Garante per la protezione dei dati personali (Italy) - 9445324

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(2) GDPR
Article 6(3) GDPR
Article 2-ter of the Italian Privacy Code
Type: Complaint
Outcome: Upheld
Started:
Decided: 02.07.2020
Published:
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: 9445324
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Italian DPA website (in IT)
Initial Contributor: Davide C.

The Italian DPA found that posting some lists at the front door of a school containing personal data of minors is an unlawful dissemination of data.

English Summary

Facts

Some lists containing names of minors, as well as their dates of birth, addresses of residence, telephone numbers and the statement "no vaccine documentation" were posted at the front door of a school in Uggiano la Chiesa.

Dispute

Holding

The DPA ascertained that posting such information in a public space results in unlawful dissemination of personal data, given the lack of any reliable legal basis under art. 6 GDPR. However, the statement "no vaccine documentation" (written in pencil) was not considered to be processing of health data, as it did not reflect the real status of the students, who were actually in compliance with vaccine obligations, as reported by the principal. Since the principal admitted the mistaken dissemination and assured the adoption of countermeasures, such as the removal of the lists and the update of privacy training of the personnel, the DPA issued a minor fine of EUR 2,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI

In today's meeting, which was attended by President Antonello Soro, Prof. Licia Califano and Mrs Giovanna Bianchi Clerici, and Mr. Giuseppe Busia, the General Secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter Regulation);

HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, "Personal Data Protection Code" (hereinafter referred to as the "Code");

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in G.U. no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

Given the documentation on file;

Given the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, web doc. n. 1098801;

Rapporteur Prof. Licia Califano;

WHEREAS

1. Introduction.

The Authority has received some reports regarding the posting, at the entrance of the Istituto Comprensivo Statale of Uggiano la Chiesa, of some lists containing "names of minors, dates of birth, addresses of residence, telephone numbers" and the words "no vaccine copy". Some reports on the same issue have also appeared in the local press.

2. The investigative activity.

The School Institute has responded to the request for information from this Authority (note prot. n. XX of XX) with the note of XX.
Specifically, the School Manager represented, among other things, that:

- "the lists (...) had been posted for mere material error, without any authorization and signature of the Headmaster";

- to have "provided to remove the same" and to have "ascertained that the wording in pencil on these lists ("no copy of vaccines") did not refer in any way to the children indicated therein who are in fact in compliance with the vaccination obligations";

- "We are also considering appropriate disciplinary action to be taken against those who have implemented the above violation and to provide for a further training course in accordance with the DPO, in addition to that already carried out on 08.10.2018 with all staff, in order to emphasize again the sensitive aspects regarding the processing of personal data".

The Office, on the basis of the verifications carried out and the elements acquired, also through the documentation sent by the School Institute and the facts that emerged as a result of the preliminary activity, as well as the subsequent evaluations, has ascertained that the aforementioned Istituto Comprensivo, by posting on the entrance door of the pre-school of Otranto the above-mentioned lists relating to minors, has carried out processing that does not comply with the relevant regulations on the protection of personal data, consisting in the disclosure of personal data and information relating to minors in the absence of a suitable legal basis for the dissemination of such data, in accordance with art. 2-ter, paragraphs 1 and 3, of the Code, which instead admits the aforesaid possibility by public entities only when the disclosure is provided for by law or, in cases provided for by law, by regulation.

There is no evidence of the dissemination of data relating to the health of minors because, as represented by the school manager, the words in pencil "missing vaccines copy" did not refer to the children listed, who were in fact in compliance with vaccination obligations.

The violations were therefore notified to the School Institute, as provided for in Article 166, paragraph 5, of the Code, communicating the initiation of proceedings for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulation and inviting the Institute to send to the Guarantor defensive writings or documents and, if necessary, to ask to be heard by the Authority, within 30 days (Article 166, paragraphs 6 and 7 of the Code, and Article 18, paragraph 1, of Law No. 689 of 24/11/1981).

