Garante per la protezione dei dati personali - 9269618
Authority: Garante per la protezione dei dati personali (Italy)
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR; Article 33 GDPR
Decided: 23 January 2020
Fine: EUR 30,000
Parties: University of Rome "La Sapienza"
National Case Number/Name: 9269618
European Case Law Identifier: n/a
Original Source: Garante per la protezione dei dati personali (in IT)
On 23 January 2020 the Italian Data Protection Authority (Garante) imposed a fine of EUR 30,000 on the University of Rome "La Sapienza", acting as data controller under the GDPR, for failing to process personal data with a level of security appropriate to the risk, as required by Article 32 GDPR read with Article 5(1)(f). The breach itself had been notified to the Garante under Article 33 GDPR; the timely notification and the University's cooperation were counted in mitigation when the fine was set.
The Garante examined the University's notification of a personal data breach that occurred through its whistleblowing platform. Personal data of a technical-administrative employee and of a student of the University (together the "reporting persons") were disclosed on the internet after the two had filed confidential reports of unlawful conduct. The reporting persons' data (name, surname, structure/seat, telephone number, e-mail address and reporting date), present on some web pages of the whistleblowing platform, had been indexed by search engines and were freely retrievable by anyone using one; the content of the reports themselves was not exposed. According to the University, the exposure originated from a mandatory security patch of the Microsoft SharePoint platform underlying the application, which overwrote the access permissions of an internal page and made lists that were natively unexposed (and therefore not indexable) viewable. The University blocked the page on the day it became aware of the breach, notified the Garante within 72 hours and then had the indexed pages and cached copies removed from Google, Bing and Yahoo.
Does a reduction in the effectiveness of the technical access-control measures protecting personal data (here, one caused by an update of a vendor platform) remain within the responsibility of the data controller?
Does the failure to use encryption for data in transit constitute an infringement of Article 32 GDPR, taking into account the nature, scope and purpose of the processing and the risk to the rights and freedoms of reporting persons that a whistleblowing mechanism entails?
The Garante held that the University had failed to adopt technical and organisational measures ensuring a level of security appropriate to the risk, in breach of Article 32 GDPR. First, the web pages were exposed on the public network without access-control measures limiting access to authorised persons holding authentication credentials and a specific authorisation profile; the fact that a Google query for "inurl:segnalazioni.uniroma1.it" returned pages with the reporting persons' identifying data, some also as cached copies, disproved the University's claim that only its anti-corruption officer (RPCT) or the reporters themselves could have traced the data. The University's argument that a mandatory SharePoint update had overwritten the page permissions did not help it: the controller must in any case have procedures to regularly test, verify and evaluate the effectiveness of its security measures (Article 32(1)(d) GDPR), so a loss of effectiveness caused by the platform update remains within the controller's sphere of responsibility. Second, the application was reached over plain "http", which guarantees neither the confidentiality and integrity of the data exchanged nor the authenticity of the site; given the high risk a whistleblowing channel carries for reporting persons, the University should have used cryptographic transport, which Article 32(1)(a) expressly names as a possible measure. The Garante also noted that the University had simply accepted the vendor's design, which did not encrypt the reporters' identifying data, the report content or attachments stored in the application's database. The fine was set at EUR 30,000, with the small number of data subjects (two), the prompt de-indexing and removal of cached copies, the self-notification and the University's cooperation counted in mitigation; no further corrective measures were ordered because the application had been suspended, and publication of the decision on the Garante's website was imposed as an ancillary sanction.
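The two findings above (report pages served to anyone, and plain http) and the de-indexing problem recorded in section 2 of the decision (exact-URL removal requests kept missing the same page under different GET parameter values, until the whole directory was reported) can be turned into a repeatable check. The following Python is an added example written for this page, not code from the University, its supplier or the Garante: assess() judges one anonymous request the way the decision does, and removal_prefix() computes the single directory prefix to submit to a search engine instead of one request per URL. The host name is the one in the decision; the paths, query parameters, response headers and bodies are constructed, and the HSTS check and the noindex requirement are recommendations of this example rather than points the Garante makes.

```python
"""Added example: Article 32(1)(d)-style exposure test and de-indexing helper.

assess()          judges one request made WITHOUT cookies or credentials on the
                  three points raised in the La Sapienza decision: http-only
                  transport, report data returned to an anonymous client, and
                  pages that crawlers are allowed to index.
removal_prefix()  turns a list of indexed URLs into the one directory prefix to
                  submit for removal, which is what finally worked in the case.
Host name from the decision; paths, parameters and bodies are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Title string that, according to the decision, appeared on every leaked page.
SENSITIVE_MARKERS = ("Confidential Nominative Reports",)
NOINDEX_META = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]+content=["\'][^"\']*noindex', re.I)


@dataclass
class Observation:
    """One anonymous request (no cookies, no credentials) and its response."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        name = name.lower()
        return next((v for k, v in self.headers.items() if k.lower() == name), None)


def assess(obs):
    """Findings for one observation; an empty list is a pass."""
    findings = []
    # 1. Transport: the decision faulted the http:// endpoint. The HSTS check
    #    is an extra recommendation of this example, not a point it makes.
    if urlsplit(obs.url).scheme != "https":
        findings.append("PLAINTEXT_TRANSPORT")
    elif obs.header("Strict-Transport-Security") is None:
        findings.append("NO_HSTS")
    # 2. Access control: 200 plus report data for an anonymous client is the
    #    exposure notified to the Garante; 401/403 or a redirect to the login
    #    page is the expected answer for every restricted URL.
    if obs.status == 200 and any(m in obs.body for m in SENSITIVE_MARKERS):
        findings.append("UNAUTHENTICATED_ACCESS")
    # 3. Indexability: anything served with 200 to an anonymous client should
    #    carry noindex, so a later permission slip is not crawled and cached.
    if obs.status == 200:
        robots = (obs.header("X-Robots-Tag") or "").lower()
        if "noindex" not in robots and not NOINDEX_META.search(obs.body):
            findings.append("INDEXABLE")
    return findings


def canonical(url):
    """Page identity without query string or fragment."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


def remaining_after_exact_removal(indexed, removed):
    """What survives exact-URL removal: every variant that differs only in
    its GET parameters is still listed, as the University found."""
    return [u for u in indexed if u not in removed]


def removal_prefix(urls):
    """Longest common directory (scheme://host/dir/.../) of the URLs, i.e.
    the single prefix to submit instead of one request per URL."""
    parts = [urlsplit(u) for u in urls]
    origins = {(p.scheme, p.netloc) for p in parts}
    if len(origins) != 1:
        raise ValueError("one request per origin: %r" % sorted(origins))
    dirs = [p.path.split("/")[1:-1] for p in parts]  # directory segments only
    common = []
    for level in zip(*dirs):
        if len(set(level)) != 1:
            break
        common.append(level[0])
    scheme, host = origins.pop()
    return f"{scheme}://{host}/" + "".join(d + "/" for d in common)


def remaining_after_prefix_removal(indexed, prefix):
    return [u for u in indexed if not u.startswith(prefix)]


# Constructed samples (not real captures): the page as exposed at the time of
# the incident, and the same page after the fixes the decision calls for.
INCIDENT = Observation(
    "http://segnalazioni.uniroma1.it/Lists/Reports/DispForm.aspx?ID=7",
    200, {"Content-Type": "text/html"},
    "<html><head><title>Confidential Nominative Reports</title></head>"
    "<body>name, surname, e-mail, reporting date ...</body></html>")
HARDENED = Observation(
    "https://segnalazioni.uniroma1.it/Lists/Reports/DispForm.aspx?ID=7",
    302, {"Location": "/login", "Strict-Transport-Security": "max-age=31536000",
          "X-Robots-Tag": "noindex, nofollow"})

# Constructed list of what a search engine might have indexed (hypothetical paths).
INDEXED = [
    "http://segnalazioni.uniroma1.it/Lists/Reports/DispForm.aspx?ID=7",
    "http://segnalazioni.uniroma1.it/Lists/Reports/DispForm.aspx?ID=7&Source=AllItems",
    "http://segnalazioni.uniroma1.it/Lists/Reports/DispForm.aspx?ID=12",
    "http://segnalazioni.uniroma1.it/Lists/Reports/AllItems.aspx",
    "http://segnalazioni.uniroma1.it/Pages/Help.aspx",
]
SENSITIVE = INDEXED[:4]  # the pages whose title carried the marker string

if __name__ == "__main__":
    for o in (INCIDENT, HARDENED):
        print(o.url, "->", assess(o) or "ok")
    print("after exact removal:", remaining_after_exact_removal(INDEXED, {INDEXED[0]}))
    print("prefix to submit:", removal_prefix(SENSITIVE))
    print("after prefix removal:",
          remaining_after_prefix_removal(INDEXED, removal_prefix(SENSITIVE)))
```

Run assess() as a scheduled job, with a client that sends no cookies and does not follow redirects, against every URL the portal exposes; any non-empty finding list is a failed test in the sense of Article 32(1)(d). removal_prefix() deliberately refuses to mix origins, because a removal request is made per site, and it falls back to the site root when the sensitive pages share no deeper directory, which is what the University ended up submitting.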
English Translation of the Decision
The decision below is a translation of the Italian original. Please refer to the Italian original for details.
Corrective and sanctioning measure against the University of Rome "La Sapienza" - 23 January 2020
Register of measures no. 17 of 23 January 2020

THE GARANTE FOR THE PROTECTION OF PERSONAL DATA

At today's meeting, attended by Dr. Antonello Soro, President, Dr. Augusta Iannini, Vice-President, Prof. Licia Califano and Dr. Giovanna Bianchi Clerici, members, and Dr. Giuseppe Busia, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("General Data Protection Regulation", hereinafter the "Regulation");

HAVING REGARD to Legislative Decree no. 196 of 30 June 2003, containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (hereinafter the "Code");

HAVING REGARD to Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Garante for the protection of personal data, approved by resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and at www.gpdp.it, web doc. no. 9107633 (hereinafter "Garante Regulation no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to Article 15 of Garante Regulation no. 1/2000 on the organisation and functioning of the office of the Garante for the protection of personal data, at www.gpdp.it, web doc. no. 1098801;

RAPPORTEUR Dr. Antonello Soro;

WHEREAS

1. The personal data breach.

By note of 14 December 2018 (prot. no. 37333), the University of Rome "La Sapienza" notified the Garante, pursuant to Article 33 of the Regulation, of the disclosure of personal data processed through the platform that the University, at the time of the facts, used for receiving and managing reports of wrongdoing by its employees and third parties under the so-called whistleblowing rules. In particular, the University notified the "dispersion of ordinary personal data (name, e-mail address) relating to 2 whistleblowers via the whistleblowing platform (supplied by Agic Technology srl) on search engines" (see note of 14 December 2018, p. 1).

2. The preliminary investigation.

In reply to the specific requests of the Office, the University (see notes of 9 January 2019, prot. no. 800, and 8 February 2019, prot. no. 4492) provided specific elements allowing a full reconstruction of the facts, stating:

a) that the "publication on the web of the list of subjects who had opened confidential reports contained in the application" concerning unlawful conduct had also led to the indexing of the web pages in question by web search engines (see Annex 1 to the note of 9 January 2019, p. 1);

b) that it had "become aware of the dispersion of the data on 12.12.2018" (see note of 9 January 2019, p. 1) and had notified the Garante of the personal data breach within 72 hours of becoming aware of it;

c) that "the accidentally dispersed personal data refer to a technical-administrative employee and to a student of the University" (see note of 9 January 2019, p. 1);

d) that "the personal data [...] affected by the data breach were the following: name; surname; structure/seat; telephone; e-mail; reporting date" (see technical document on the IT architecture of 6 February 2019, p. 4), while "the content of the reports was in no way made accessible to unauthorised persons" (see Annex 1 to the note of 9 January 2019, p. 1);

e) that it had communicated the personal data breach to the two data subjects on 30 January 2019. In this regard the University stated that "[...] taking into account the presence of copies of the data (which had become public) stored on the web page indexing servers (e.g. Google) despite the blocking of access to the online portal (first emergency intervention), it was decided, also for purely prudential reasons, to make the communication to the aforementioned data subjects" (see note of 8 February 2019, pp. 1-2);

f) that it had involved the InfoSapienza Centre for the suspension of the whistleblowing application and the removal from some search engines of the cached copies of the web pages containing those data. On this point the University specified in particular that it "proceeded to obscure the page at 15.55 on the same day" on which it learned of the breach (see technical document on the IT architecture of 6 February 2019, p. 4), pointing out that "after securing the domain concerned, the Infosapienza Centre carried out a first analysis of the results indexed by Google" and that "from this research it was possible to note that all the pages involved in the data breach contained in their title the [...] string Confidential Nominative Reports" (see technical report on the resolution of the Google indexing of 28 January 2019, p. 3);

g) that it had initially asked Google to remove the individual indexed contents, in some cases also stored as cached copies, using the tool called "Remove outdated content", stating that "this tool, however, proved inefficient for the removal of multiple dynamic pages. In fact, after the removal of the first reported URLs, the problem encountered was that the same pages were still present among the Google results, simply with values of the GET parameters different from the URL initially removed" (see technical report on the resolution of the Google indexing of 28 January 2019, p. 4);

h) that it then "proceeded to report the entire directory http://segnalazioni.uniroma1.it [...] obtaining the complete removal of the results associated with Whistleblowing" (see technical report on the resolution of the Google indexing of 28 January 2019, p. 5);

i) that it had also taken steps to "report the removal of the entire website also on Bing, and consequently on Yahoo, which also belongs to Microsoft and runs on the same engine as Bing" (see technical report on the resolution of the Google indexing of 28 January 2019, p. 6).

By note of 15 April 2019 (prot. no. 12891), the Office, on the basis of the elements acquired, including through the documentation sent and the facts that emerged during the preliminary investigation, notified the University, pursuant to Article 166(5) of the Code, of the initiation of the procedure for the adoption of the measures referred to in Article 58(2) of the Regulation, inviting the controller to submit defensive briefs or documents to the Garante or to ask to be heard by the Authority (Article 166(6) and (7) of the Code; Article 18(1) of Law no. 689 of 24 November 1981). In particular, the Office considered that the personal data breach, although accidental and promptly notified to the Garante pursuant to Article 33 of the Regulation, had resulted in processing of personal data:

a) not compliant with the principles of "lawfulness, fairness and transparency", in breach of Article 5(1)(a) of the Regulation;

b) without a suitable legal basis, in breach of Article 2-ter(1) and (3) of the Code and Article 6(1)(c) and (e), (2) and (3)(b) of the Regulation;

c) in breach of the "more specific rules to ensure the protection of rights and freedoms in respect of the processing of employees' personal data in the employment context" under Article 88(1) of the Regulation, in relation to Article 54-bis of Legislative Decree no. 165 of 30 March 2001;

d) in breach of Article 32 of the Regulation, in the absence of adequate technical and organisational measures to guarantee the confidentiality and integrity of the personal data processed by means of the application.

By note of 17 May 2019 (prot. no. 17392), the University submitted its defensive briefs, in which it stated:

a) that the breach "dates back to a period (24.04.2018) prior to the date from which the Regulation became applicable", so that "this Administration cannot be charged with violations of provisions not applicable at the time of the dispersion", and that Article 22(13) of Legislative Decree 101/2018 also applies to the present case (see note of 17 May 2019, pp. 1-2);

b) that "the assimilation of the case in question - a data breach which accidentally led to the disclosure of data - to a disclosure of personal data without a suitable legal basis" is unfounded (see cit., p. 2);

c) that the charge of "failure to comply with the more specific rules in force to ensure the protection of rights and freedoms in respect of the processing of employees' personal data in the employment context [Article 88(1) of the Regulation in relation to Article 54-bis of Legislative Decree no. 165/2001]" is unfounded, since it is "exclusively attributable [...] only to the alleged failure to put in place adequate technical and organisational measures" (see cit., p. 6);

d) that "the cause of the problem [...] of the system http://segnalazioni.uniroma1.it is linked to a mandatory update and modification (system patch) of the security settings of the Microsoft SharePoint software platform, which interfered with the application by making viewable some lists that were natively unexposed (and therefore not indexable by search engines)" (see cit., p. 7);

e) that "the computer authentication system [...] was in no way involved in the exposure of the identifying data of the whistleblowers, which instead took place through the accidental overwriting of the access permissions of an internal web page of the application" (see cit., p. 7);

f) that "the single page erroneously displayed [...] could be found through search engines only by using specific keywords", and that this "was possible [...] by entering the 'name' or 'date' field of one of the two reports" (see cit., p. 7);

g) that "it cannot be said that the dissemination was made possible by an ineffective authentication system, since only the RPCT [the University's officer for the prevention of corruption and for transparency] or, at most, the reporting persons themselves had the information needed to trace the data" (see cit., p. 7);

h) with regard to the "failure to use cryptographic tools for the transport and storage of data [...]", that "the absence of the HTTPS network protocol was irrelevant for the purposes of the exfiltration of the data in question" and that this measure is not "mandatory but merely suggested under current legislation" (see cit., p. 8);

i) with regard to the "incomplete decoupling of the reporting person's data from the content of the report", that this charge is also unfounded, even in the event that "anyone, provided they have information on the content of a report and the date of its receipt, [could] trace the identity of the reporting person" (see cit., p. 8);

j) that "the data in the application [...] do not necessarily correspond to 'true' information, and may well [...] correspond both to a pseudonym or invented names (e.g. 'Paolino Paperino') and to the real name of a person who is not the actual reporting person" (see cit., p. 9).

3. Outcome of the preliminary investigation. Applicable legislation.

As a preliminary point, although the personal data breach under investigation by this Authority began before the date of full application of the Regulation (in particular, according to what was declared, on 24 April 2018), for the purpose of determining the legal framework applicable ratione temporis the principle of legality under Article 1(2) of Law no. 689 of 24 November 1981 applies; in providing that "the laws providing for administrative sanctions apply only in the cases and for the periods they contemplate", it establishes the principle of tempus regit actum. Applying that principle means taking into account the provisions in force at the time of the violation. In the present case, the complete removal of the personal data from the web pages and the suspension of the application took place after 12 December 2018, the date on which the University declared that it became aware of the breach (see note of 9 January 2019, p. 1, and technical report on the resolution of the Google indexing of 28 January 2019, cit.). Therefore, given the continuing nature of the offence, which is moreover one of omission, the applicable rules must be identified by reference to those in force on the date the conduct was completed, namely when the conduct ceased, which occurred after 12 December 2018, when both the Regulation and the national adaptation rules (Legislative Decree 101 of 2018) were already applicable.

3.1. Security of processing.
Under the Regulation, personal data must be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures" (Article 5(1)(f) of the Regulation). In this regard, Article 32 of the Regulation provides that "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk", and that "in assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from [...] unauthorised disclosure of [...] personal data transmitted, stored or otherwise processed".

During the investigation, the University described the measures adopted to ensure the security of processing. In particular, it emerged that the whistleblowing application in use was a software product available on the market and that it did not allow the controller to make "customisations". As stated by the University, the InfoSapienza Centre had provided only the virtual machines, according to the prerequisites indicated by the software supplier, within which the supplier had installed the components (DBMS and SharePoint middleware) necessary for the operation of the whistleblowing application (see technical document on the IT architecture of 6 February 2019, p. 4).

a. Technical measures for access control.

On the basis of the documentation on file, the identifying data of the reporting persons present on some web pages of the whistleblowing application were indexed and freely retrievable on the web, with the help of common web search engines, by anyone. This is proved by the fact that among the results of a query made through the Google search engine with the string "inurl:segnalazioni.uniroma1.it" there were web pages containing the personal identification data of certain reporting persons, some of which were also present as a Google cached copy (see minutes of the operations carried out on 14 January 2019). This further supports the conclusion that, contrary to what the University maintains, the information needed "to be able to trace the data" (see note of 17 May 2019, p. 7) was available not only to the RPCT or, at most, to the reporting persons themselves, but to anyone through free Internet searches. The availability of such personal data on the web shows that the web pages in question were exposed on the public network without technical access-control measures that would have limited access to authorised subjects only, holding authentication credentials and a specific authorisation profile, in breach of Article 32 of the Regulation. Although the University has represented, in its defensive briefs, that "the cause of the problem [... would be] linked to a mandatory update and modification (system patch) of the security settings of the Microsoft SharePoint software platform", which would have given rise to an "accidental overwriting of the access permissions" of some web pages of the whistleblowing application, it must be noted that the controller is in any case required to adopt specific procedures "for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing" (Article 32(1)(d) of the Regulation).
The alleged reduction in the effectiveness of the technical access-control measures, which according to the University resulted from the update of the Microsoft SharePoint platform, therefore remains within the sphere of responsibility of the controller.

b. Technical measures for the transport and storage of data.

The investigation also showed that the whistleblowing application was accessed at the web address "http://segnalazioni.uniroma1.it". The "http" network protocol (hypertext transfer protocol) used for transporting the data does not guarantee secure communication, either in terms of confidentiality and integrity of the data exchanged or in terms of authenticity of the website displayed. With regard to the application in question, taking into account the nature, scope and purposes of the processing and the high risk for the rights and freedoms of the reporting persons, the solution adopted by the University cannot be considered an adequate technical measure to guarantee the confidentiality and integrity of the data processed and the authenticity of the website displayed to the subjects who use it, both as a channel for submitting reports (employees, students, etc.) and as a tool for managing them (the RPCT and any collaborators). The failure to use cryptographic tools for the transport of data is therefore contrary to Article 32 of the Regulation, which moreover, in paragraph 1(a), expressly identifies the encryption of data as one of the possible security measures suitable for ensuring a level of security appropriate to the risk (on this point see also recital 83 of the Regulation, where it states that the controller "[...] should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption"), as well as to the recommendations of ANAC on the use of "end-to-end encryption tools for the content of reports and any attached documentation" contained in the Guidelines on the protection of public employees who report offences (so-called whistleblowers), adopted by resolution no. 6 of 28 April 2015. The need to adopt technical and organisational measures to guarantee the security, confidentiality and integrity of the data processed in IT procedures for managing reports, through secure data transport protocols, was recently reiterated by the Garante (see measure no. 215 of 4 December 2019, web doc. no. 9215763, containing the opinion on the draft "Guidelines on the protection of persons who report offences or irregularities of which they have become aware in the context of an employment relationship, pursuant to Article 54-bis of Legislative Decree 165/2001 (so-called whistleblowing)").

Lastly, as is clear from the documentation acquired during the investigation, the University merely accepted the design choices of the company that supplied the whistleblowing application, which did not provide for the encryption of the personal data (identifying data of the reporting person, information relating to the report and any attached documentation) stored in the database used by the application, thus failing to adopt adequate technical and organisational measures to guarantee the confidentiality and integrity of the personal data processed by means of the whistleblowing application, in breach of Article 32 of the Regulation.

3.2. Conclusions.

In light of the above assessments, and taking into account the declarations made by the controller during the investigation (for the truthfulness of which it may be called to answer pursuant to Article 168 of the Code), the elements provided by the controller in its defensive briefs do not allow the findings notified by the Office with the act initiating the procedure to be overcome, nor does any of the cases provided for by Article 11 of Garante Regulation no. 1/2019 apply. For these reasons, the unlawfulness of the processing of personal data carried out by the University of Rome "La Sapienza" is established, in particular for having failed to comply with the security obligations imposed by Article 32 of the Regulation. In this context, considering in any case that the conduct has exhausted its effects, and given that the University has declared that it has suspended the application (see note of 8 February 2019, p. 1), the conditions for the adoption of corrective measures under Article 58(2) of the Regulation are not met.

4. Adoption of the injunction order for the application of the administrative fine and ancillary sanctions (Articles 58(2)(i) and 83 of the Regulation; Article 166(7) of the Code).

Pursuant to Article 83(3) of the Regulation, if, in respect of the same or linked processing operations, a controller or processor intentionally or negligently infringes several provisions of the Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement. In light of the above, it is deemed necessary to apply the sanction referred to in Article 83(4)(a) of the Regulation in relation to the established failure to comply with the security obligations under Article 32 of the Regulation, attributable to the University.

The Garante, pursuant to Articles 58(2)(i) and 83 of the Regulation and Article 166 of the Code, has the power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other] [corrective] measures referred to in this paragraph, depending on the circumstances of each individual case" and, in this context, "the College [of the Garante] adopts the injunction order, by which it also orders the application of the ancillary administrative sanction of its publication, in full or in extract, on the website of the Garante pursuant to Article 166(7) of the Code" (Article 16(1) of Garante Regulation no. 1/2019).

The amount of the administrative fine, according to the circumstances of each individual case, must be determined taking due account of the elements provided for by Article 83(2) of the Regulation. In relation to those elements, account was taken of the particular gravity of the conduct in respect of processing for which the sectoral rules provide, for the protection of the data subject, a high degree of confidentiality, as well as of the intensity of the subjective element (in particular the seriousness of the negligence), precisely because of the significant inadequacy of the measures adopted, from a technical and organisational point of view, in meeting the security and particular confidentiality requirements of data management in whistleblowing procedures (Article 83(2)(b), (d) and (g) of the Regulation). On the other hand, pursuant to points (a) and (c) of Article 83(2), it was considered that the infringement actually involved a small number of data subjects (only two), and account was also taken of the corrective measures promptly adopted to eliminate the causes of the contested conduct, in particular the action taken with the search engines to obtain de-indexing and the removal of the cached copies of the web pages of the whistleblowing application (see the controller's initiatives listed in paragraph 2 of this measure). It was also considered that the Authority became aware of the breach following notification by the controller, who actively cooperated with the Authority during the investigation and the present proceeding, that no reports or complaints were received concerning the conduct at issue, and that there are no previous relevant infringements committed by the controller or previous measures under Article 58 of the Regulation (Article 83(2)(e), (f), (h) and (i) of the Regulation).

On the basis of the above elements, assessed as a whole, the amount of the fine is set, taking into account also, pursuant to Article 22(13) of Legislative Decree no. 101 of 2018, the temporal context in which the offence was committed, at EUR 30,000 (thirty thousand), in particular for the breach of Article 32 of the Regulation, as an administrative fine deemed, pursuant to Article 83(1) of the Regulation, effective, proportionate and dissuasive. In this context it is also considered, having regard to the invasiveness of the contested processing with respect to the fundamental rights of the data subjects, the deficiencies found in the security of the University's information systems and the particular confidentiality regime established by the whistleblowing rules, that, pursuant to Article 166(7) of the Code and Article 16(1) of Garante Regulation no. 1/2019, this measure should be published on the Garante's website as an ancillary sanction. The conditions under Article 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Garante, are also met.

ALL THE ABOVE BEING CONSIDERED, THE GARANTE

DECLARES the unlawfulness of the processing of personal data carried out by the University of Rome "La Sapienza", in the terms set out in the reasoning;

ORDERS the University of Rome "La Sapienza", with registered office at Piazzale Aldo Moro 5, Rome, tax code 80209930587, in the person of its legal representative pro tempore, to pay the sum of EUR 30,000.00 (thirty thousand) as an administrative fine for the conduct indicated in the reasoning, it being noted that the offender, pursuant to Article 166(8) of the Code, may settle the dispute by paying, within thirty days, an amount equal to half the fine imposed;

ENJOINS the aforementioned University, should it fail to settle the dispute pursuant to Article 166(8) of the Code, to pay the sum of EUR 30,000.00 (thirty thousand) in the manner indicated in the annex, within 30 days of notification of this measure, failing which the consequent enforcement acts will be adopted pursuant to Article 27 of Law no. 689/1981;

ORDERS, pursuant to Article 166(7) of the Code, the publication in full of this measure on the website of the Garante, also finding that the conditions under Article 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Garante, are met.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, this measure may be challenged before the ordinary judicial authority, on pain of inadmissibility, within thirty days of the date of its communication or within sixty days if the applicant resides abroad.

Rome, 23 January 2020

THE PRESIDENT
Soro

THE RAPPORTEUR
Soro

THE SECRETARY GENERAL
Busia