Garante per la protezione dei dati personali (Italy) - 9461168

From GDPRhub
Garante per la protezione dei dati personali - 160 - 17.9.2020
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 6(1)(e) GDPR
Article 6(1)(c) GDPR
Article 28(3)(a) GDPR
Article 28(3)(h) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 17.09.2020
Published: 30.09.2020
Fine: 80000 EUR
Parties: Azienda Ospedaliera di rilievo nazionale “A. Cardarelli”
National Case Number/Name: 160 - 17.9.2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante [website (in IT)]
Initial Contributor: n/a

The Italian DPA fined a hospital €80,000 for publishing on its website personal data of participants of an open competition. The DPA held that the hospital was the controller for the data and thus liable for the breach.

English Summary

Facts

The hospital (the controller) organized an open competition. Due to a technical problem, the the participants' personal data, including health data, was published on the controller's website. It appears from the proceedings that a part of the controller's technical infrastructure was managed by a third party, especially for the handling of online job applications . The controller argues that it has no responsibility as the conduct is entirely attributable to the malpractice of the third party company.

Holding

The DPA held that the hospital is a controller under the GDPR.

The technical and organisational measures adopted by the controller through the service provider for the management of the candidates' applications did not prove adequate to the risks of the specific processing. The DPA mentions, in particular, the security of the data, the methods for accessing it using the "http" protocol and the methods for transmitting them to the hospital after the submission.

In this context, the controller did not provide the processor with the necessary instructions, nor did it in any way supervise or reviewe the security of the data processed by the processor under Article 28(3)(a) and (h) GDPR.

For these reasons, the responsibility of the security incident cannot be attributed "solely to the outsourcer", as argued by the controller. The controller failed to adopt adequate technical and organisational measures to ensure the confidentiality and integrity of the personal data processed through the processor's platform.

In doing so it violated, amongst the others, Articles 5(1)(a), 28 and 32 GDPR.

Comment

The decision provides elements of particular interest with regard to the relationship between controller and processor. The DPA requires the controller to actively verify compliance with the measures declared by the processor. In particular, the reference to Article 28(h) seems to suggest a proactive role in verifying compliance with the GDPR by the entrusted company.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stazione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and dr. Claudio Filippi, deputy secretary general;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / CE, "General Data Protection Regulation" (hereinafter, "Regulation");

GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46 / EC (hereinafter the "Code");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

Having seen the documentation in the deeds;

Given the observations made by the Deputy Secretary General pursuant to art. 15 of the Guarantor's Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web n. 1098801 ;

Rapporteur the lawyer. Guido Scorza;

WHEREAS

1. Reporting.

With a report received on the 20th, the disclosure of personal data of candidates in a public competition held by the “A. Cardarelli ”of Naples (hereinafter, the Company). In particular, it was shown that by accessing the URL http: // ... it was possible to view a list of alphanumeric codes, corresponding to the "registration code" of candidates for a specific competition (XX). A hypertext link was associated with each of these codes which allowed access to an area of ​​the portal which contained some documents submitted by candidates to supplement the application for participation in the competition. By typing the codes in the data entry boxes on the page accessible at the URL http: // ...,access was allowed to a mask in which the data entered by the candidates were shown with the possibility of modifying them (see, notification and service report of the XXth).

Through the URL http: // ..., it was also possible to view additional documents attached by the candidates themselves, also containing data relating to health (eg qualifications of preference and medical certification).

These circumstances were ascertained by the Guarantor's Office (see Service Report of the XXth, in documents).

2. The preliminary activity.

In response to the specific requests of the Office, with notes from the twentieth century, the Company stated that:

- the management platform used for the implementation of the competitions belongs to the company Scanshare srl (hereinafter, the "Company"), entrusted with the online application management service and the IT pre-selection phase of the competitors;

- the platform did not reside on company machines and was not managed by the Company's employees, but by the Company itself, which processed the data qualifying itself as the data controller;

- with regard to the matter being reported, the Company, from which the Company had requested a technical report on the incident, stated that "access to the folders [...] indicated was carried out within a period of a few minutes in which the platform was undergoing maintenance due to multiple simultaneous accesses by candidates ".

