Garante per la protezione dei dati personali (Italy) - 9445796

From GDPRhub
Garante per la protezione dei dati personali - 9445796
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: None
Parties: Municipality Campi Bisenzio / Responsible for transparency of the Italian municipality Campi Bisenzio
Executive personnel and directors of Italian municipalities
National Case Number/Name: 9445796
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Autorità Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

On request of the responsible for transparency in the Italian municipality Campi Bisenzio regarding access to details on the performance evaluation of executive personnel and directors in the same municipality, the Italian Data Protection Authority (Autorità garante per la protezione dei dati personali) stated, in its opinion from 29th of July 2020, in a manner consistent with precedent decisions and opinions, that even after a formal request, the municipality is not obliged to publish any information regarding the detailed assignment of points in the analysis of the organizational behavior in accordance with the principles set out in Article 5(1)(b) and (e).

English Summary

Facts

Generally speaking, Italian law states that anyone can request access to public information. This right of access is only limited by the protection of other legally important interests. A first application for civic access to detailed information about the assignment of points for organizational behavior in the performance evaluation brought forward by a resident was dismissed by the public administration. Before denial, the responsible for transparency of the municipality contacted the Italian DPA and requested its opinion on the publication of detailed information regarding the organizational behavior of executive personnel and directors in the local municipality. This information, which is based on detailed personal data, was gathered to evaluate their performance and attribute a corresponding performance bonus, the amount of which was published according to national law.

Dispute

Does the public have the right to access the detailed evaluation of organizational behavior of executive personnel and directors of public institutions on the basis of which performance bonuses are paid?

Holding

The publication of information regarding the assignment of points in an evaluation of the organizational behavior of directors and executive personnel of an Italian municipality may cause an “unjustified and disproportional interference with their rights and liberty”. It could, furthermore, lead to damage on a “professional, personal, social and relational” level. In addition, it was considered that the data subjects relied on a certain confidentiality regarding the processing of their personal data, being completely ignorant about the fact that these analyses could be published after an application for civic access. Such detailed personal information exceeds the duty of transparency as provided for in national law. By recalling the fundamental principles of the GDPR mentioned in Article 5, namely the limitation of purpose and the minimization of data, as well as the national legislation (d.lgs. 33/2013), which obliges the community to publish the compound emoluments received by the directors and executive personnel as well as general data regarding the evaluation of performance and the corresponding distribution of bonuses, the national Authority states that further details must not be published.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Opinion on request for civic access - 29 July 2020

Register of measures
No 147 of 29 July 2020

THE DATA PROTECTION SUPERVISOR

At today's meeting, which was attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, members and Mr. Giuseppe Busia, Secretary General;

HAVING REGARD TO Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, 'General Data Protection Regulation' (hereinafter 'GPSD');

Having regard to Article 154(1)(g) of the Personal Data Protection Code - Legislative Decree No 196 of 30 June 2003 (hereinafter 'the Code');

Having regard to Article 5, paragraph 7, of Legislative Decree no. 33 of 14 March 2013 on "Reorganization of the rules concerning the right of civic access and the obligations of publicity, transparency and dissemination of information by public administrations";

Having regard to Determination no. 1309 of 28/12/2016 of the National Anti-Corruption Authority (ANAC), adopted in agreement with the Guarantor, entitled "Guidelines containing operational indications for the purposes of defining exclusions and limits to civic access pursuant to Article 5, paragraph 2, of Legislative Decree no. 33/2013", in the Official Gazette General Series no. 7 of 10/1/2017 and in http://www.anticorruzione.it/portal/public/classic/AttivitaAutorita/AttiDellAutorita/_Atto?ca=6666 (hereinafter "ANAC Guidelines on civic access");

Having regard to the provision of the Guarantor no. 521 of 15/12/2016, containing the aforementioned "Understanding on the outline of the ANAC Guidelines providing operational indications for the definition of exclusions and limits to civic access", in www.gpdp.it, web document no. 5860807;

Having regard to the documentation in deeds;

Having regard to the remarks made by the Secretary General pursuant to Article 15 of the Garante Regulation No. 1/2000;

Rapporteur: Prof. Ginevra Cerrina Feroni;

PREMISE

With the note in deeds, the Head of Transparency of the Municipality of Campi Bisenzio has asked the Guarantor for the opinion provided for by Article 5, paragraph 7, of Legislative Decree no. 33/2013, as part of the proceedings relating to a request for review by a citizen on a measure of denial of its own request for civic access submitted to that municipality.

