Garante per la protezione dei dati personali (Italy) - 9451734

From GDPRhub

The Italian DPA decided on July 9th 2020 to impose on the school "Crucoli Torretta" a fine of € 2,000. The school uploaded on their website a list of students (minors) containing lots of personal information, also special categories of data, and failed to comply with Art. 5, 6 and 9 GDPR and Art. 2-ter and 2-septies of the Italian Privacy Code.

Garante per la protezione dei dati personali - 9451734
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(a) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(2) GDPR
Article 6(3) GDPR
Article 9(1) GDPR
Article 9(2) GDPR
Article 9(4) GDPR
Art. 2-ter of the Italian Privacy Code
Art. 2-septies of the Italian Privacy Code
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.07.2020
Published:
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: 9451734
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Website of the Italian DPA (in IT)
Initial Contributor: Davide C.

English Summary

Facts

The school "Crucoli Torretta" wrongly uploaded on their website a list containing personal data of the students applying for the school project named POR Calabria funded by the Region of Calabria. More specifically, this list contained, among others, information related to their financial status, disabilities and their insufficient educational situation. However, the school has replaced the list with a new one containing the score gained by each student only.

Dispute

Holding

The Italian DPA hold that the school made an unlawful dissemination of personal data, infringing the principles of data minimization, lawfulness fairness and transparency. Moreover, they founded that the school, as a public body, did not rely on an adequate legal ground under art.6(1), let. c) and e) GDPR. Lastly, they carried out a dissemination of sensitive data - i.e. disabilities of the students - of vulnerable subjects (i.e. minors), that is strictly forbidden by the GDPR (art. 9) and the Italian Privacy Code (art. 2-septies(8)).

However, since such unlawful data processing operations were made by mistake and the school has replaced the list and therefore removed the unnecessary information above, the Italian DPA issued a minor fine of EUR 2,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

IL GARANTE PER LA PROTEZIONE DEI DATI PERSONALI

In today's meeting, which was attended by Dr. Antonello Soro, President, Prof. Licia Califano and Dr. Giovanna Bianchi Clerici, members and Dr. Giuseppe Busia, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter RGPD);

HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, "Personal Data Protection Code" (hereinafter referred to as the "Code");

HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in OJ no. 106 of 8/5/2019 and www.gpdp.it, web doc. no. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

Given the documentation in deeds;

Given the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, web doc. n. 1098801;

Speaker Prof. Licia Califano;

PRESS

1. Introduction.

The Authority has received some reports with which it was represented that the Istituto Comprensivo Statale "Crucoli Torretta" of Crucoli, would make public, through dissemination on the institutional website, a ranking of students who have applied to participate in the XX, publishing a series of information relating to the same including "data on dispersion, insufficiencies, isee, disability etc.".

2.  The preliminary activity.

From the preliminary investigation carried out from the Office in date XX it has emerged that the aforesaid classifications, turned out visible and freely downloadable to the url: https://... and, in particular to the address: https://...

In this regard, the School Institute has responded to the request for information of this Authority (note prot. n. XX of XX) with the note prot. n. XX of XX.

Specifically, in response to the request for information of this Department, the school director of the Institute, represented, in particular, that

- The Administrative Assistant "Mr. (...), as part of the performance of the service referred to the assignment (...), has erroneously published on the school's website and in the register, the provisional and final rankings referring to the recruitment of students participating in the above mentioned POR Calabria Project, elaborated in the procedural phase and to be kept exclusively to the office acts because they contain sensitive data related to the students participating and related to the economic situation, the insufficient didactic-educational situation and disability (...) and instead of publishing, correctly, the rankings containing only the final score assigned to each student (...)";

- "the rankings (...) have been replaced on the Institute's website (...) with rankings containing only the total score assigned to the students (...).

The Office, on the basis of the verifications carried out and of the elements acquired, also through the documentation sent by the School Institute, and of the facts that emerged as a result of the preliminary activity, as well as of the subsequent evaluations, has ascertained that the school, by publishing on the institutional website, at the url: https://... and, in particular, at the address: https://... , the rankings relating to students participating in the selection, with clear personal information not necessary with respect to the purposes pursued with the publication, including the indication of the score obtained by the students according to certain indexes such as: early school leaving, inadequacies, Isee as well as data relating to the health of a person concerned, has led to an undue disclosure of personal data.

