Garante per la protezione dei dati personali (Italy) - 9446659
Garante per la protezione dei dati personali - 9446659 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 6(1)(c) GDPR Article 6(1)(e) GDPR Article 6(2) GDPR Article 6(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 09.07.2020 |
Published: | |
Fine: | 2000 EUR |
Parties: | n/a |
National Case Number/Name: | 9446659 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Italian |
Original Source: | Garante's website (in IT) |
Initial Contributor: | Antonella Luisi |
The Italian DPA (Garante) fined a city council 2.000 euros for publishing citizens' personal data on its website without a valid legal basis and failing to comply with the principle of data minimization.
English Summary
Facts
A data subject filed a complaint with the Garante regarding the publication on the city council's website of personal data concerning him and his wife.
Dispute
The Garante considered whether the publication of the compliants' personal data was justified and grounded on a valid legal basis while complying with the transparency obligations public administration are subject to.
Holding
The Garante considered that the data processing at sake should have been grounded on compliance with a legal obligation to which the controller is subject, under Article 6 (1) (c) GDPR. In this case, the compliants' personal data remained published for several years thus exceeding the 15 days period required under Italian law for transparency purposes. The controller failing to demonstrate on which legal basis it grounded the data processing for the exceeding period of time, the Authority judged the processing unlawful on the basis of Article 6 (1) (c) (e), (2), (3) (b). Also, the Garante found that the personal data published was not adequate, relevant and limited to the fixed purpose thus breaching the principles of data minimization under article 5 (1) (c) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. n. 9446659] Ordinance injunction against the Municipality of Baronissi - July 9, 2020 Register of measures n. 139 of July 9, 2020 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA In today's meeting, which was attended by Dr. Antonello Soro, President, Prof. Licia Califano and Dr. Giovanna Bianchi Clerici, members and Dr. Giuseppe Busia, Secretary General; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter referred to as "GPSD"); HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, "Personal Data Protection Code" (hereinafter referred to as the "Code"); HAVING REGARD to General Provision no. 243 of 15/5/2014 containing the "Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for purposes of publicity and transparency on the web by public entities and other obligatory bodies", published in G.U. no. 134 of 12/6/2014 and in www.gpdp.it, web document no. 3134436 (hereinafter "Guidelines on transparency"); HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in OJ no. 106 of 8/5/2019 and www.gpdp.it, web doc. no. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019"); VIEW the documentation in deeds; HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, web doc. n. 1098801; Rapporteur Dr. Antonello Soro; PRESS 1. Introduction This Authority has received a complaint regarding the publication on the institutional website of the Municipality of Baronissi of personal data and information of Mr. XX and his spouse XX. In particular, from the preliminary assessment carried out by the Office on XX, it was found that the following documents were visible and freely downloadable on the institutional website of the aforementioned Municipality, in the section Services / Historical Register: Measure prot. n. XX of XX of XX of the urban planning-construction sector having as object "XX", with attached the note of the municipal technician prot. n. XX of XX having as object "XX (url http://...). The above mentioned documents contained personal data and information of the interested parties, such as personal and residence data, identification and cadastral data of the property, information relating to the realization of illegal works and the results from the inspection report, the photographic surveys of the veranda of your apartment, etc.. 2. Applicable regulations. According to the relevant regulations, "personal data" is "any information concerning an identified or identifiable natural person ("interested party") and "is considered identifiable the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as name, an identification number, location data, an online identifier or one or more characteristic elements of his physical, physiological, genetic, psychic, economic, cultural or social identity" (art. 4, par. 1, no. 1, of the RGPD). Personal data must be processed in compliance with the principles indicated in art. 5 of the RGPD, including those of "lawfulness, correctness and transparency" as well as "data minimization", according to which personal data must be - respectively - "processed in a lawful, correct and transparent way towards the person concerned", as well as "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (par. 1, lett. a and c). Within this framework, the processing of personal data carried out by public entities (such as the Municipality) is lawful only if necessary "to fulfil a legal obligation to which the data controller is subject" or "for the performance of a task in the public interest or related to the exercise of public authority vested in the data controller" (art. 6, par. 1, lett. c and e, of the RGPD). It is also provided that "Member States may maintain [...] more specific provisions to adapt the application of the provisions of this