Subsequently, the Office carried out an investigation, pursuant to art. 58 of the Regulation and 157 and 158 of the Code, towards both the Company (the XXth) and the Company (the XXth, see the minutes of the operations carried out, in documents).

During the inspection, the representatives of the Company declared:

- to have launched a tender through the Electronic Market of the Public Administration (MEPA) "for the selection of an online service provider for the management of applications and automatic preselection of competitors for certain competitive procedures", at the outcome of which the Company was the winner (see Resolution of the General Manager no. 40 of 18 January 2018, attached to the aforementioned minutes);

- that the service entrusted consisted in the management of the applications presented by the candidates and the relative documentation; in cases where the number of applications presented was high, the company should also have taken care of the organization and management of the pre-selection tests. Furthermore, on the occasion of the publication of the calls, the Company should have prepared a specific form - to be published on the online platform, reachable at the address: http: // ... - in which candidates who had intended to submit the application could enter their personal data, qualifications, career certificates and preference criteria (such as, for example, those of disability), attaching the documents certifying the declarations made;

- that the Company has not provided any attestation of compliance with regard to the data and documents provided, which have been stored on a CD-ROM, without any protection precautions and inside which the files were "stored in folders, named with surname of the candidate and the code assigned by the procedure. The files are made available in unsigned PDF format ”(report of operations carried out, p. 3);

- the Company would have become aware of the reported event only on the occasion of the request note for elements of the Authority, following which, having not detected any anomalies on its systems, it requested clarifications regarding the Company; only at that point the Company would have provided "a technical description [...] of the event [... and] explained the security measures adopted by the supplier in relation to the procedures for access, authentication, access tracking and the configuration of the platform" ( report of operations carried out, p. 4).

During the investigation, the Company exercised its right of access to the administrative documents and inspection documents carried out by the Guarantor against the Company. The relative procedure for accessing the documents was defined by the Office with a note dated XX (prot. No. XX).

With a note dated XX (prot.n.XX), the Office, on the basis of the elements acquired in the context of the complex investigation launched, examines all the documentation acquired during the two inspections carried out and subsequently transmitted by The Entity and the Company involved, as well as the facts that emerged during the investigation and subsequent assessments made, notified the Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulations, inviting the aforementioned holder to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code; as well as Article 18, paragraph 1, of Law no. 689 of 24/11/1981).

With the aforementioned note, the Office found that the processing of the personal data of the data subjects, in the manner described above, was carried out by the Company in violation of the principle of lawfulness, correctness and transparency (Article 5, paragraph 1, letter a) of the Regulation) and art. 13 of the Regulations, as no suitable information was provided to interested parties who took part in the competition; in violation of art. 28 of the Regulations, as the Company failed to regulate the relationship with the Company by means of a contract or other legal act that governs the processing carried out on its behalf by the Company; in the absence of a suitable prerequisite of lawfulness and in violation of the prohibition of disclosure of health data (articles 6, paragraph 1, letters c) and e) of the Regulation and articles 2-ter and 2-septies,paragraph 8 of the Code); in violation of art. 32 of the Regulations, for failure to adopt adequate technical and organizational measures aimed at guaranteeing the confidentiality and integrity of the personal data processed

With a note of the twentieth, the hospital has sent its defense briefs, representing, among other things, that:

- "the alleged violation must be analyzed in the concrete and effective context of the tender contract stipulated by the AO, by means of a public evidence procedure, with the company managing the IT platform that originated the security incident (so-called" data breach " ) [… As the structure of the relations between the parties] did not foresee […] any effective influence of the client public structure on the concrete functioning of the platform;

- "the same company entrusted with the service [...] expressly qualifies as the data controller as a subject who, on the whole, exercises an autonomous decision-making power on the purposes and methods of processing personal data, including the security profile" (cf. . document bearing “Functional specifications of the portal, including the architecture of the system as well as the data flows between its various components”, in documents);

- "if on a strictly formal and organizational level, the sphere of ownership of the treatment by the Hospital remains as regards the purposes of processing the candidates' data, the means of the specific treatment [...] are, in fact, removed from the its sphere of availability and the power of direct and / or continuous control "also because" the site http: // ... [...] does not reside on company machines, nor is it managed by internal staff "(see internal note of XX addressed to the Data Protection Officer and the Administrative Director, of the XX in acts);

