Garante per la protezione dei dati personali - 9445550

From GDPRhub
Garante per la protezione dei dati personali - 9445550
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 15 GDPR
Article 83(2) GDPR
Article 83(5) GDPR
Type: Other
Outcome: n/a
Decided: 02.07.2020
Published: n/a
Fine: 5000 EUR
Parties: XX
Istituto Nazione per la Previdenza Sociale (INPS)
National Case Number/Name: 9445550
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: n/a

Italian DPA assesses criteria to determine the amount of the fine under Article 83(2) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subjects complains about the violation of its right of access (Article 15 GDPR) by the Istituto Nazionale per la previdenza Sociale (INPS). The Garante initiated a proceeding and established the violation of the complainant's right of access.

Dispute[edit | edit source]

The Garante must must determine the amount of the fine. To that end, the Authority uses the criteria provided for by Article 83 GDPR.

Holding[edit | edit source]

The Garante establishes the violation of the right of access. In order to quantify the administrative sanction, the Authority takes into account the elements provided for in Article 83, paragraph 2, of the Regulation including, (1) the non-intentional nature of the violation, (2) the lack of staff in the controller (a body governed by public law) and (3) the absence of previous violations of the same type.

On the basis of the above elements, the Garante quantifies the sanction in the amount of 5,000.00 Euros (Art. 83, par. 5, GDPR).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by dr. Antonello Soro, president, Dr. Giovanna Bianchi Clerici and Prof. Licia Califano, members, and Dr. Giuseppe Busia, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC, "General Data Protection Regulation" (hereinafter the Regulation);

GIVEN the legislative decree 30 June 2003, n. 196 containing the “Code regarding the protection of personal data (hereinafter the“ Code ”);

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

GIVEN the documentation in the deeds

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor's Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data (web doc. N. 1098801 );

SPEAKER Giovanna Bianchi Clerici;

WHEREAS

1. The instance

With a note dated May 29, 2018, Ms XX filed an appeal pursuant to art. 145 and ss. of the Code, in force at the time of the facts that are the subject of the request, asking to obtain access to health data concerning you from the National Institute of Social Security - Provincial Directorate of Brescia, hereinafter "Institute", having not received feedback to requests already made against the same pursuant to the legislation on the protection of personal data.

2. The preliminary activity

The Authority, with a note dated 31 July 2018, reiterated, on 17 October 2018, pursuant to art. 157 of the Code, invited the Institute, as data controller, to evaluate the possibility of adhering to the requests of the interested party and to proceed, in any case, to inform her about the decisions adopted or that it would be intended to be adopted, attaching any documentation and sending a copy of the reply to this Authority at the same time.

Considering the failure of the Institute to reply within the indicated deadline (despite having been represented to the same that, in the event of non-compliance with the invitation, the administrative sanction provided for by Article 83, paragraph 5, of the Regulations would become applicable) and thus becoming applicable, pursuant to art. 166, paragraph 2, of the Code, the aforementioned sanction has been notified to the Institute, communicating the initiation of the procedure and inviting it to send defensive writings or documents to the Guarantor and, possibly, to ask to be heard by the Authority . (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of the law n.689 of 24 November 1981) (deed of 25 January 2019, prot. n. 2736/19, notified on the same date by certified e-mail).

The Institute, in the context of the requested defensive writings, provided feedback to the Authority (with a note dated 22 February 2019), highlighting, moreover, the various phases in which Ms XX had come into contact with the same. In particular, the Provincial Director, XX, declared that:

- "the request (from Ms XX) was received on July 31, coinciding with the period of greatest use of absences for holidays for most of the staff";

- "the complexity and size of the productive fabric are also highlighted in terms of the management of communications which, from the various and different channels made available to companies, professionals, other administrations and citizens, reach us daily", highlighting the considerable number of telematic contacts ( approximately 225,000), being able to take advantage of 318 units available in 2018;

- the Institute "did not formally check the request received by Ms XX, believing that she had been made aware several times of all the treatments that concerned her and that, having all the accompanying documentation available of a possible and eventual appeal should the judgment not be deemed suitable, such correspondence was fully considered suitable to satisfy the request for access. In substance, it was not understood which were the documents that Ms complained of not having received ", considering that" the reports sent and all the remaining correspondence also contained information regarding the Data Controller, the methods of processing and what else pertaining to the right of access exercised ".

