Garante per la protezione dei dati personali - 9440075

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(2) GDPR
Article 6(3) GDPR
Type: Complaint
Outcome: Upheld
Decided: 02.07.2020
Published: 27.07.2020
Fine: 4000 EUR
Parties: XX and XX
National Case Number/Name: 9440075
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: Deborah Tosi

The Italian DPA has fined Regione Campania for the violation of art. 5 and 6 GDPR. The DPA held that the publication of personal information of two debtors on the Region's website does not comply with the Regulation.

English Summary

Facts

Regione Campania published a document containing personal data of XX and XX on its website. The reporting parties complained that their names and addresses were disclosed online because they owed a debt to the Region, as provided by the final judgement of a civil suit. Regione Campania promptly removed personal information upon request of the parties. Moreover, the accused party stated that neither third parties, nor the complaining parties were harmed by the publication of the information and it argued that there was an obligation to publish those data in accordance with art. 73 of D. Lgs. 118/2011.

Dispute

Is the online publication of personal information of a debtor in compliance with art. 5 and 6 of the GDPR?

Holding

The DPA held that Regione Campania violated art. 5(1)(a)(c), art. 6(1)(c)(e), art. 6(2) and art. 6(3)(b) GDPR, and concluded that art. 73 of D. Lgs. 118/2011 imposed no obligation with regard to the online publication of personal information of debtors. Therefore, the DPA issued a sanction of € 4.000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Injunction order against the Campania Region - 2 July 2020

Record of measures
n. 120 of 2 July 2020

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Dr. Antonello Soro, president, Prof. Licia Califano and Dr. Giovanna Bianchi Clerici, members, and Dr. Giuseppe Busia, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "RGPD");

GIVEN the d. lgs. June 30, 2003, n. 196 containing the "Code regarding the protection of personal data" (hereinafter the "Code");

GIVEN the general provision n. 243 of 15/5/2014 containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", published in the Official Gazette. n. 134 of 12/6/2014 and in www.gpdp.it, doc. web n. 3134436 (hereinafter "Guidelines of the Guarantor on transparency");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in G.U. n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor's Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n. 1098801;

Speaker Dr. Antonello Soro;

WHEREAS

1. Introduction

This Authority has received a report regarding the publication on the institutional website of the Campania Region of data and personal information of Messrs. XX and XX.

Specifically, as verified on the basis of the preliminary assessment carried out by the Office, it was found that at the url http://..., the document entitled "XX" of the XX, signed by the Head of the XX, was viewable and freely downloadable, containing personal data of the reporting persons (name and residence), relating to a debt accrued by the Region towards them in execution of an executive sentence with specification of the amount.

The Region has communicated with note prot. n. XX of the XX that following the request for information from the Office (prot. No. XX of the XX) the "Directorate General for the Government of the Territory, Public Works and Civil Protection" proceeded to obscure the personal data subject of the report.

2. Applicable law.

Pursuant to the RGPD, the processing of personal data carried out by public entities (such as the Region) is lawful only if necessary "to fulfill a legal obligation to which the data controller is subject" or "for the execution of a task of public interest or connected to the exercise of public authority vested in the data controller" (art. 6, par. 1, lett. c and e).

It is also provided that "Member States may maintain [...] more specific provisions to adapt the application of the rules of this Regulation with regard to processing, in accordance with paragraph 1 (c) and (e), by determining more precisely specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing [...]" (Article 6, paragraph 2, GDPR), with the consequence that the provision contained in art. 19, paragraph 3, of the Code (in force at the time of the facts and whose content is now reproduced in the same terms in the new art. 2-ter, paragraphs 1 and 3, of the Code), where it provides that the personal data (such as publication on the Internet), by public entities, is permitted only when provided for by a law or regulation.

In any case, the data controller is also required to comply with the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "minimization", on the basis of which personal data must be "processed in a lawful, correct and transparent manner towards the data subject" and must be "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter a and c, of the GDPR).