Regulation with regard to processing, in accordance with paragraph 1(c) and (e), determining more precisely specific requirements for processing and other measures to ensure lawful and correct processing [...]", with the result that the provisions contained in Article 6(1)(c) and (e) are applicable to the present case. 19, paragraph 3, of the Code (now repealed but in force at the time of the facts, whose content is reproduced in art. 2-ter, paragraphs 1 and 3, of the Code), where it is provided that the operation of dissemination of personal data (such as publication on the Internet), by public entities, is allowed only when required by law or regulation. The state legislation provides, in this regard, that "All the resolutions of the municipality and the province are published by publication in the register, at the headquarters of the body, for fifteen consecutive days, unless specific provisions of law" (art. 124, paragraph 1, of Legislative Decree 18/8/2000 n. 267). The Guarantor has provided specific indications to public administrations regarding the precautions to be taken for the dissemination of personal data on the Internet for the purposes of transparency and publicity of administrative action with its Guidelines on transparency, also with reference to publications in the online register of local authorities. In the aforesaid Guidelines, it is expressly provided that, once the time period provided for by the individual disciplines for the publication of the acts and documents in the register of local authorities has elapsed, "local authorities may not continue to disseminate the personal data contained therein. Otherwise, it would result, for the period exceeding the duration provided for by the reference legislation, a dissemination of personal data illegal because not supported by appropriate regulatory requirements [...]. In this regard, for example, the permanence on the web of personal data contained in the deliberations of local authorities beyond the term of fifteen days, provided for by art. 124 of the aforementioned Legislative Decree no. 267/2000, may constitute a violation of the aforementioned art. 19, paragraph 3, of the Code [n.d.r. now reproduced in art. 2-ter, paragraphs 1 and 3, of the Code], where there is no different legislative or regulatory parameter that provides for its dissemination [...]. In this case] if the local authorities want to continue to maintain the acts and documents published on their institutional website, for example in the sections dedicated to the archives of the acts and/or the regulations of the authority, they must make the appropriate arrangements for the protection of personal data. In such cases, therefore, it is necessary to obscure in the published records the data and information suitable to identify, even indirectly, the subjects concerned" (part two, par. 3.a). 3. Preliminary assessments of the Office on the processing of personal data carried out. From the verifications carried out on the basis of the elements acquired and the facts that emerged as a result of the investigation activity, as well as the subsequent evaluations, the Office with note prot. n. XX of XX has ascertained that the Municipality of Baronissi by disseminating - at least until the preliminary verification carried out by the Office on XX - the personal data of the complainants, contained in the documents identified above published on the institutional website, has carried out a processing of personal data that does not comply with the relevant discipline on the protection of personal data contained in the RGPD. Therefore, with the same note were notified to the Municipality the violations carried out (pursuant to art. 166, paragraph 5, of the Code), communicating the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 5, of the Code. 2, of the RGPD and inviting the above mentioned Municipality to send to the Guarantor defensive writings or documents and, if necessary, to ask to be heard by this Authority, within 30 days (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, by Law n. 689 of 24/11/1981). 4. Defensive pleadings and hearing. With the note prot. n. XX of XX the Municipality of Baronissi sent to the Guarantor its defensive writings in relation to the violations notified. In this regard, it is recalled that, unless the fact does not constitute a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents is liable under Article 168 of the Code, entitled "False statements to the Guarantor and interruption of the performance of duties or exercise of powers of the Guarantor". Specifically, it has been highlighted, among other things, that: - "Preliminarily it is reiterated that the publication of the Ordinance de qua (see Provv. Prot. n. XX of XX) concerning personal data and information - freely visible and downloadable on the institutional website of the Municipality of Baronissi (Servizionline/Albo Pretorio) - has occurred beyond the time prescribed by law for a mere technical error and a misunderstanding related to the internal organization of this Municipality". - "A scrupulous and diligent obligation towards the regulations on transparency then guided the organization of the Municipality and the personnel in charge, considering the publication of the common data relating to the ordinance in question to be due and necessary". - "In the background, a conduct based on good faith and respectful of the context in which this error is manifested [...]". - "the Municipality of Baronissi has provided to adopt specific guidelines on general principles and issued directives on the processing of personal data, if the purposes of publicity and transparency of administrative action