A communication from the Data Protection Officer was also attached to the aforementioned note of 22 February, who, in addition to what was already represented by the Provincial Director, in expressing regret for the lack of response from the Institute, declared that :

- "regarding the issue of medical documentation, INPS acted according to the rules imposed by the administrative procedure referred to in the service requested by Ms XX; in fact, in more detail, it is noted that the paper documentation presented by the lady during the visit (...), is made visible only to health personnel and, in the event of any need to keep all or part of the medical documentation presented, this is acquired in copy by the Commission and, consequently, inserted in the personal health file and archived in such a way that it cannot be consulted except by the authorized health personnel of the office and for the purposes related to the procedure in progress ";

- “in any case, it is believed that the acquisition of documentation relating to the administrative procedure (…) is to be requested as part of the exercise of the right of access to administrative documents, pursuant to law no. 241/90 and ss. m. and i., in the manner indicated therein, and not through the instrument of proposing the request for access to personal data pursuant to art. 7 of Legislative Decree no. 196/2003 ".

The same Institute, with a subsequent note dated March 29, 2019, also sent to the Guarantor, provided Ms. XX with the requested information, also making her aware of the possibility of "requesting, without any charge, the PIN that the INPS has activated and which will allow you to access, through the institutional site, all the information concerning you, including that concerning the status of any services requested ". The Institute has also sent further subsequent feedback notes to Ms XX, in order to satisfy her requests and to clarify the problems created (12 December 2019, 22 January 2020 and 12 February 2020).

Having acknowledged the statements of the Institute (which confirmed that it had not provided, prior to the invitation from the Office, the information relating to the action taken by Ms XX, regarding a request from her pursuant to Article 15 of the Regulation ), the Office, with deed dated May 22, 2019, prot. n. 17163, notified on the same date by certified e-mail, which here must be understood as fully reproduced, has initiated, pursuant to art. 166, paragraph 5, of the Code, this time, with reference to the failure to respond to the requests made by the interested party regarding the exercise of rights, a procedure for the adoption of corrective measures pursuant to art. 58, par. 2, of the Regulations towards the Institute,inviting him again to send defensive writings or documents to the Guarantor or to ask to be heard by the Authority. The Institute has not produced any documents in this regard.

3. The legislation on the protection of personal data

As a preliminary point, it is noted that starting from 25 May 2018 the Regulation became applicable which made it necessary to adapt the existing national regulatory framework on the matter; the Authority, by virtue of the direct applicability of the Regulation and pending the intervention of the national legislator, ordered, with a provision of 31 May 2018 (web doc. no. 8997237), the non-application, starting from the aforementioned date, of the rules relating to the procedure for appeal contained in the Code as they are considered incompatible with the provisions relating to complaints pursuant to art. 77 ff. of the Regulation itself. The Office, with a note dated 31 July 2018, represented to the interested party the effects of the change in the regulatory framework; therefore the document presented is decided according to the provisions applicable to the complaint procedure currently contained in art. 77 of the Regulation, as well as in art. 143 of the revised Code - as well as in internal regulation no. 1/2007 - for the part compatible with the new regulatory framework; the Office proceeded, with a subsequent internal note dated 17 October 2018,to order the restitution of the secretarial fees already paid by the interested party for the presentation of the appeal, taking into account the gratuitousness of the complaint expressly provided for by the Regulations (see art. 57, par. 3, Regulations).

With reference to the facts covered by the application, it is represented that the regulations on the protection of personal data provide for the right of the interested party to obtain from the data controller access to personal data and specific information on the processing of data referred to him ( see art.15 et seq. of the Regulation and Recital n.63 and artt.7 et seq. of the Code regarding the protection of personal data, before the changes made to the same by Legislative Decree 10 August 2018, n.101 ).

In this regard, in order to determine the applicable law, in terms of time, the principle of legality referred to in art. 1, paragraph 2, of Law 689/1981 which establishes as "Laws that provide for administrative sanctions are applied only in the cases and times considered in them". This determines the obligation to take into consideration the provisions in force at the time of the committed violation, which in the case in question must be identified at the act in which the unlawful omissive conduct took place, which occurred before the date of 25 May 2018 in which the Regulation has become applicable. In fact, from the preliminary investigations it emerged that the request for access by Mrs.XX was carried out on April 16, 2018 and requested on May 8 and 9, 2018 and that the owner should have provided a reply within fifteen days of its receipt (Article 146, paragraph 2, of the Code, in the version prior to the reformulation of the same made by means of Legislative Decree no. 101/2018). Therefore, the Code applies to the processing of personal data in question, in the version described prior to Legislative Decree no. 101/2018, which only provided for the violation of the provisions of art. 7 and ss. was punished by any administrative sanction.the Code applies to the processing of personal data in question, in the version described prior to Legislative Decree no. 101/2018, which only provided for the violation of the provisions of art. 7 and ss. was punished by any administrative sanction.the Code applies to the processing of personal data in question, in the version described prior to Legislative Decree no. 101/2018, which only provided for the violation of the provisions of art. 7 and ss. was punished by any administrative sanction.

