Garante per la protezione dei dati personali - 9283029
|Authority:||Garante per la protezione dei dati personali (Italy)|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 9(1) GDPR
Article 9(2) GDPR
Article 9(4) GDPR
|Decided:||6. 02. 2020|
|Parties:||Public High School|
|National Case Number/Name:||9283029|
|European Case Law Identifier:||n/a|
|Original Source:||Garante per la protezione dei dati personali (in IT)|
The Italian data protection authority (Garante) imposed a fine of €4.000 on a public high school, finding that the publication on the school website of the details of the teaching staff constituted a breach of the principles of lawfulness, fairness and transparency, as well as of data minimization under Article 5 (1) (a) (c) GDPR. The Garante also found that the school published part of the data failing to rely on a lawful basis and that data concerning health were published in violation of Article 9 (1), (2), (4) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The Garante examined a complaint against the publication on the school website of the details of the teaching staff (around 1.500 subjects concerned), including address, phone number, number of children and data concerning health.
Dispute[edit | edit source]
The Garante had to assess whether such disclosure was justified and lawful.
Holding[edit | edit source]
The Garante considered that the most likely applicable lawful basis for the process of personal data in the public sector is the compliance with a legal obligation or the performance of a task carried out in the public interest or in the exercise of official authority under Article 6 (1) (c) (e) GDPR. In this regard, in the Garante’s view part of the data was disclosed unlawfully with no Article 6 basis for processing. Moreover, the Garante found that the disclosure of the teaching staff personal data contravened the data protection principle of “lawfulness, fairness and transparency” and “data minimization” under Article 5 (1) (a) (c) GDPR. The Garante further found that the school also published data concerning health, failing to respect the prohibition under Article 9 (1) GDPR and without relying on any specific exemptions under Article 9 (2) (4) GDPR.
Comment[edit | edit source]
Feel free to add your comment here
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the ***Italian*** original. Please refer to the ***Italian*** original for more details.
to be completed