emerge, representing also the multiple hypotheses in which the activity of the public administration, rectius of the Municipality of Baronissi, can balance the requirements of transparency under the prescribed rules, those of publicity in conjunction with the rules to be observed on the processing of personal data, especially in terms of relevance and necessity of treatment (principle of minimization)". - "In order to ensure that the contents of the aforementioned ordinance fulfil the obligation prescribed by law without violating the precepts imposed by Regulation (EU) 2016/679, Legislative Decree 196/2003 and Legislative Decree 101 of 2018, the Municipality of Baronissi has undertaken to remove the aforementioned ordinance from its institutional site. In this regard, the Local Authority has organized itself, after the time prescribed by law to comply with the obligations of transparency and publicity, to make available on the Archives section of the Municipality the administrative acts and documents but accessible only at the request of the interested party". - The body "has issued very precise instructions aimed at modifying the information contained in the administrative acts issued and issued, avoiding the insertion of personal data that are not relevant and in excess of those required, in order to comply with the constraints of the law". 5. Outcome of the investigation relating to the complaint submitted The subject matter of the case submitted to the attention of the Guarantor concerns the dissemination of data and personal information of the complainants (such as personal and residence data, identification data and cadastral data of the property, information relating to the realization of illegal works and results from the inspection report, photographic surveys of the veranda of the apartment subject to the surveys) contained in the measure prot. n. XX of the Municipality and its annex containing the note of the municipal technician prot. n. XX. The Municipality in the defensive memoirs confirmed the online dissemination of personal data of the complainants, justifying it in the light of "a mere technical error" and "a misunderstanding regarding the internal organization [of the] Municipality", as well as an incorrect assessment regarding the application of the provisions on transparency and protection of personal data. Some observations in this regard, although worthy of consideration, do not allow in any case to overcome the findings notified by the Office with the act of initiation of proceedings and are insufficient to allow the filing of these proceedings, since none of the cases provided for in Article 11 of the Regulation of the Guarantor No. 1/2019. This is also considering that since 2014, the Authority, in the Guidelines on transparency, has provided all public entities with specific indications on how to balance the obligations of transparency and publicity of administrative action with the right to protection of personal data of those concerned. In this framework, the preliminary assessments of the Office are confirmed and it is noted that the processing of personal data carried out by the Municipality of Baronissi is unlawful, as the full publication on the institutional website of the document prot. n. XX of XX of the urban-building sector of the Municipality of Baronissi concerning "XX", with all data and information in clear text of the interested parties, has produced a dissemination of personal data of the complainants: a. were not necessary with respect to the purpose of the treatment, with particular reference to the disclosure of the date and place of birth, residence, identification data and cadastral data of the property, information relating to the realization of illegal works, in violation of the principle of minimization and, therefore, the basic principles of treatment contained in Articles 5, paragraph 1, letter c) of the RGPD; b. has lasted for more than fifteen days provided for in Article 124, paragraph 1, of Legislative Decree no. 267/2000 for the publication in the register, in the absence then - for the period exceeding - of appropriate legal requirements for the dissemination of personal data and, therefore, in violation of art. 19 paragraph 3 of the Code (in force at the time of the facts and whose content is now reproduced in Article 2-ter, paragraphs 1 and 3, of the Code), as well as the basic principles of treatment contained in Articles 5, paragraph 1, letter a and c; 6, paragraph 1, letter c and e, paragraph 2 and paragraph 3, letter b, of the RGPD. Considering, however, that the conduct has exhausted its effects, since the personal data of the complainants described above are no longer accessible at the url address indicated above, without prejudice to what will be said about the application of the administrative fine, the conditions for the adoption of further corrective measures under Article 58, paragraph 2, of the RGPD are not met. 6. Adoption of the injunction order for the application of the pecuniary administrative sanction (Art. 58, par. 2, letter i; 83 RGPD) The Municipality of Baronissi appears to have violated articles 5, par. 1, letter a) and c); 6, par. 1, letter c) and e), par. 2 and par. 3, letter b), of the RGPD; as well as art. 19, par. 3, of the Code, in force at the time of the illegal conduct. In this regard, Art. 83, par. 3, of the RGPD, provides that "If, in relation to the same processing or related processing, a data controller or a data processor violates, intentionally or negligently, various provisions of this Regulation, the total amount of the pecuniary administrative sanction shall not exceed the amount specified for the most