The investigation shows that a request for civic access was submitted - pursuant to art. 5, paragraph 2, of Legislative Decree no. 33/2013 - concerning the issue of a copy "of the assessment forms filled out by the Mayor in 2019, relating to the organizational conduct of the Executives/Managers for the year 2018", as well as "final and total scores in percentage, attributed to the Executives/Managers, relating to the result allowance for the year 2018".

The administration has made the communication to the other interested parties (art. 5, paragraph 5, Legislative Decree no. 33/2013), who objected, highlighting the strictly personal content of the required documentation and the inappropriateness of the relative communication to third parties given the potential dissemination. A counterinterested party also pointed out that the cognitive requirements instrumental to the pursuit of the purposes of civic access, with reference to managers, would already be met by the obligations to publish online the total emoluments received by public finance and the data relating to performance evaluation and distribution of bonuses to personnel (Article 14, paragraph 1-ter; and 20, of Legislative Decree no. 33/2013).

The Municipality granted partial access, allowing the display of the "part concerning final and total scores" (providing the link to the institutional website on which these data were published), but instead denied access to the "copy of the evaluation form filled in by the Mayor in 2019, on the organisational behaviour of the Managers for the year 2018", as "all the counter-interested parties have communicated their opposition to the [...] request, given the purely personal content of the evaluation forms in question, of which it was not considered appropriate for it to be made known to third parties and, potentially, even disseminated".

The applicant for civic access subsequently submitted a request for review to the person in charge of transparency of the partial acceptance measure (art. 5, paragraph 7, of Legislative Decree no. 33/2013), considering it not legitimate and insisting in his requests.

OBSERVES

1. Introduction

The issue submitted to the attention of the Guarantor concerns the display, through the institution of civic access, of the scores attributed to the Managers and/or Directors of the Municipality, relating to the result indemnity for the year 2018, as well as a copy of the individual evaluation forms referred to them "relating to organisational behaviour". The records show that the scores were provided, but civic access to the evaluation forms was denied.

In this regard, it should be noted that, in accordance with industry regulations, "anyone has the right to access data and documents held by public administrations, in addition to those that are subject to publication under this decree, in compliance with the limits relating to the protection of legally relevant interests in accordance with Article 5-bis" (Article 5, paragraph 2, Legislative Decree no. 33/2013).

In relation to the profiles of competence of this Authority, it should be noted that the cited 5-bis provides that civic access must be refused, among other things, "if the refusal is necessary to avoid a concrete prejudice to the protection [of] personal data protection, in accordance with the legislative discipline on the subject" (paragraph 2, letter a). Personal data means 'any information relating to an identified or identifiable natural person ('data subject')' and 'identifiable' means 'the natural person who can be identified, directly or indirectly, by reference in particular to an identifier such as name, an identification number, location data, an online identifier or to one or more factors characteristic of his physical, physiological, genetic, mental, economic, cultural or social identity' (Article 4(1) PPRD).

That being said, it must be borne in mind that among the assessments to be made with regard to the possible display of personal data (or documents containing them) through the institution of civic access must be taken into account that - unlike the documents to which access has been given under Law No. 241 of 7/8/1990 - the data and documents received as a result of a request for civic access become "public and anyone has the right to know them, to use them free of charge, and to use and re-use them in accordance with Article 7", although their further processing must in any case be carried out in compliance with the limits deriving from the legislation on the protection of personal data (Article 3, paragraph 1, of Legislative Decree no. 33/2013). Consequently, it is also in the light of this amplified publicity regime that the existence of a possible concrete prejudice to the protection of the personal data of the subjects against whom the data is processed must be assessed, on the basis of which to decide whether or not to refuse access to the data, information or documents requested.

