Garante per la protezione dei dati personali (Italy) - 9283029
- 9283029 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(c) GDPR Article 6(1)(e) GDPR Article 9(1) GDPR Article 9(2) GDPR Article 9(4) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 6. 02. 2020 |
Published: | n/a |
Fine: | 4.000 EUR |
Parties: | Public High School |
National Case Number/Name: | 9283029 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Italian |
Original Source: | Garante per la protezione dei dati personali (in IT) |
Initial Contributor: | n/a |
The Italian data protection authority (Garante) imposed a fine of €4.000 on a public high school, finding that the publication on the school website of the details of the teaching staff constituted a breach of the principles of lawfulness, fairness and transparency, as well as of data minimization under Article 5 (1) (a) (c) GDPR. The Garante also found that the school published part of the data failing to rely on a lawful basis and that data concerning health were published in violation of Article 9 (1), (2), (4) GDPR.
English Summary
Facts
The Garante examined a complaint against the publication on the school website of the details of the teaching staff (around 1.500 subjects concerned), including address, phone number, number of children and data concerning health.
Dispute
The Garante had to assess whether such disclosure was justified and lawful.
Holding
The Garante considered that the most likely applicable lawful basis for the process of personal data in the public sector is the compliance with a legal obligation or the performance of a task carried out in the public interest or in the exercise of official authority under Article 6 (1) (c) (e) GDPR. In this regard, in the Garante’s view part of the data was disclosed unlawfully with no Article 6 basis for processing. Moreover, the Garante found that the disclosure of the teaching staff personal data contravened the data protection principle of “lawfulness, fairness and transparency” and “data minimization” under Article 5 (1) (a) (c) GDPR. The Garante further found that the school also published data concerning health, failing to respect the prohibition under Article 9 (1) GDPR and without relying on any specific exemptions under Article 9 (2) (4) GDPR.
Comment
Feel free to add your comment here
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the ***Italian*** original. Please refer to the ***Italian*** original for more details.
to be completed