serious violation". In the present case, the violation of the above mentioned provisions is subject to the application of the same pecuniary administrative sanction provided for by Article 83, paragraph 5, of the RGPD, which therefore applies to the present case. It should also be taken into account that, although the document subject of the complaint, published online, dates back to May 2017, for the determination of the applicable rule, from a temporal point of view, it must be recalled in particular the principle of legality set forth in Article 1, paragraph 2, of Law no. 689/1981 which states that "Laws providing for administrative sanctions apply only in the cases and times considered". This determines the obligation to take into account the provisions in force at the time of the violation committed, which in the case in question - given the permanent nature of the alleged offence - must be identified at the time of cessation of the illegal conduct, which occurred after the date of 25/5/2018 when the RGPD became applicable. From the acts of the investigation it has emerged that the illegal online dissemination has continued at least until the preliminary verification carried out by the Office on the date of the XX. The Guarantor, pursuant to Articles 58, paragraph 2, letter i) and 83 of the RGPD and Article 166 of the Code, has the corrective power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case". In this framework, "the Board [of the Guarantor] adopts the injunction, with which it also orders the application of the accessory administrative sanction of its publication, in whole or in excerpts, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of the Regulation of the Guarantor No 1/2019). The above mentioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount, taking due account of the elements provided for in Article 83, paragraph 2, of the RGPD. In relation to the aforementioned elements, the conduct found to have been carried out in violation of the regulations on the protection of personal data has involved the disclosure of personal data not belonging to special categories or to criminal convictions or crimes (Articles 9 and 10 of the RGPD) of two persons involved. The dissemination has lasted for several years, but the administration has taken steps to obscure the personal data subject of the complaint, working with the Authority during the investigation of this procedure in order to remedy the violation - whose character, according to what the Municipality, appears to be of a culpable nature - mitigating the possible negative effects. In the response to the Guarantor were also described several technical and organizational measures put in place pursuant to Articles 25-32 of the RGPD. There are no previous violations of the relevant RGPD committed by the Municipality of Baronissi. Because of the above elements, assessed as a whole, it is considered necessary to determine the amount of the financial penalty, provided by art. 83, par. 2 and 3, of the RGPD, in the amount of € 2,000.00 (two thousand) for the violation of articles. 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the RGPD; as well as art. 19, par. 3, of the Code, as a pecuniary administrative sanction considered effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same RGPD. In relation to the specific circumstances of this case, relating to the violation of the principle of data minimization and the dissemination on the web of personal data in the absence of a suitable regulatory basis, it is also considered that the accessory sanction of the publication of this measure on the website of the Guarantor, provided by Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor No 1/2019. It is also considered that the conditions set out in art. 17 of Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. ALL THIS BEING SAID, THE GUARANTOR found the unlawfulness of the processing carried out by the City of Baronissi in the terms indicated in the statement of reasons pursuant to Articles 58, paragraph 2, letter i) and 83 of the RGPD ORDER to the Municipality of Baronissi, in the person of the legal representative pro-tempore, with registered office in Piazza della Repubblica, 1 - 84081 Baronissi (SA) - C.F. 80032710651 to pay the sum of € 2,000.00 (two thousand) as a fine for violations referred to in the grounds; INGIUNGE to the same Municipality to pay the sum of euro 2.000,00 (two thousand), according to the modalities indicated in the attachment, within 30 days from the notification of the present measure, under penalty of adopting the consequent executive acts according to art. 27 of the law n. 689/1981. Please note that this is without prejudice to the right for the offender to settle the dispute by paying - again in the manner indicated in the Annex - an amount equal to half of the penalty imposed, within the period referred to in Article 10, paragraph 3, of Legislative Decree no. 150 of 1/9/2011 provided for the lodging of the appeal as indicated below (Article 166, paragraph 8, of the Code). AVAILABLE the publication of this measure on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor No. 1/2019, and it is also considered that the requirements of art. 17 of Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. Pursuant to Article 78 of the RGPD, Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, this measure may be appealed against before the ordinary judicial authorities, under penalty of inadmissibility, within thirty days from the date of notification of the measure itself or within sixty days if the applicant resides abroad. Rome, 9 July 2020 THE PRESIDENT Soro THE REPORTER Soro THE SECRETARY GENERAL Busia