article 84 of the Italian Privacy Code.

Consequently, the controller's disclosure of sensitive data to a third party not authorized to receive it breached the basic processing principles under Articles 5(1)(f) and 9 GDPR, since a lack of appropriate technical and organisational measures led to the infringement.

In addition to the lack of appropriate technical and organisational measures, the DPA also found a violation of the controller's security obligations under Article 32 GDPR, which led to the infringement.

The DPA noted that, prior to the current event, the controller had already been penalized for a violation of the personal data processing principles in similar circumstances, in the DPA's ruling no. 9872621. However, that measure cannot be regarded as a 'previous infringement' pursuant to Article 83(2)(e) GDPR, because it was adopted after the conduct that gave rise to the current complaint. Therefore, the DPA considered only the elements of this case in calculating the administrative fine.

As a result, the violations were treated as arising from a single conduct. After weighing the other applicable elements under Article 83 GDPR, the DPA imposed a fine of €18,000 for the violation of Articles 5, 9 and 32 GDPR and Article 157 of the Italian Privacy Code.

Comment

Decision no. 9872621 concerns the same controller and resembles the present case in both its facts and the violations found. However, in that earlier case the controller demonstrated a high degree of cooperation, and the DPA imposed a fine of €4,000.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9994882]

Provision of 8 February 2024

Register of measures
n. 63 of 8 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Dr. Claudio Filippi, deputy general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC" (hereinafter "Code");

HAVING REGARD TO Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46/EC";

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and at www.gpdp.it, doc. web no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

HAVING SEEN the documentation on file;

GIVEN the observations made by the deputy general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker: Prof. Ginevra Cerrina Feroni;

PREMISE

1. The complaint

With note dated XX, Mrs. XX lodged a complaint regarding the transmission by the local social and health authority no. 1 of Sassari, on XX (at "15:39"), of an email addressed to the aforementioned complainant but sent to an email address not belonging to her. In particular, the aforementioned email contained the provision (protocol note no. XX) with which the Extra-Region Hospitalization Office, Sassari District of the Company, denied the granting of economic benefits, such as travel and accommodation expenses, for the use of health services pursuant to L. R. n. 26/1991 at a private healthcare facility outside the region. According to what was declared and documented by the complainant, the aforementioned document contained her identifying data, the indication of the hospital where she intended to receive health care, as well as some elements relating to the medical path undertaken and still to be undertaken.

With note dated XX (prot. n. XX), the Authority requested the Company, pursuant to art. 157 of the Code, useful information for the evaluation of the case, by sending this request to the address: XX, which appears to have been delivered.

However, no response was received to this request for information. Therefore, the Office, with note dated XX (prot. n. XX), as the Company had not complied with the request to provide the elements requested by the Guarantor, notified the Company of the violation of art. 157 of the Code, communicating, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in article 58, par. 2, of the Regulation. Together with the aforementioned note of the XX, the request sent with the previous note of the XX was sent again.

With a note dated XX, the Company responded to the request for information dated XX (subsequently retransmitted with a note dated XX), forwarding a note from the Management of the District of Sassari, Anglona, Romangia and Western Nurra, with which it was stated that:

- "on XX, Mrs. (...), Professional Administrative Collaborator of the Extra-Regional Hospitalization Office of the District of Sassari, sent the note XX both to Mrs. XX's email (....) and by registered mail with return receipt dated XX, collected by her on XX";

- "please note that due to a mere material error, Ms. (...), on date XX, sent to the email of Mr. (...), instead of the confirmation of the relevant file, the note XX of the XX, addressed to Mrs. XX. The same, on the same day, having taken note of the above, being in good faith and unaware of violating the rights of others, correctly and promptly communicated to Mr. (...), at 4.57 pm of the XX, the incorrect sending of the attachment, and consequently invited him to delete the documentation received regarding another user, since it was a strictly personal document, as proven and documented by the XX email which is attached to the documents";

- "the undersigned District apologizes for the inconvenience caused to Mrs. XX, and will ensure that similar cases do not arise again in the future".

The Company has not provided any argument regarding the failure to respond to the request for information, formulated by the Authority, pursuant to art. 157 of the Code, with the note dated XX.

2. Assessments of the Office on the processing carried out and notification of the violation referred to in art. 166, paragraph 5 of the Code

In relation to the facts described above, the Office, with note dated XX (protocol no. XX), notified the local social and health authority no. 1 of Sassari, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, inviting it to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).