- "the sanctioning procedure initiated by the Guarantor must take into account the effective division of responsibility" between the Company and the Company and "the effective influence rate exercisable by each" as well as "the real level of control of the telematic flows that sees the outsourcer awarded to assume a largely predominant role in the concrete management of the platform on which they are uploaded online by competitors "and" to screen the two spheres of imputation relating to "effective" positions ", also in light of art. art. 83, paragraph 2, lett. d) of the Regulations and art. 3 of Law 689/1981; this is because "the security incident [...] caused, in an accidental manner, an unauthorized disclosure of the data entered by the participants in the competition on the platform" but "does not appear to be reconnectable,neither in objective terms (material causation), nor in subjective terms (reproach of the culpable conduct), to the sphere of treatment of which it is the effective owner […] ";

- “the duration of the contested violation corresponds to a time frame which, although it cannot be historicized with certainty, certainly appears to be limited to within the month of XX”; in particular, on this point it was highlighted "the rate of neglect and bad faith in which the contractor incurred in the feedback provided to the exponent, due to the evident contradiction with what was declared [...] in the note of the XX with which he reassured the AO both on the observance of the GDPR internally, and on the very short time interval in which the violation would have ended, given that access to the folders would have been possible, according to the administrator [of the company ...], in a period of time of a few minutes in which the platform was under maintenance due to multiple simultaneous accesses by candidates ";

- for these reasons "relying on the guarantees provided by the contractor, especially with regard to the minimum duration of the data breach detected", the Company had found the Guarantor in the same terms and then was instead denied "by the statements made by the software development manager of [... company] in the minutes of the operations carried out by the Guarantor at the outsourcer "which states that" the online management platform for applications to participate in competitions for XX had undergone a maintenance intervention - consisting in transferring the web server of the platform on a machine with higher performance - between the XX and XX; on XX, only following the request for information sent by the Guarantor, the outsourcer verified accessibility from the outside from folder "XX"and he remedied it on the same date through the same respondent, in his capacity as system administrator "(see minutes of the 20th, in documents);

- "such a long duration of the data breach that occurred (equal to 25 days of online accessibility of the folders) [... would] have been silenced by the contractor from the client [... who would] only become aware of it later [of the year of the right of access to the documents in the file with the Guarantor…] if reported in good time to the client, it would have allowed the AO to orient itself differently with regard to the disclosure requirements towards the interested parties and the consequent active amendment provided for by art. 33 GDPR for data breach situations "which, therefore, would be" attributable solely to the outsourcer ";

- for the reasons stated, with regard to the violation of art. 32 of the Regulations, "the Client had no possibility of preventing the event that occurred since it was not placed, ex ante, in the conditions to exercise any form of supervision over the work of the contractor";

- with regard to the other contested violations (articles 13 and 28 of the Regulation), "in recognizing the censored violations", the Company specified that "the dynamic process of compliance of the entire public health facility with the new legislation on protection of personal data [...] requires a timing of sequential compliance and an organizational compliance effort which, in relation to the company size and internal work processes, did not allow to guarantee total company compliance, on the well-known deadline of May 25, 2018, date of full effective application of the GDPR. In particular, in the present case, in which the assignment of the telematic management service of the competitions launched by the AO dates back to before 25 May 2018 (see excerpt of DG Resolution no.40 of 18 January 2018 in annex XX) ".

During the hearing, held at the Guarantor on the XXth date, the hospital company highlighted the sensitivity of the new company management towards data protection, illustrating how "the new management is continuing to implement an overall adaptation project to the Regulations [… also participating in the] “Soresa” project to apply the Regulations uniformly in all healthcare companies ”. In reiterating that "the violation of personal data occurred due to the inexperience and negligence of the supplier", he also stated that, also due to the fact that the Company continued to have "an uncooperative attitude and refuses to assume the role of data processor, as well as to remedy the previous deficient process with the necessary formalities "the Company reserves the right to protect its interests in judicial offices and that, in any case, the existing contractual relationship with the Company would have ceased on the 20th.