In particular, the Office has considered that the dissemination of the aforementioned lists has occurred in violation of the regulations on the protection of personal data and, in particular:

a) in a manner that does not comply with the principles of "lawfulness, correctness and transparency" and "data minimization", in violation of Article 5, paragraph 1, letters a) and c) of the Regulation;

b) in the absence of a suitable legal basis for the dissemination of the above mentioned personal data, in violation of art. 6, par. 1, letter c) and e), par. 2 and par. 3, letter b) of the Regulation and art. 2-ter, paragraphs 1 and 3, of the Code;

By note of the XX, the Comprehensive Institute sent its defensive briefs, and declared, in particular, that:

a) "with reference to the nature, seriousness and duration of the violation carried out by the School Institution, it is specified that it has erroneously affixed to the internal door of the school entrance lists containing personal data (name and surname, dates of birth, addresses of residence, telephone number) of the students";

b) "(...) the above mentioned lists were promptly removed as soon as the news of the posting reached the undersigned. Therefore the duration of the violation was rather limited in time since the lists remained posted within the School only 3 or 4 days";

c) "The same, in fact, were removed the same day on which the news was learned (i.e. Saturday, the day on which teaching activities are suspended). All the families involved in this event, the teachers as well as all the staff were subsequently summoned in order to inform everyone about the situation in the whole educational community".

3. Result of the investigation relating to the complaint submitted. Applicable regulations.

As a preliminary point, it is represented that, according to the relevant regulations, "personal data" is "any information concerning an identified or identifiable natural person ("interested party")". (art. 4, par. 1, no. 1 of the Regulations). Moreover, "a natural person is considered identifiable if he or she can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his or her physical, physiological, genetic, psychic, economic, cultural or social identity" (ibid.).

The processing of personal data carried out in the public domain is lawful only if such processing is necessary "to fulfill a legal obligation to which the data controller is subject" or "for the performance of a task in the public interest or connected with the exercise of public authority vested in the data controller" (art. 6, par. 1, letter c) and e)).

The European legislation also provides that "Member States may maintain or introduce more specific provisions to adapt the application of the provisions of this Regulation with regard to the processing, in accordance with paragraph 1(c) and (e), determining more precisely specific requirements for the processing and other measures to ensure lawful and correct processing (...)" with the consequence that, in the present case, the provision contained in art. 2-ter of the Code is applicable, according to which the disclosure of personal data in the public sphere is permitted only when provided for by a provision of law or, in the cases provided for by law, by regulation.

In this framework, the processing of personal data must be carried out in compliance with the principles indicated in art. 5 of the Regulation, including those of "lawfulness, correctness and transparency" as well as "data minimization", according to which personal data must be - respectively - "processed in a lawful, correct and transparent way towards the person concerned" as well as "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (par. 1, lett. a) and c).

4. Conclusions.

In the light of the above considerations, taking into account the statements made by the data controller in the course of the preliminary investigation (for whose truthfulness the declarant can be called to account pursuant to art. 168 of the Code) and considering that, with reference to the case in point, the defensive pleadings produced by the Institute did not produce elements such as to determine the filing of the proceedings, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Istituto Comprensivo di Uggiano La Chiesa is noted, for having circulated, by posting on the entrance door of the kindergarten of Otranto, some lists containing personal data of minors.

This dissemination took place in violation of the regulations for the protection of personal data and, specifically:

a) in violation of the principles of "lawfulness, correctness and transparency" and "data minimization", as per art. 5, par. 1, letter a) and c) of the Regulation;


b) in the absence of a suitable legal basis for the publication of the above mentioned personal data, in violation of art. 6, par. 1, letter c) and e), par. 2 and par. 3, letter b) of the Regulation and 2-ter, paragraphs 1 and 3, of the Code;

The violation of the above provisions makes the administrative sanction provided for in Article 83, paragraph 5, of the Regulation applicable, pursuant to Article 58, paragraph 2, letter i), of the Regulation itself and Article 166, paragraph 2, of the Code.

In this context, considering, in any case, that the conduct has exhausted its effects, since the Institute has declared that it has removed the lists from the school door (see note of XX), the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulations are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction (art. 58, par. 2, letter i; 83 Regulations).