3. Preliminary assessments of the Office on the processing of personal data carried out.

From the checks carried out on the basis of the elements acquired and the facts that emerged as a result of the investigation, as well as subsequent evaluations, the Office with note prot. n. XX of the XX has ascertained that the Campania Region, by disclosing the personal data of the reporting parties relating to a debt accrued by the Region towards them, in execution of an executive sentence, specifying the relative amount - contained in the document entitled «XX n. XX of the XX - prat. lawyer n. XX. Area XX Sector XX Service XX» of the XX, signed by the Service Manager XX - carried out a processing of personal data that did not comply with the relevant regulations regarding the protection of personal data contained in the RGPD. Therefore, with the same note the violations carried out (pursuant to art. 166, paragraph 5, of the Code) were notified to the Region, communicating the initiation of the procedure for the adoption of corrective measures pursuant to art. 58, par. 2, of the RGPD and inviting the Region to send defensive writings or documents to the Guarantor and, if necessary, to ask to be heard by this Authority, within the term of 30 days (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 11/24/1981).

4. Defensive memoirs and hearing.

With the note prot. n. XX of the XX the Campania Region sent to the Guarantor its defensive writings in relation to the notified violations, attaching different documentation concerning the obligations regarding the protection of personal data.

In this regard, please note that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false documents or documents, is liable pursuant to art. 168 of the Code, entitled "False statements to the Guarantor and interruption of the performance of the duties or the exercise of the powers of the Guarantor".

Specifically, in the note prot. n. XX of XX (attached to the aforementioned acknowledgment note) it was highlighted, among other things, that:

- the personal data in the "XX" have already been "obscured";

- "in the matter in question [...] no damage was caused to third parties nor, even less, to the subjects whose names had been disclosed, without further indication";

- "the data reported within the url in dispute had been inserted as a result of the obligation pursuant to art. 73 of Legislative Decree 118/2011, relating to the procedure for recognizing the legitimacy of off-balance sheet debts of the Regions, according to which "the Regional Council recognizes by law the legitimacy of off-balance sheet debts deriving from: a) executive sentences […]", requiring entities to publish all documents supporting the related request";

- "In addition, the personal data, object of the online dissemination, concerned the execution of a civil sentence, of which the interested parties had not requested the caution referred to in art. 52, paragraph 1, of Legislative Decree 30 June 2003, n. 196, which allows the interested party to request, for legitimate reasons, with a request filed in the registry or secretariat of the office that proceeds before the relative degree of judgment is defined, which is affixed by the same registry or secretariat, on the original of the sentence or provision, an annotation aimed at precluding, in case of reproduction of the sentence or provision in any form, the indication of the personal details and other identifying data of the same interested party reported on the sentence or provision ";

- "the dispute refers to a situation that occurred before the adoption of the relevant legislation. Although Regulation 2016/679 is effective from the 20th, the implementing decree was only adopted in August 2018 ("Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council , of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC ", OJ no. 205 of 4.09.2018. by reason of the "Principle of legality", referred to in Article 1 of Law 689/1981, "No one can be subjected to administrative sanctions except by virtue of a law that entered into force before the violation was committed. which provide for administrative sanctions are applied only in the cases and for the times they consider. "It is quite evident, therefore, as in the case analyzed by the Guarantor Authority, the facts originated well before the entry into force of the in detail and, in any case, it is reiterated, were immediately and promptly resolved by the Entity ".

In addition, on the 20th, the hearing requested by the Region pursuant to art. 166, paragraph 6, of the Code in which it was represented, in addition to what has already been reported in the documentation sent, that the Region:

- "is required, pursuant to Legislative Decree 267/2000 (Chapter II, Title III) as well as art. 151, paragraph 4 of the same decree, to publish the personal data subject to reporting, also to allow the accounting magistracy to carry out checks on the decree relating to off-balance sheet debt ";

- "in any case, it has promptly taken action to obscure the complainant's personal data following knowledge of the complaint";

- «It started a training course in favor of all the regional offices and managers. The Region has also appointed a person responsible for the protection of personal data».