Therefore, we proceeded to the notification of violations, provided for by Article 166, paragraph 5, of the Code, to the School Institute, communicating the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulations and inviting the Institute to send to the Guarantor defensive writings or documents and, if necessary, to ask to be heard by the Authority, within 30 days (Article 166, paragraphs 6 and 7, of the Code, and Article 18, paragraph 1, by Law No. 689 of 24/11/1981).

In particular, the Office considered that the publication of the above mentioned rankings was in violation of the regulations on the protection of personal data, resulting in the processing of personal data:

a) not in compliance with the principles of "lawfulness, correctness and transparency" and "data minimization", in violation of art. 5, par. 1, letter a) and c) of the Regulation;

b) in the absence of a legal requirement, for the publication of personal information not necessary with respect to the purposes pursued with the publication, including the indication of the score obtained by pupils according to certain indexes such as: early school leaving, deficiencies, Isee as well as data relating to the health of a person concerned, in violation of art. 6, par. 1, letter c) and e), par. 2 and par. 3, letter b) of the Regulation and art. 2-ter, paragraphs 1 and 3, of the Code;

c) in violation of the prohibition of dissemination of health data (art. 9, par. 1, 2, 4, of the Regulation referred to in art. 2-septies, paragraph 8, of the Code).

By note of the XX (prot. n. XX), the Regent School Manager sent the defensive briefs, specifying, in particular, that: The specific and objective elements of assessment in relation to the alleged violations are provided by the declaration of the D.S. Regent a.s. 2018/2019 prof. XX, by Dr. XX who at the time of the violation held the position of RDP and the documentation present in the documents that has already been transmitted by the I.C. di Crucoli to the Guarantor in response to the request for information:

- "within the selection of the students participating in the POR Calabria Project under examination, two rankings had been produced on the basis of the parents' requests: the first one was elaborated in the procedural phase and to be held exclusively to the office records containing sensitive data related to the participating pupils regarding the economic situation, the insufficient didactic-educational situation and disability and which was preparatory to the definition of the total score to be given to each pupil; The second, to be published in the official register was the one containing only the total score assigned to each pupil, therefore without the columns relating to the partial scores assigned for each of the variables related to the risk of early school leaving, the income situation and disability." From the acts is an error in the publication of the ranking, drawn up in two versions, in one of these sensitive data were indicated and this by mistake was published. (as per the attached declaration of the Administrative Assistant (...)).  In addition, in the declaration of the D.S. regent a.s. 2018/2019 (...): "the publication of the first ranking instead of the second, should not be considered a culpable act of voluntary violation of privacy but was only a mere material error due to the enormous administrative workload resulting from the situation below and the consequent presence of a DSGA in charge of the regency, the Istituto Scolastico Comprensivo di Crucoli";

- Following the communication by PEC of the Guarantor of Privacy (...) the RDP (...) on date XX has provided by PEC the indications for rectification to adapt the processing of data to the criteria of lawfulness and minimization, and on date XX from the site of the Institute was removed the ranking in which there were categories of particular data;

- The D.S. regent a.s. 2018/2019 (...) emphasizes that: "With reference to art. 83 paragraph 2 letters f), i) and j) of the Regulation, which provided to initiate, promptly, a formal disciplinary procedure against the aforementioned administrative assistant (...) closed and sanctioned with a verbal warning also sent to USR Calabria";

- the Institute following the communication by PEC of the Privacy Guarantor of XX (...) has produced the requested news with written answer to the Guarantor transmitted on XX XX XX and has provided for the removal of the ranking;

3. Result of the investigation relating to the complaint submitted. Applicable regulations.

According to the relevant regulations, "personal data" is "any information concerning an identified or identifiable natural person ("interested party")". (art. 4, par. 1, no. 1 of the Regulations). Furthermore, "a natural person is considered identifiable if he or she can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his or her physical, physiological, genetic, psychic, economic, cultural or social identity" (ibid.).