Violation of Articles 5, par. 1, letter a) and c); 6, par. 1, letter c) and e), par. 2 and par. 3, letter b) and Article 2-ter, paragraphs 1 and 3, caused by the conduct of the Istituto Comprensivo di Uggiano La Chiesa, is subject to the application of the pecuniary administrative penalty pursuant to Article 83, par. 5, letter a) of the Regulations.

In this regard, art. 83, par. 3, of the RGPD, provides that "If, in relation to the same processing or related processing, a data controller or a data processor violates, with intent or negligence, various provisions of these Regulations, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation".

In the case in point, the violation of the above provisions is subject to the application of the same pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation, which therefore applies to the case in point.

The Guarantor, pursuant to Art. 58, par. 2, letter i); 83 of the Regulation as well as art. 166 of the Code, has the corrective power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, within this framework, "the Board [of the Guarantor] adopts the injunction order, by which it also orders the application of the accessory administrative sanction of its publication, in whole or in excerpts, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Regulation of the Guarantor n. 1/2019).

The aforementioned fine imposed, depending on the circumstances of each individual case, must be determined in the amount taking due account of the elements provided for in Article 83, paragraph 2, of the Regulation.

In relation to the aforementioned elements, it was considered that the conduct found, held in violation of the regulations on the protection of personal data, although referring to a small number of individuals and having had a limited duration (two/three days), had as its object the dissemination of personal data relating to particularly vulnerable individuals such as minors.

On the other hand it was considered: the culpable nature of the violation, since the dissemination of the aforementioned personal data was due to a mere error and that the aforementioned information would have been posted on the school's internal entrance door; that the Institute took action to remove the personal data of the persons concerned as soon as the request for information was received and cooperated with the Authority during the investigation of the present proceedings in order to remedy the violation and mitigate its possible negative effects; that actions were taken by the Institute to implement new organizational measures. Moreover, there are no previous violations of the relevant Regulations committed by the above mentioned Institute.

In view of the above elements, assessed as a whole, it is considered necessary to determine the amount of the financial penalty, provided for in Article 83, paragraph 2 of the Regulation, in the amount of € 2,000.00 (two thousand) for the violation of articles. 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b) of the Regulation; art. 2-ter, par. 1 and 3 of the Code, as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same Regulation.

In relation to the specific circumstances of this case, considering that the operation carried out is particularly invasive of the sphere of confidentiality of the persons concerned, who are minors, it is considered that the accessory sanction of the publication on the website of the Garante of this measure, provided by art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, should apply.

Finally, it should be noted that the requirements of Article 17 of Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at the performance of tasks and the exercise of powers delegated to the Garante.

ALL THIS BEING SAID, THE GARANTE

pursuant to art. 57, par. 1, letter f), of the Regulations and art. 144 of the Code declares the unlawfulness of the processing of personal data carried out by the Istituto Comprensivo of Uggiano La Chiesa, for violation of art. 5, par. 1, letter a) and c); 6, par. 1, letter c) and e), of the Regulations, and art. 2-ter, paragraphs 1 and 3, of the Code, in the terms set out in the grounds.

ORDER

Pursuant to art. 58, par. 2, letter i) and 83 of the Regulations, as well as art. 166 of the Code, to the Istituto Comprensivo Statale in Uggiano La Chiesa, with registered office in Via S. Pertini, 1, 73020 Uggiano La Chiesa (LE) - C.F. 92012650757, in the person of the pro-tempore legal representative, to pay the sum of € 2,000.00 (two thousand) by way of administrative fine for the violations indicated in this measure; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, through the payment, within thirty days, of an amount equal to half of the penalty imposed.

ORDER

to the same Institute, in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 2,000.00 (two thousand), according to the methods indicated in the attachment, within 30 days of notification of this measure, under penalty of adopting the consequent executive acts pursuant to art. 27 of Law No. 689/1981.

REQUIRE

Pursuant to art. 166, paragraph 7, of the Code, the publication of this measure on the website of the Garante and considers that the requirements of art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Garante.

In accordance with Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, it is possible to appeal against this measure before the ordinary judicial authorities, under penalty of inadmissibility, within thirty days from the date of communication of the measure itself or within sixty days if the applicant resides abroad.