During the aforementioned hearing, the Region filed the supplementary note prot. n. XX of the XX, to which various documents are attached demonstrating the adoption of "specific procedures aimed at obscuring data from the design stage", highlighted, among other things, that:

- "in the case of off-balance sheet debt, the mention of the name of the parties to whom the commitment of expenses is to be allocated," is fully lawful "as, as is known, as required by Chapter II, Tit. III of Legislative Decree 267/2000, for the adoption of spending commitments, not only is the indication of the amount to be paid and the creditor's personal details, but also the explanation of the reasons for the commitment itself (cf. ., in particular, art. 185, co. 2, [which] governs, for what is of particular interest here, the minimum information that must contain the payment order and, among these, is expressly indicated in the letter, "e) indication of the creditor and, in the case of a different person, the subject required to issue the receipt, as well as the relative tax code or VAT number ", recalling how, in hindsight, the local authority, obliged to publish that data, has advertised it only with name and surname, avoiding the insertion of the tax code which, certainly, would have led to easier identification of the allegedly injured parties ";

- "And again, as further confirmation of the obligation, at that stage, to publish the names of the two subjects, it is noted that, as required by art. 151, co. 4 of the same regulatory compendium, "the accounting system of local authorities guarantees the unitary recognition of management events from a financial, economic and equity point of view, through the adoption: a) of financial accounting, which has an authorization nature and allows for management reporting financial; b) economic and asset accounting for the purposes of information, for the recognition of the economic and equity effects of management events and to allow economic and asset reporting "being, therefore, clear the underlying rationale of the entire legislation addressed to the Public Administration when it is necessary to proceed with the recognition, in this case, of off-balance sheet debts ";

- "none of the subjects allegedly harmed by the dissemination of the data, has ever reported the problem to the Entity [...] which, as soon as it became aware of it, promptly took action to remove a data entered, however, by virtue of an obligation regulatory (still mandatory today)".

5. Outcome of the investigation relating to the report submitted

In the specific case subjected to examination by the Guarantor, the subject of complaints by the reporting parties is the disclosure of their personal data contained in a document published online, namely "XX" no. XX of the XX, attached to the proposed resolution for XX, which contained the personal data (name and residence) of the reporting parties as well as information relating to the debt accrued for compensation for damage, with specification of the relative amount, by the Region towards them in execution of an enforceable sentence.

The Campania Region both in the defense briefs and in the hearing confirmed the online disclosure of the personal data of the reporting parties, presenting some observations which, although worthy of consideration, do not allow to overcome the findings notified by the Office with the initiation deed of the procedure.

In particular, it is agreed with the observation by the Region for which the accounting provisions contained in Articles 73 of d. lgs. n. 118 of 26/06/2001; 151, paragraph 4, and 185, paragraph 2 of the legislative decree n. 267 of 18/8/2000, indicate, among other things, also the elements that must contain the payment order and also serve to allow the carrying out of the necessary checks by the accounting judiciary on off-balance sheet debts. However, these articles, also for the purposes of auditing by the Court of Auditors, do not in any way provide for the online disclosure of the personal data of the reporting persons.

Similarly, even if - as stated by the Region - "the personal data, object of online disclosure, concerned the execution of a civil sentence", it is not possible to recall the provisions contained in art. 52 of the Code, which does not concern the publication of the Entity's acts, but a completely different case concerning the possibility of the interested party to request, for legitimate reasons, the obscuring of their personal data contained in the sentence in the event of its reproduction.

Finally, it is not possible to accept the further exception formulated, according to which "the dispute refers to a situation that occurred before the adoption [of the RGPD]", and the "implementing decree" contained in Legislative Decree n. 101 of 10 August 2018 "was only adopted in August 2018" and entered into force on 19/9/2018.

It is in fact necessary to take into account that, even if the document object of the report, published online, dates back to XX, for the determination of the applicable law, in terms of time, the principle of legality must be recalled - as correctly stated also by the Region - as per art. 1, paragraph 2, of the l. n. 689/1981 which establishes that "Laws that provide for administrative sanctions are applied only in the cases and times considered in them". This determines the obligation to take into consideration the provisions in force at the time of the violation committed, which in the case in question - given the permanent nature of the alleged offense - must be identified at the time of cessation of the unlawful conduct, which occurred after the date of 25/5/2018 in which the RGPD became applicable. In fact, from the preliminary investigation it emerged that the illegal online dissemination ceased following the request for information from the Office of the XX (prot. no. XX) with the obscuring of the personal data of the whistleblowers from the institutional website by the competent General Management. In this regard, the fact that the aforementioned d. lgs. n. 101/2018 entered into force only in September 2018, given that the RGPD is a European regulation and, as such, is "mandatory in its entirety and directly applicable in each of the Member States" (Article 288 of the Treaty on the Functioning of the European Union) starting from the date of 25/5/2018 on which it became applicable (Article 99, paragraph 2, RGPD).