3. Outcome of the preliminary investigation.

The personal data protection discipline provides that public subjects, if they operate in the performance of insolvency, selective or otherwise evaluative procedures, preliminary to the establishment of the employment relationship, may process the personal data of the interested parties (Article 4, No. 1 , of the Regulation), also relating to particular categories of data, if the processing is necessary "to fulfill a legal obligation to which the data controller is subject" (think of specific obligations under national legislation "for recruitment purposes", art. 6, par. 1, lett. c), 9, par. 2, lett. b) and 4; 88 of the Regulation) or "for the performance of a task in the public interest or connected to the exercise of public authority vested in the data controller" (Article 6, paragraph 1, letter e), of the Regulation) .

The national legislation has also introduced more specific provisions to adapt the application of the rules of the Regulation, determining, with greater precision, specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing (Article 6, par. 2, of the Regulation) and, in this context, has provided that the processing operations, and among these the "dissemination" of personal data, are permitted only when provided for by a law or, in the cases provided for by law, by regulation (Article 2-ter, paragraphs 1 and 3, of the Code).

In this context, with regard to the particular categories of personal data, including those relating to health (in relation to which a general prohibition of processing is envisaged, with the exception of the cases indicated in art.9, paragraph 2 of the Regulation and, in any case a regime of greater guarantee than other types of data, in particular, as a result of art. 9, par. 4, as well as art. 2-septies of the Code), the processing is allowed, to fulfill specific obligations "in labor law […] to the extent authorized by law […] in the presence of appropriate guarantees ”(Article 9, paragraph 2, letter b), of the Regulation).

In any case, the dissemination of data relating to health is prohibited (art. 2-septies, paragraph 8, of the Code, see also art. 9, paragraphs. 1, 2, 4, of the Regulation), ie "personal data relating to the physical or mental health of a natural person, including the provision of health care services, which disclose information relating to his state of health "(Article 4, paragraph 1, no. 15; recital no. 35 of the Regulation).

Even in the presence of a specific regulatory provision that legitimizes the dissemination or communication of personal data, the data controller is required to comply with the principles of "lawfulness, correctness and transparency", "purpose limitation", "minimization" as well as "integrity and confidentiality "of data and" accountability "(Article 5 of the Regulation).

3.1. The information to the interested parties and the legal basis of the processing.

In the light of the elements acquired and the statements made during the investigation, it emerged that the candidates for the specific insolvency procedure in question did not receive from the Company the information necessary to ensure correct and transparent treatment. In fact, in none of the phases of registration for the competition and online compilation of the relative applications for participation, the essential elements required by art. 13 of the Regulation.

The brief document published on the home page of the platform, also contained in the Portal Management Manual, only states that “the user gives consent to the processing of personal data pursuant to Legislative Decree no. 196/2003, the data provided will be collected and processed at the Human Resources UOC of AORN Cardarelli, as well as at the company providing the IT platform, exclusively in the context of the procedure for which this declaration is made "(see note of 'Company prot. N. XX of the XX). This document, which does not contain any reference to a complete information or other supplementary document, possibly available in another section of the site, cannot be considered sufficient,for the purpose of fulfilling the obligation to provide interested parties with all the information required by the data protection regulations (articles 13 and 14 of the Regulation; see on this point the Sentence of the European Court of Human Rights of 5 September 2017 -Appeal no. 61496/08 - Barbulescu case v. Romania, spec. n. 140). Nor does any type of information appear to have been provided to the participants through alternative methods (for example, by sending, by the Company or the Company, an e-mail confirming registration for the purposes of participating in the competition).

For these reasons, the processing appears to have been carried out in violation of the obligation that requires the data controller to provide the data subjects with prior information, in accordance with the provisions of art. 13 of the Regulations, also in compliance with the "principle of transparency" (Article 5, letter a) of the Regulations).

Again with reference to the transparency and correctness of the processing, it is specified that the reference, in the aforementioned document, to "consent to the processing of data", as a condition of lawfulness of the processing, is not relevant in this case.