The processing of personal data carried out in the public domain is lawful only if such processing is necessary "to fulfil a legal obligation to which the data controller is subject" or "for the performance of a task in the public interest or connected with the exercise of public authority vested in the data controller" (art. 6, par. 1, letter c) and e)).

The European law also provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to treatment, in accordance with paragraph 1(c) and (e), determining more precisely specific requirements for treatment and other measures to ensure lawful and correct treatment (...)" with the result that the provision contained in Art. 2-ter of the Code, according to which the operation of dissemination of personal data (such as publication on the Internet) in the public domain is allowed only when provided for by a law or, in cases provided for by law, by regulation.

In this framework, the processing of personal data must be carried out in compliance with the principles indicated in art. 5 of the Regulation, including those of "lawfulness, correctness and transparency" as well as "data minimization", according to which personal data must be - respectively - "processed in a lawful, correct and transparent way towards the person concerned" as well as "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (par. 1, lett. a) and c).

In any case, the dissemination of data relating to health (art. 9, par. 1, 2 and 4, of the Regulation, art. 2-septies, paragraph 8, of the Code,), i.e. "personal data concerning the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health" (art. 4, par. 1, no. 15; recital no. 35, of the Regulation), remains absolutely forbidden.

4. Conclusions.

In the light of the above evaluations, taking into account the statements made by the data controller in the course of the investigation, the truthfulness of which may be called to account in accordance with Article. 168 of the Code, and considering that, with reference to the case in point, the defensive pleadings produced by the Institute have not produced elements such as to determine the filing of the proceedings, the preliminary assessments of the Office are confirmed, and the unlawfulness of the processing of personal data carried out by the Istituto comprensivo statale "Crucoli Torretta" for having disclosed, through the publication on the institutional website, the rankings of the students participating in the selection, with clear personal information not necessary with respect to the purposes pursued with the publication, including the indication of the score obtained by the students according to certain indexes such as: school dropout, insufficiencies, Isee as well as data relating to the health of a person concerned, thus determining an undue dissemination of personal data.

This publication has therefore occurred in violation of the legislation on the protection of personal data and, specifically:

a) in violation of the principles of "lawfulness, correctness and transparency" and "data minimization", as per art. 5, par. 1," (par. 1, letter a) and c) of the Regulation;

b) in the absence of a legal requirement for the publication of personal information not necessary with respect to the purposes pursued with the publication, including the indication of the score obtained by pupils according to certain indexes such as: early school leaving, deficiencies, Isee as well as data relating to the health of a person concerned, in violation of art. 6, par. 1, letter c) and e), par. 2 and par. 3, letter b) of the Regulation and art. 2-ter, paragraphs 1 and 3, of the Code;

c) in violation of the prohibition of dissemination of data relating to health (art. 9, paragraphs 1, 2, 4, of the Regulation and art. 2-septies, paragraph 8, of the Code).

In this context, considering, in any case, that the conduct has exhausted its effects, since the school has declared to have removed the ranking from the school site, a circumstance verified by the Office, the conditions for the adoption of corrective measures, as per art. 58, par. 2, of the Regulation, are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction (art. 58, par. 2, letter i; 83 Regulation)

Violation of Articles 5, par. 1, letter a) and c); 6, par. 1, letter c) and e), par. 2 and par. 3, letter b); 9, par. 1, 2, 4, of the Regulation; Articles 2-ter, par. 1 and 3 and 2-septies, par. 8, of the Code is subject to the application of the pecuniary administrative sanction pursuant to Article 83, par. 5, letter a) of the Regulation.

In this regard, Art. 83, par. 3, of the RGPD, provides that "If, in relation to the same processing or related processing, a data controller or a data processor violates, with intent or negligence, various provisions of this Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation".

In the case in point, the violation of the above provisions is subject to the application of the same pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation, which therefore applies to the case in point.

The Guarantor, pursuant to art. 58, par. 2, letter i); 83 of the Regulation as well as art. 166 of the Code, has the corrective power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, within this framework, "the Board [of the Guarantor] adopts the injunction order, by which it also orders the application of the accessory administrative sanction of its publication, in whole or in excerpts, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Regulation of the Guarantor n. 1/2019).