In particular, the Office, in the aforementioned deed, represented that, on the basis of the elements on file, it was found that the Company, by transmitting documentation containing data on Mrs. XX's health to a third party not authorized to receive it, had processed health data in violation of the basic principles of processing referred to in Articles 5 and 9 of the Regulation, as well as the security obligations referred to in art. 32 of the same Regulation.

With a note dated XX, the Company sent its defense briefs, in which, in particular, it highlighted that:

- "in addition to what has already been communicated with the PEC note of the XX, the nature of the violation in question is exclusively negligent, as the subject did not want the event to occur. In fact, the employee of the Extra Region Hospitalization Office promptly invited the sole recipient of the letter to delete the documentation received regarding another user, since it was a strictly personal document, as proven and documented by the XX email, attached to the PEC indicated above. Furthermore, it is highlighted that there is no proof that the user to whom the documentation was mistakenly sent actually viewed it";

- "the Company, through the Social and Health District of Sassari, to mitigate the effects of the violation, has implemented internal technical and organizational measures, such as information to the administrative offices of the district that process sensitive data (...). It also consulted the company information services, who suggested a system for sending communications by email with an encrypted mail system with access password, which the Extra-Region Hospitalization Office concerned is already using".

3. Outcome of the preliminary investigation

Having taken note of what was represented by the Company in the documentation on file, in the defense briefs and at the hearing, the following is observed:

1. "within the scope of the powers referred to in article 58 of the Regulation, and for the performance of its tasks, the Guarantor may request the controller, the processor, the representative of the controller or processor, the data subject or even a third party to provide information and exhibit documents, also with reference to the contents of databases" (art. 157 of the Code);

2. "data relating to health" means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information relating to his or her state of health (art. 4, par. 1, n. 15, of the Regulation). Recital no. 35 of the Regulation then specifies that data relating to health "include information on the natural person collected during his registration for the purpose of receiving health care services";

3. the regulations on the protection of personal data provide - in the healthcare sector - that information on the state of health can be communicated to third parties on the basis of a suitable legal basis or upon indication of the interested party himself, subject to the latter's written authorization (art. 9 Regulation and art. 84 of the Code in conjunction with art. 22, paragraph 11, Legislative Decree 10 August 2018, no. 101);

4. the data controller is required to respect the principles of data protection, including that of "integrity and confidentiality", according to which personal data must be "processed in a manner that guarantees adequate security (...), including protection, through adequate technical and organizational measures, from unauthorized or illicit processing and from accidental loss, destruction or damage" (art. 5, par. 1, letter f) of the Regulation). The adequacy of such measures must be assessed by the data controller with respect to the nature of the data, the object, the purposes of the processing and the risk to the fundamental rights and freedoms of the interested parties, taking into account the risks arising from the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed (art. 32, par. 1 and 2 of the Regulation);

5. the Company failed to respond to the Authority's request for information dated XX and communicated data relating to Ms XX's health, which conflicts with the basic principles of processing referred to in Articles 5 and 9 of the Regulation as well as with the security obligations referred to in art. 32 of the Regulation.

4. Conclusions

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation - and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor" - it is stated that the elements provided by the Company in the defense briefs do not allow the findings notified by the Office with the cited act of initiation of the procedure to be overcome, as, moreover, none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.

For these reasons, the unlawfulness of the processing of personal data carried out by the local health and social care company no. 1 of Sassari is established, in the terms set out in the reasoning, in particular for having processed personal data in violation of the basic principles of processing referred to in Articles 5 and 9 of the Regulation, of the security obligations referred to in art. 32 of the Regulation, as well as of art. 157 of the Code.

In this context, considering that the conduct has exhausted its effects, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation do not currently exist.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of Articles 5, 9 and 32 of the Regulation as well as art. 157 of the Code is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5 of the Regulation (see art. 166, paragraph 2, of the Code).

Taking into account that the violation of Articles 5, 9 and 32 of the Regulation and art. 157 of the Code took place as a result of a single conduct, art. 83, par. 3 of the Regulation applies, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. In the present case, the most serious violation concerns Articles 5, par. 1, letter f), and 9 of the Regulation and art. 157 of the Code, subject to the administrative sanction provided for by art. 83, par. 5, of the Regulation.