The consent of the interested party, in fact, cannot, as a rule, constitute a valid prerequisite of lawfulness for the processing of personal data when there is "an evident imbalance between the interested party and the owner" (see recital 43 of the Regulation), especially when this is a public authority that acts in the performance of a "task of public interest or connected to the exercise of public powers" (Article 6, paragraph 1, letter e) of the Regulations; Guidelines on consent pursuant to EU Regulation 2016/679 - WP 259 - of 4 May 2020) or in the context of activities related to the establishment and management of employment relationships (eg "for recruitment purposes", art. 88 of the Regulation). These circumstances exist in the present case.

For these reasons, the processing of data, also relating to particular categories of personal data, contained in documentation certifying titles of preference, precedence or reserve of places, as well as in declarations made pursuant to l. 104/92, being aimed at the recruitment of personnel by a public entity, finds its legal basis in the specific sector regulations that regulate access to jobs in public administrations and the procedures for carrying out public competitions (cf. in particular, Legislative Decree 30 March 2001, n.165 and Presidential Decree 9 May 1994, n.487) and not in the consent of the interested parties (cons. 43, art.88, paragraph 1 of the Regulations; see also Opinion 2 / 2017 on the processing of data in the workplace, adopted by the Working Group art.29 adopted on 8 June 2017, WP 249).

3.2. Failure to define the role played by the Company in the processing of personal data of candidates in the competition.

In the light of the documents in place, it appears that the hospital has entrusted the company providing the IT platform with the activity concerning the processing of personal data of candidates for the competitive exam in the phase of collection and management of applications and in that of pre-selection of candidates , as well as the technical assistance and maintenance service.

For the purposes of compliance with the legislation on the protection of personal data, it is necessary to precisely identify the subjects who, for various reasons, can process personal data and clearly define their respective powers, in particular that of data controller and data processor and of the subjects that operate under the direct responsibility of the latter (Article 4, paragraph 1, point 7 of the Regulations and Articles 28 and 29 of the Code).

In particular, the owner is the subject on whom the decisions regarding the purposes and methods of processing the personal data of the interested parties fall as well as a "general responsibility" on the treatments put in place (see art. 5, par. 2 so-called "accountability "And 24 of the Regulations), even when these are carried out by other subjects" on his behalf "(cons. 81, art. 4, point 8) and 28 of the Regulations).

The relationship between owner and manager is governed by a contract or other legal act, stipulated in writing which, in addition to mutually binding the two figures, allows the owner to give instructions to the manager and provides, in detail, which is the subject matter. the duration, nature and purposes of the processing, the type of personal data and the categories of data subjects, the obligations and rights of the owner. The Data Processor is therefore entitled to process the data of the interested parties "only on the documented instruction of the owner" (Article 28, paragraph 3, letter a) of the Regulation).

The Regulation also governed the obligations and other forms of cooperation to which the data controller is required when acting on behalf of the owner and the scope of their respective responsibilities (see articles 30, 33, par. 2 and 82 of the Regulation) .

According to art. 24 of the Regulation, taking into account the nature, scope, context and purposes of the processing, as well as the risks with different probabilities and gravity for the rights and freedoms of natural persons, it is primarily up to the data controller to put adequate technical and organizational measures are in place to guarantee, and be able to demonstrate, that the processing is carried out in accordance with the Regulations. These measures should also be reviewed and updated as necessary.

As is clear from the documents, the hospital has processed the personal data of the candidates, as owner, assuming the corresponding responsibilities; this is also confirmed in the document, published on the initial page of the platform, where it was highlighted that "the data provided will be collected and processed at the Human Resources Department of AORN Cardarelli, as well as at the company providing the IT platform, exclusively in the context of procedure for which this declaration is made "(see note of the Company prot. no. XX of XX).

The decision to outsource some phases of the bankruptcy procedure called for the recruitment of new health personnel to be employed in their own structures derives from a precise choice of the hospital; the supplier company has therefore processed the personal data of the candidates as part of an instrumental service aimed at managing certain phases of the competition procedure (in particular, acquisition of the requests to participate and management of the pre-selection phase of the candidates to be admitted to the competition). The functions carried out by the Company therefore involved the processing of the personal data of candidates of which the hospital is still the owner,having determined the purposes and having indicated the methods of management of the various phases of the procedure as well as the main terms of the execution of the service (Articles 6 et seq. of the "Notice of call on the" Electronic Market / Online Purchases Public Administration of procedure negotiated ").
Nevertheless, the relationship with the Company has not been properly regulated, pursuant to art. 28 of the Regulation, as shown by the documentation in the documents and as confirmed also by the hospital.