The aforementioned fine imposed, depending on the circumstances of each individual case, must be determined in the amount taking due account of the elements provided for in Article 83, paragraph 2, of the Regulation.

In relation to the above elements, it was considered that the conduct found, in violation of the rules on the protection of personal data, had as its object the disclosure of personal data not necessary for the purposes underlying the publication of the rankings, including the indication of the score obtained by pupils on the basis of certain indexes such as: early school leaving, deficiencies, Isee as well as data relating to the health of a person concerned. This information, while not directly providing information relating to the level of school difficulties in which minors, the Isee indicator and the health of those listed in the ranking, reveals, in any case, that some of the children enrolled in these rankings have school difficulties, economic and health problems. Moreover, the diffusion, although referred to a small number of subjects, has concerned particularly vulnerable people such as minors.

On the other hand, it was considered: the culpable nature of the conduct since the publication is due to a mere error of an administrative assistant; that the Institute has taken action to remove the personal data of the persons concerned as soon as the request for information was received and has therefore cooperated with the Authority during the investigation of this proceeding in order to remedy the violation and mitigate its possible negative effects; that the school has initiated a series of actions aimed at implementing technical and organizational measures. Furthermore, there are no previous violations of the relevant Regulations committed by the school.

Due to the above elements, assessed as a whole, also taking into account the phase of first application of the penalty provisions pursuant to art. 22, paragraph 13, of Legislative Decree 10/08/2018, n. 101, it is considered necessary to determine the amount of the financial penalty, provided for by art. 83, paragraph 2, letter a) of the Regulation, in the amount of € 2. 000.00 (two thousand) for violation of Articles 5, paragraph 1, letter a) and c); 6, paragraph 1, letter c) and e), paragraph 2 and paragraph 3, letter b) of the Regulation; 9, paragraphs 1, 2, 4, of the Regulation, Articles 2-ter, paragraphs 1 and 3 and 2-septies, paragraph 8, of the Code, as a pecuniary administrative sanction deemed effective, proportionate and dissuasive in accordance with Article 83, paragraph 1, of the Regulation.

In relation to the specific circumstances of this case, it is also considered, also in consideration of the particular vulnerability of the data subjects involved; of the type of data subject to unlawful disclosure; that the accessory sanction of the publication of this measure on the website of the Guarantor, provided by art. 166, paragraph 7 of the Code and art. 16 of the Regulation of the Guarantor no. 1/2019, should apply.

Finally, it should be noted that the conditions set out in Article 17 of Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS BEING SAID, THE GUARANTOR

Declares, pursuant to art. 57, par. 1, letter f), of the Regulations, and 144 of the Code, the unlawfulness of the processing of personal data carried out by the Istituto Comprensivo Statale "Crucoli Torretta", for violation of articles. 5, par. 1, lett. a) and c); 6, par. 1, c) and e), par. 2 and par. 3, lett. b); art. 9, par. 1, 2, 4, of the Regulations; art. 2-ter, par. 1 and 3 and 2-septies, par. 8, of the Code, in the terms set out in the grounds;

ORDER
to the Istituto Comprensivo Statale "Crucoli Torretta", with registered office in Via Nicholas Green snc, 88812 - Crucoli (KR) - C.F. 91021270797, in the person of the pro-tempore legal representative, to pay the sum of euro 2. 000.00 (two thousand) as an administrative fine for the violations indicated in this measure; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, through the payment, within thirty days, of an amount equal to half of the penalty imposed;

ORDER

to the same Institute, in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 2,000.00 (two thousand), according to the methods indicated in the attachment, within 30 days of notification of this measure, under penalty of adopting the consequent executive acts pursuant to art. 27 of Law No. 689/1981;

ORDER

Pursuant to art. 166, paragraph 7, of the Code, the publication of this measure on the website of the Guarantor and considers that the requirements of art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

In accordance with Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, it is possible to appeal against this measure before the ordinary judicial authorities, under penalty of inadmissibility, within thirty days from the date of communication of the measure itself or within sixty days if the ap