Consider that the Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined in its amount taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1 of the Regulation, in light of the elements provided for in art. 83, par. 2, of the Regulation.

In light of the above and, in particular, of the category of personal data affected by the violation, but also of the small number of interested parties (one) and the non-intentional nature of the violation, it is believed that the level of severity of the violation committed by the Company is low (see European Data Protection Board, "Guidelines 04/2022 on the calculation of administrative fines under the GDPR" of 23 May 2023, point 60).

Furthermore, it is noted that the Company has already been the recipient of a provision adopted pursuant to art. 58 of the Regulation for having processed personal data, in a similar circumstance, in violation of the basic principles of processing referred to in Articles 5 and 9 of the Regulation and of the obligations referred to in art. 32 of the Regulation (provision dated 23 March 2023, web doc. no. 9872621). However, the aforementioned violation cannot be classified as a "previous violation" pursuant to art. 83, par. 2, letter e), as the measure which ascertained it was adopted after the conduct which gave rise to today's complaint.

Having said this, evaluated a series of elements as a whole and, in particular, that:

- the Authority became aware of the event following a complaint by the interested party (art. 83, par. 2, letter h) of the Regulation);

- the controller, in order to avoid the repetition of the event that occurred, introduced an encrypted email system with access password and asked the recipient of the email to delete the documentation received (art. 83, par. 2, letters f) and c) of the Regulation);

- the violation concerned a specific internal structure of the data controller and not the overall organization of the same (art. 83, par. 2, letter k) of the Regulation);

it is deemed necessary to determine the amount of the pecuniary sanction provided for by art. 83, par. 5 of the Regulation at 18,000.00 (eighteen thousand) euros for the violation of Articles 5, 9 and 32 of the Regulation and art. 157 of the Code, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should be applied, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE ABOVE CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the local health and social care company no. 1 of Sassari, for the violation of Articles 5, 9 and 32 of the Regulation and art. 157 of the Code.

ORDERS

pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, the local social and health authority no. 1 of Sassari, with registered office in Sassari, Via Alceo Catalocchino, 9 07100 - C.F./P. IVA 02884000908, to pay the sum of 18,000.00 (eighteen thousand) euros as a pecuniary administrative sanction for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ENJOINS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 18,000.00 (eighteen thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.

PROVIDES FOR

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website, and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 8 February 2024

THE PRESIDENT
Stanzione

THE SPEAKER
Cerrina Feroni

THE DEPUTY SECRETARY GENERAL
Filippi

[doc. web no. 9994882]

Provision of 8 February 2024

Register of measures
n. 63 of 8 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and Dr. Claudio Filippi, deputy general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING REGARD TO Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the freedom circulation of such data and repealing Directive 95/46/EC”;

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette. n. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation in the documents;

GIVEN the observations made by the deputy general secretary pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker: Prof. Ginevra Cerrina Feroni;

PREMISE

1. The complaint

With note dated XX, Mrs. XX formulated a complaint regarding the transmission by the local social and health authority no. 1 of Sassari, dated XX (“15:39PM”) of an email addressed to the aforementioned complainant, but to an email address not belonging to her. In particular, the aforementioned email contained the provision (protocol note no. XX) with which the Extra-Region Hospitalization Office, Sassari District of the Company, denied the granting of economic benefits, such as travel and accommodation expenses, to benefit of health services pursuant to L. R. n. 26/1991 at a private healthcare facility outside the region. According to what was declared and documented by the complainant, the aforementioned document contained her identifying data, the indication of the hospital where she intended to receive health care as well as some elements relating to the medical path undertaken and to be undertaken.

With note dated XX (prot. n. XX), the Authority requested the Company, pursuant to art. 157 of the Code, useful information for the evaluation of the case, by sending this request to the address: XX, which appears to have been delivered.

However, no response was received to this request for information. Therefore, the Office, with note dated XX (prot. n. XX), as the Company did not comply with the request to provide the elements requested by the Guarantor, notified the same Company of the violation of the art. 157 of the Code, communicating, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in article 58, par. 2, of the Regulation. Together with the aforementioned note of the XX, the request sent with the previous note of the XX was sent again.