The aforementioned “Notice of call on the“ Electronic Market / Public Administration Network Purchases ”of negotiated procedure through Request for Offer (RdO) no. XX (concerning "Management of online applications and computer preselection for the admission of competitors to some public competitions announced by the AOR" A. Cardarelli ") and the" Deliberation of the General Manager n. 40 of January 18, 2018 on the definitive award of the negotiated procedure carried out by means of a Request for Offer (RdO9 n. 1808823- Scanshare Company "(see documentation in deeds) do not have the specific characteristics of the legal act that defines the role of the Manager, as they do not contain the elements envisaged by article 28 of the Regulation (see spec. par. 3).

It is therefore ascertained that the hospital has failed to regulate the relationship with the company, which has carried out the processing of the candidates' data on its own behalf and in its own exclusive interest, in violation of art. 28 of the Regulation.

3.3. Dissemination of personal data of candidates for the competition procedure.

In the present case, the preliminary investigation made it possible to verify that, for reasons related to the inexperience in the processing of data by the service provider used by the hospital for the management of the procedure, a dissemination of personal data of candidates in the competition in the absence of a suitable prerequisite of lawfulness. Taking into account that the disclosure also involved data relating to health, with respect to which the regulations on the protection of personal data, due to the particular sensitivity of this category of data, expressly provide that "they cannot be disclosed" (art . 2-septies, paragraph 8 of the Code), the processing of which the Company is the owner appears to have been carried out in violation of articles 5, lett. a), 6 par. 1, lett. c) and e) of the Regulations and articles2-ter and 2-septies, par. 8 of the Code.

3.4. The security of the treatment.

According to the Regulation, the data must be "processed in such a way as to guarantee adequate security of personal data, including protection, by means of adequate technical and organizational measures, from unauthorized or illegal processing and from accidental loss, destruction or damage "(Article 5, par. 1, letter f), of the Regulation).

In this regard, art. 32 of the Regulation establishes that "taking into account the state of the art and the costs of implementation, as well as the nature, the object of the context and the purposes of the processing, as well as the risk of varying probability and natural persons, the data controller and the data processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk "and that" in assessing the adequate level of security, special risks are taken into account presented by the treatment that derive in particular [...] from the unauthorized disclosure [... of] personal data transmitted, stored or otherwise processed ".

Due to the "general responsibility" of the data controller (Article 5, paragraph 2 of the Regulation), the same is required to "implement adequate and effective measures [and ...] demonstrate the compliance of the processing activities with the [... ] Regulation, including the effectiveness of the measures "(cons. 74, articles 4, point 7) and 24 of the Regulation) and, in this context, for the purpose of preparing the technical and organizational measures that meet the requirements established by the Regulation, the owner can also use a manager to carry out some processing activities, to whom he / she gives specific instructions, also from the point of view of security (see cons. 81 of the Regulations).

From the checks carried out, the technical and organizational measures adopted by the hospital, through the service provider, for the management of the competition procedure - in particular, the methods for collecting and managing the applications for participation from candidates, data security to the same referred to, the methods of accessing the data via the "http" protocol and the methods of transmission of the same to the hospital at the end of the presentation of the applications - have not, on the other hand, proved to be suitable for guaranteeing a level of security adequate to the risks of the specific treatment. This has contributed, however, to create the conditions for the occurrence of the security breach, which is the subject of the report, with the consequent unlawful dissemination of personal data, also relating to health, of the interested parties,furthermore entailing the possibility, for anyone who had accessed the URL for data entry, to modify certain personal data provided by other interested parties when completing the applications (as verified by the office during the first checks, cf. . service report of the XX, in acts).

Similarly, the methods adopted for sending data to the Company - at the expiry of the terms of the competition or after the possible preselection test - cannot be considered adequate either in terms of the accuracy of the data processed (Article 5, paragraph 1, letter d) of the Regulation), nor in terms of safety and integrity (Article 5, paragraph 1, letter f) of the Regulation).