Moreover, it is necessary to respect, in any case, the principles of the RGPD of "purpose limitation" and "data minimisation", according to which personal data must be "collected for specified, explicit and legitimate purposes and subsequently processed in a way that is not incompatible with those purposes", as well as "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (art. 5, par. 1, letter b and c).

With particular reference to the case in question, it should be recalled that the State legislation on transparency already provides for specific obligations to publish on the institutional websites of public administrations data and information relating to the "organization" and "activity of public administrations", sanctioning, among other things, the disclosure of the total emoluments received from public finance by managers and the data relating to the performance evaluation and distribution of bonuses (see Articles 14, paragraph 1-ter and 20 of Legislative Decree no. 33/2013).

In this context, it is considered that, without prejudice to the aforementioned publication obligations, the Municipality of Campi Bisenzio - in accordance with the regulations in force and the indications contained in the ANAC Guidelines on civic access, in accordance with the previous guidelines of this Authority - has correctly rejected civic access to the "copy of the assessment forms completed by the Mayor in 2019, relating to the organizational conduct of the Managers / Directors for the year 2018". (See opinions contained in the following measures: No 421 of 11/7/2018, www.gpdp.it, web doc. No 9037343; No 142 of 8/3/2018, ivi, web doc. No 8684742; No 574 of 29/12/2017, ivi, web doc. 7658152. See also further opinions on the subject of civic access to economic and career progression assessments and assessments of workers: n. 466 of 11/10/2018, ivi, web doc. n. 9063969; n. 421 of 11/7/2018, ivi, web doc. n. 9037343; n. 142 of 8/3/2018, ivi, web doc. n. 8684742; n. 574 of 29/12/2017, ivi, web doc. n. 7658152).

This is because the relative ostentation, also considering the particular regime of publicity of the data and information received through the institution of civic access (see art. 3, paragraph 1, Legislative Decree no. 33/2013), could determine an unjustified and disproportionate interference in the rights and freedoms of the executives involved, causing the latter precisely that concrete prejudice to the protection of personal data protection provided by art. 5-bis, paragraph 2, letter a), of Legislative Decree no. 33/2013.

In fact, taking into account the type and nature of personal data and information, including detailed information, contained in the evaluation forms referred to the individual managers of the Municipality, a possible acceptance of civic access could have negative repercussions on the professional, personal, social and relational level, both inside and outside the working environment of the latter, exposing them to possible relational difficulties with colleagues and creating potential prejudices from external users with whom they could come into contact in the exercise of their functions. It is also necessary to take into account the reasonable expectations of confidentiality of the other parties involved in relation to the processing of their personal data at the time the data were collected by the Municipality, as well as the unpredictability, at the time the data were collected, of the consequences deriving from the possible knowledge by anyone of the data requested through civic access (see par. 8.1 of the ANAC Guidelines on civic access, cit.).

In any case, the possibility remains that the personal data for which civic access has been denied may be made ostensible, where the applicant, possibly reformulating the request in accordance with the different rules on access to administrative documents (Articles 22 et seq. of Law No. 675/1998, paragraph 8.1 of the Guidelines on Civic Access, cited above). 241 of 7/8/1990), reasons in the request for the existence of a "qualified" interest and the administration deems to exist, in the light of what reported by the applicant, "a direct, concrete and current interest, corresponding to a situation legally protected and connected to the document to which access is requested" which may otherwise allow the ostentation of the requested documentation.

ALL THIS BEING SAID, THE GUARANTOR

expresses an opinion in the above terms on the request of the Transparency Manager of the Municipality of Campi Bisenzio, pursuant to art. 5, paragraph 7, of Legislative Decree no. 33/2013.

Rome, 29 July 2020

THE PRESIDENT
This appropriation

THE REPORTER
Cerrina Feroni

THE SECRETARY GENERAL
Busia