With a note dated XX, the Company responded to the request for information dated XX (subsequently retransmitted with a note dated XX), forwarding a note from the Management of the District of Sassari, Anglona, Romangia and Western Nurra, with which it was stated that:

- "on XX, Mrs. (...) Professional Administrative Collaborator of the Extra-Regional Hospitalization Office of the District of Sassari, sent the note XX both to Mrs. XX's email (....) and via the collection/ ar of the XX, withdrawn by the same on XX";

- "please note that due to a mere material error, Ms. (...), on date XX, sent to Mr.'s email (...), instead of the confirmation of the relevant practice, the note XX of the XX, addressed to Mrs. XX. The same, on the same day, having taken note of the above, being in good faith and unaware of violating the rights of others, correctly and promptly communicated to Mr. (...) at 4.57 pm of the XX, the incorrect sending of the attachment, and consequently invited him to delete the documentation received regarding another user, since it was a strictly personal document, as proven and documented by the XX email which is attached to the documents";

- "the Writing District apologizes for the inconvenience caused to Mrs. XX, and will ensure that similar cases do not arise again in the future".

The Company has not provided any argument regarding the failure to respond to the request for information, formulated by the Authority, pursuant to art. 157 of the Code, with the note dated XX.

2. Department assessments on the processing carried out and notification of the violation referred to in the art. 166, paragraph 5 of the Code

In relation to the facts described above, the Office, with note dated XX (protocol no. XX) notified the local social and health authority no. 1 of Sassari, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, inviting it to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).

In particular, the Office, in the aforementioned deed, represented that, on the basis of the elements in the documents, it was found that the Company, by transmitting documentation containing data on Mrs. XX's health to a third party not authorized to receive it, carried out a treatment of health data in violation of the basic principles of processing referred to in articles. 5 and 9 of the Regulation, as well as the safety obligations referred to in art. 32 of the same Regulation.

With a note dated XX, the Company sent its defense briefs, in which, in particular, it highlighted that:

- "in addition to what has already been communicated with the PEC note of the XX, that the nature of the violation in question is exclusively negligent, as the subject did not want the event to occur. In fact, the employee of the Extra Region Hospitalization Office promptly invited the sole recipient of the letter to cancel the documentation received regarding another user, since it was a strictly personal document, as proven and documented by the XX email, attached with the PEC indicated above. Furthermore, it is highlighted that there is no proof that the user to whom the documentation was mistakenly sent actually viewed it";

- "the Company, through the Social and Health District of Sassari, to mitigate the effects of the violation, has implemented internal technical and organizational measures, such as information to the administrative offices of the district that process sensitive data (...). He also consulted the company information services, who suggested a system for sending communications, by email, with an encrypted mail system with access password that the non-Region Hospitalization Office concerned is already using".

3.  Outcome of the preliminary investigation

Having taken note of what is represented by the Company in the documentation in the documents, in the defense briefs and in the hearing, the following is observed:

1. "within the scope of the powers referred to in Article 58 of the Regulation, and for the performance of its tasks, the Guarantor may request the controller, the processor, the representative of the controller or processor, the data subject or even third parties to provide information and to produce documents, also with reference to the contents of databases" (art. 157 of the Code);

2. "data concerning health" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (art. 4, par. 1, no. 15, of the Regulation). Recital 35 of the Regulation further specifies that data concerning health "include information on the natural person collected in the course of his or her registration for the purpose of receiving health care services";

3. the rules on the protection of personal data provide, in the healthcare sector, that information on the state of health may be communicated to third parties on the basis of a suitable legal basis or at the instruction of the data subject, subject to the latter's written authorisation (art. 9 of the Regulation and art. 84 of the Code, in conjunction with art. 22, paragraph 11, of Legislative Decree no. 101 of 10 August 2018);

4. the data controller is required to comply with the principles of data protection, including that of "integrity and confidentiality", according to which personal data must be "processed in a manner that ensures appropriate security (...), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures" (art. 5, par. 1, letter f), of the Regulation). The adequacy of such measures must be assessed by the data controller with respect to the nature of the data, the scope, the purposes of the processing and the risk to the rights and freedoms of data subjects, taking into account the risks arising from the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (art. 32, par. 1 and 2, of the Regulation);

5. the Company failed to respond to the Authority's request for information of XX and communicated data relating to Ms XX's health, in conflict with the basic principles of processing referred to in arts. 5 and 9 of the Regulation as well as with the security obligations referred to in art. 32 of the Regulation.