With regard to the first profile, the hospital has not, in fact, adopted any formal procedure, nor any type of control, suitable for guaranteeing the integrity and correspondence between the data entered on the platform by the candidates and the data actually received. This is to be considered with particular attention also due to the fact that any discrepancy between the documents presented by the candidates and those examined by the hospital could have determined serious prejudicial effects for the interested parties, such as, for example, the possible exclusion from participation in the competition or the failure to recognize any qualifications of preference, compared to other candidates.

With regard to the second profile, it is noted that the methods of data transmission and delivery of documents relating to candidates, carried out by sending a CD-ROM without protection mechanisms (password or encryption of the data contained), do not have allowed to adequately protect personal data from unauthorized access (eg by consulting or copying the data contained in the IT support). Any such unauthorized access, if they had occurred, would not have been identifiable or traceable in any way, not even with ex post controls.

Moreover, precisely also as a consequence of the failure to regulate the relationship with the service provider (see above par.3.2), the hospital has not given him the necessary instructions, also with regard to the methods with which it should have provision of all the information necessary to demonstrate compliance with the obligations in the processing of data (Article 5, paragraph 2 and Article 24 of the Regulation), nor does it appear to have in any way carried out supervisory or auditing activities regarding the security of the data processed , on its own behalf, by the Company (Article 28, paragraph 3, spec. letters a) and h) of the Regulation). Nor does it note, for the purposes of a possible exclusion of liability of the hospital, that “the outsourcer awarded [had] a predominant role in the actual management of the platform”.

For these reasons, contrary to what was claimed in the defensive briefs, the security incident that occurred cannot be considered "attributable solely to the outsourcer" and the hospital instead was responsible for the failure to adopt adequate technical and organizational measures the confidentiality and integrity of personal data processed with the aid of the platform managed by the Company, in violation of articles 5, paragraph 1, lett. f) and 32 of the Regulations.

4. Further investigations by the Office.

During the checks carried out by the Office on the circumstances to be assessed pursuant to art. 83, par. 2, of the Regulation for the purpose of quantifying the sanction applicable to the specific case, it emerged that, in the "Transparent Administration" section of the hospital, section "XX" by accessing the URL http://www.ospedalecardarelli.it/ .. ., numerous acts and documents are published (e.g. rankings, administrative appeals, resolutions) relating to the same competition procedure and containing personal data, also relating to particular categories and health, of the participants in the competition (see service report of the XX, in acts).

Without prejudice to the assessments regarding the lawfulness of this disclosure of data which will be the subject of an independent procedure, it was found that, among the personal data published, there are also the unique registration codes for the competition associated with each candidate and, in some cases, even the tax codes of the same. By inserting these codes in the appropriate mask at the address: https: // ... through the form "XX", it has been ascertained that the detailed data provided when submitting the application by individual candidates are still present and accessible on the platform managed by the Company.

This shows that, also due to the failure to regulate relations with the company providing the service, the hospital has in fact lost full control over the personal data that it was required to process in the performance of its functions, since even "after the provision of the services relating to the processing is terminated "(Article 28, paragraph 3, letter g) of the Regulations) and despite the fact that the contractual relationship with the Company has ceased on the 20th, the same continues to store, process and render however accessible, in the manner described above, the data of the participants in the competition through its platform.

5. Conclusions.

In light of the aforementioned assessments, it is noted that the statements made by the data controller in the defensive writings ˗ for the veracity of which one may be called to answer pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow to overcome the findings notified by the Office with the act of initiation of the procedure and are insufficient to allow the dismissal of this procedure, however, none of the cases provided for by the 'art. 11 of the Guarantor Regulation n. 1/2019.