For these reasons, in relation to the conduct held, the arguments reported by the Campania Region are not sufficient to allow the filing of this proceeding, since none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.

In this context, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Region is noted, as the publication on the institutional website of the personal data of the reporting persons described above took place and in a manner not compliant with the principle of data minimization and in the absence of suitable regulatory conditions, in violation of the basic principles of treatment contained in articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the RGPD, as well as art. 19 paragraph 3 of the Code (in force at the time of the facts and whose contents are now reproduced in the same terms in the new art. 2-ter, paragraphs 1 and 3, of the Code).

Considering, however, that the conduct has exhausted its effects, as the data controller has taken steps to obscure the personal data of the reporting parties described above from the institutional website, without prejudice to what will be said on the application of the pecuniary administrative sanction, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the RGPD are not met.

6. Adoption of the injunction order for the application of the pecuniary administrative sanction (articles 58, par. 2, letter i; 83 RGPD)

The Campania Region appears to have violated Articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR; as well as art. 19, paragraph 3, of the Code, in force at the time of the unlawful conduct.

In this regard, art. 83, par. 3, of the RGPD, provides that "If, in relation to the same treatment or related treatments, a data controller or a data processor violates various provisions of this regulation, with willful misconduct or negligence, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation".

In this case, the violation of the aforementioned provisions is subject to the application of the same administrative fine provided for by art. 83, par. 5, of the RGPD, which therefore applies to the present case.

The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the RGPD as well as art. 166 of the Code, has the corrective power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of every single case". In this context, "the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in amount, taking into account the elements provided for by art. 83, par. 2, of the RGPD.

In relation to the aforementioned elements, the detected conduct in violation of the regulations on the protection of personal data had as its object the dissemination of personal data not belonging to particular categories or to criminal convictions or offenses (articles 9 and 10, of the RGPD ) of two interested parties. The disclosure lasted for several years, but the administration immediately took action to obscure the personal data subject of the report once it received the request for information from the Guarantor, collaborating with the Authority during the investigation of this proceeding with the purpose of remedying the violation - the character of which, also considering what is stated by the Region, appears to be of a negligent nature - mitigating the possible negative effects. In the reply to the Guarantor, various technical and organizational measures implemented pursuant to art. 25-32 of the GDPR. There are no previous violations of the relevant RGPD committed by the Campania Region.

Due to the aforementioned elements, assessed as a whole, it is deemed necessary to determine pursuant to art. 83, para. 2 and 3, of the RGPD, the amount of the pecuniary sanction, provided for by art. 83, par. 5, of the RGPD, to the extent of € 4,000.00 (four thousand) for the violation of Articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR; as well as art. 19, paragraph 3, of the Code, as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same RGPD.

In relation to the specific circumstances of this case, relating to the violation of the principle of data minimization and the dissemination of personal data on the web in the absence of a suitable legal basis, it is also believed that the accessory sanction of the publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7, of the Code and by art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019.

Finally, it is believed that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR

declares, pursuant to art. 57, par. 1, lett. f), of the Regulation and 144 of the Code, the unlawfulness of the processing carried out by the Campania Region in the terms indicated in the motivation pursuant to Articles 58, par. 2, lett. i) and 83 of the GDPR;

ORDERS

to the Campania Region, in the person of the pro-tempore legal representative, with registered office in Via Santa Lucia 81 - 80132 Naples (NA) - C.F. 80011990639, pursuant to articles 58, par. 2, lett. i) and 83 of the Regulations, and 166 of the Code, to pay the sum of € 4,000.00 (four thousand) as a pecuniary administrative sanction for the violations mentioned in the motivation;

ENJOINS

to the same Region to pay the sum of € 4,000.00 (four thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the l. n. 689/1981.

Please note that the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - an amount equal to half of the sanction imposed, within the term set out in art. 10, paragraph 3, of d. lgs. n. 150 of 1/9/2011 provided for the submission of the appeal as indicated below (Article 166, paragraph 8, of the Code).

ORDERS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and by art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019 and believes that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the RGPD, of the arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, 2 July 2020

PRESIDENT
Soro

THE RAPPORTEUR
Soro

THE SECRETARY GENERAL
Busia