4. Conclusions

In light of the assessments set out above, taking into account the declarations made by the data controller during the investigation (and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances, or produces false deeds or documents, is liable pursuant to art. 168 of the Code, "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), it is found that the elements provided by the Company in the defence briefs do not allow the findings notified by the Office with the cited act of initiation of the procedure to be overcome, since, moreover, none of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 applies.

For these reasons, the unlawfulness of the processing of personal data carried out by the Local Health and Social Care Authority no. 1 of Sassari is established, in the terms set out in the reasoning, in particular for having processed personal data in violation of the basic principles of processing referred to in arts. 5 and 9 of the Regulation, of the security obligations referred to in art. 32 of the Regulation, as well as of art. 157 of the Code.

In this context, considering that the conduct has exhausted its effects, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation do not currently exist.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (arts. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of arts. 5, 9 and 32 of the Regulation, as well as of art. 157 of the Code, is subject to the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5, of the Regulation (see art. 166, paragraph 2, of the Code).

Taking into account that the violations of arts. 5, 9 and 32 of the Regulation and of art. 157 of the Code resulted from a single conduct, art. 83, par. 3, of the Regulation applies, pursuant to which the total amount of the administrative fine shall not exceed the amount specified for the gravest violation. In the present case, the gravest violation concerns arts. 5, par. 1, letter f), and 9 of the Regulation and art. 157 of the Code, subject to the administrative sanction provided for by art. 83, par. 5, of the Regulation.

Considering that the Guarantor, pursuant to arts. 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other] [corrective] measures referred to in this paragraph, depending on the circumstances of each individual case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, by which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the Guarantor's website pursuant to Article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The amount of the aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness set out in art. 83, par. 1, of the Regulation, in light of the elements provided for in art. 83, par. 2, of the Regulation.

In light of the above and, in particular, of the category of personal data affected by the violation, but also of the small number of data subjects involved (one) and the non-intentional nature of the violation, the level of seriousness of the violation committed by the Company is considered low (see European Data Protection Board, "Guidelines 04/2022 on the calculation of administrative fines under the GDPR" of 23 May 2023, point 60).

It is further noted that the Company has already been the recipient of a provision adopted pursuant to art. 58 of the Regulation for having processed personal data, in a similar circumstance, in violation of the basic principles of processing referred to in arts. 5 and 9 of the Regulation and of the obligations referred to in art. 32 of the Regulation (provision of 23 March 2023, web doc. no. 9872621). However, that violation cannot be classified as a "previous infringement" pursuant to art. 83, par. 2, letter e), of the Regulation, since the provision which established it was adopted after the conduct which gave rise to the present complaint.

That said, having evaluated a series of elements as a whole and, in particular, that:

- the Authority became aware of the event following a complaint by the data subject (art. 83, par. 2, letter h), of the Regulation);

- the controller, in order to avoid a recurrence of the event, introduced an encrypted email system protected by an access password and asked the recipient of the email to delete the documentation received (art. 83, par. 2, letters f) and c), of the Regulation);

- the violation concerned a specific internal unit of the data controller and not its overall organisation (art. 83, par. 2, letter k), of the Regulation);

it is deemed appropriate to set the amount of the pecuniary sanction provided for by art. 83, par. 5, of the Regulation at 18,000.00 (eighteen thousand) euros for the violation of arts. 5, 9 and 32 of the Regulation and art. 157 of the Code, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also considered that the accessory sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should be applied, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers entrusted to the Guarantor, are met.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Local Health and Social Care Authority no. 1 of Sassari, for the violation of arts. 5, 9 and 32 of the Regulation and art. 157 of the Code.

ENJOINS

pursuant to arts. 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, the Local Health and Social Care Authority no. 1 of Sassari, with registered office in Sassari, Via Alceo Catalocchino, 9, 07100, C.F./P. IVA 02884000908, to pay the sum of 18,000.00 (eighteen thousand) euros as a pecuniary administrative sanction for the violation indicated in this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 18,000.00 (eighteen thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement acts will be adopted pursuant to art. 27 of Law no. 689/1981.

ORDERS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website, and finds that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers entrusted to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself, or within sixty days if the appellant resides abroad.

Rome, 8 February 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE DEPUTY SECRETARY GENERAL
Filippi