From another point of view, however, the omissive conduct of the Institute with respect to the obligation to ensure response to the requests of the Authority to provide information and exhibit documents, pursuant to art. 157 of the Code and within the scope of the powers referred to in art. 58 of the Regulation was put in place in November 2018, a time when the Regulation was fully applicable and the Code had already been amended by Legislative Decree no. 101/2018.

4. Outcome of the investigation

Given that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents, is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor"), following the examination of the documentation acquired as well as the statements made to the Authority during the procedure which, in fact, in highlighting the culpable nature of the violation, they acknowledge the contested shortcomings, it emerges that the Institute with its conduct has violated Articles 7 and ss. of the Code (in the version prior to the changes made by Legislative Decree no. 101/2018), having provided feedback to the complainant's request for access only following the invitation,by the Office of the Guarantor, to adhere to his requests, as well as art. 157 of the Code (in the version subsequent to decree 101), not having complied with the invitation of the Guarantor to provide information, within the terms indicated by the same.

5. Conclusions

In light of the aforementioned assessments, it is believed that, limited to the profile concerning the conduct relating to the failure to respond to the request for access to data formulated pursuant to art. 7 and ss. of the Code, the administrative sanctioning procedure must be filed, taking into account, for the reasons set out above, the applicability of the Code, in the version prior to the changes made by Legislative Decree no. 101/2018, which did not provide that the violation of the provisions of art. 7 and ss. was punished by an administrative sanction.

Otherwise, it is represented that the elements provided by the data controller in the defensive briefs in relation to the conduct relating to the non-compliance with the invitation of the Guarantor to provide the requested information, pursuant to art. 157 of the Code, although worthy of consideration, do not allow to overcome the findings notified by the Office with the act of initiation of the procedure and are insufficient to allow the filing of this procedure, however, none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.

Therefore, in relation to this last violation, the preliminary assessments of the Office are confirmed and the violation of art. 157 of the Code, for not having the Institute responded to the invitation of the Guarantor to provide the requested information, by the date indicated by the same Authority, within the scope of the powers referred to in art. 58 of the Regulation.

In relation to the aforementioned conduct concerning the non-compliance with the invitation of the Guarantor to provide the requested information, pursuant to art. 157 of the Code, it should be noted that the violation of art. 157 of the Code, caused by the conduct put in place by the Institute, is subject to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, lett. a) of the Regulations.

The Guarantor, pursuant to art. 58, par. 2, lett. i), 83 of the Regulation, as well as art. 166 of the Code, has the power to "inflict an administrative pecuniary sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case "and, in this context," the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the accessory administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned administrative pecuniary sanction according to the circumstances of each individual case, must be determined in the amount taking into account the elements provided for by art. 83, par. 2, of the Regulation, with respect to which, on the one hand, the culpable nature of the violation, the represented shortage of staff of the Office and the fact that there are no previous violations of the same type previously committed and, on the other, the the fact that the failure to comply with the invitation of the Guarantor to provide the requested information has resulted in an aggravation of the procedure with a consequent lengthening of its time.

Due to the aforementioned elements, assessed as a whole, also pursuant to art. 83, par. 2 of the Regulation, it is believed to determine the amount of the pecuniary sanction envisaged by art. 83, par. 5) of the Regulations, to the extent of € 5,000.00 (five thousand) for the violation of art. 157 of the Code, as a pecuniary administrative sanction, pursuant to art. 83, par. 1, of the same Regulation, effective, proportionate and dissuasive.

In relation to the specific circumstances of this case, it is believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.

It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR

a) orders the filing of the administrative sanctioning procedure referred to in the notification of the violation made pursuant to art. 166, paragraph 5, of the Code, limited to the alleged violation of the failure to respond to the request regarding the exercise of rights, for the reasons mentioned in the motivation;

b) pursuant to art. 57, par. 1, lett. f) of the Regulations, declares illegal the conduct of the National Institute of Social Security - Provincial Directorate of Brescia, for having violated art. 157 of the Code, failing to respond to the request for information formulated by the Guarantor, within the terms indicated by the latter;

ORDER

to the National Institute of Social Security-Provincial Directorate of Brescia, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations, as well as 166 of the Code, to pay the sum of 5,000.00 (five thousand) euros as a fine for the violation of art. 157 of the Code;

INJUNCES

to the same Institute to pay the sum of 5,000.00 (five thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of adoption of the consequent executive acts pursuant to art. 27 of Law 689/1981.

Pursuant to art. 166, paragraph 8, of the Code, informs the aforementioned Institute that «within the term referred to in article 10, paragraph 3, of legislative decree no. 150 of 2011 provided for the filing of the appeal, the transgressor and the jointly and severally liable can settle the dispute by adapting to the requirements of the Guarantor, if given, and by paying an amount equal to half of the penalty imposed ".

HAS

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.