The processing of the data of the interested parties, which occurred in violation of the regulations regarding the processing of personal data, began with the publication of the competition in the Official Gazette on the 20th, the date from which candidates could submit their application for participation in the competition; the violation of personal data that led to the online dissemination of personal data occurred between the 20th and 20th centuries; the termination of relations with the Company occurred in the 20th. It is therefore noted that the treatments in question were carried out in full force of the provisions of the Regulation and the Code; for the purpose of determining the applicable regulatory framework, from a temporal point of view (Article 1, paragraph 2, of Law no. 689 of November 24, 1981), these constitute in fact the provisions in force at the time of the committed violation.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Company is noted, as the processing of the personal data of the candidates in the competition organized by the same, occurred in violation of Articles 5, par. 1, lett. a), 6 par. 1, lett. c) and e), 13, 28 and 32 of the Regulation and art. 2-ter and 2-septies of the Code which provides for the specific prohibition of dissemination of health data.

The violation of the aforementioned provisions makes the administrative sanction envisaged by art. 83, par. 4 and 5 of the Regulation, pursuant to art. 58, par. 2, lett. i), and 83, par. 5, of the same Regulation as also referred to by art. 166, paragraph 2, of the Code.

6. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. I and 83 of the Regulations; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations as well as art. 166 of the Code, has the power to "inflict an administrative pecuniary sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case "and, in this context," the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, taking into account art. 83, par. 3, of the Regulation, in the present case - also considering the reference contained in art. 166, paragraph 2, of the Code - the violation of the aforementioned provisions is subject to the application of the same administrative fine as provided for by art. 83, par. 5, of the Regulation.

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the elements provided for by art. 83, par. 2, of the Regulation.

In relation to the aforementioned elements, the particular delicacy of personal data unlawfully processed and disseminated (including data relating to health, Article 4, paragraph 1, No. 15 of the Regulation) was considered as well as, with regard to the security incident that occurred, the duration of the online stay (25 days) and the number of interested parties involved (all candidates in competition XX, i.e. over 2000 interested, as also results from resolution no. XX, to date still available on the Company's website, with the which the candidates who passed the pre-selection test and the participants exempted from this test were admitted to the competition pursuant to art. 20 ln 104/1992. It was also considered that, as verified, the termination of the relationship with the Company did not put an end to the overall treatment which, at present, is, in part,still in progress. These circumstances highlight the harmfulness of the conduct, since the circumstance, alleged by the hospital in the defense writings, cannot be taken into consideration for this purpose, that “no instance of exercise of the rights pursuant to art. 15 and ss. GDPR, nor warning, complaint (formal or informal), request for compensation and / or legal action are brought against the AO as a result of the event "(see note XX, cit.).as a consequence of the event "(see note XX, cit.).as a consequence of the event "(see note XX, cit.).

From the point of view of the severity and duration of the violation, of the damage to the parties concerned as well as the degree of responsibility of the Company, it was also considered that, due to the subsequent conduct of the Company, consisting in the publication on its institutional website of numerous deeds and documents containing personal data of the participants in the competition procedure (profiles in relation to which the Authority reserves the right to initiate independent proceedings) and, as a result, the simultaneous availability on the network of the tax codes and the unique codes associated with each candidate , it is still possible for anyone to consult the data provided by the participants when registering for the competition.

On the other hand, it was considered that the hospital, although it did not proceed with the notification pursuant to art. 33 of the Regulations (due to the lack of information provided by the Company) collaborated with the Authority during the investigation of this proceeding, not being held responsible for the partial and inaccurate information that, in a first phase, it provided to the 'Authority "relying on the guarantees provided by the contractor, especially in relation to the minimum duration of the data breach detected" and the causes of the security incident that occurred (up to the month of XX, the Company in fact trusted, on the basis of the feedback provided until then by the Company, that the IT incident had been resolved within "a few minutes", see note of the XX, cit.). Furthermore, there are noprevious relevant violations committed by the data controller or previous measures pursuant to art. 58 of the Regulation.

Based on the aforementioned elements, assessed as a whole, it is therefore deemed necessary to determine the amount of the pecuniary sanction, also taking into account the phase of first application of the sanctioning provisions, pursuant to art. 22, paragraph 13, of the d. lgs. 10/08/2018, n. 101, to the extent of € 80,000 (eighty thousand) for the violation of Articles 5, par. 1, lett. a), 6 par. 1, letters c) and e), 13, 28, 32 of the Regulation and 2-ter of the Code, as well as art. 2-septies, paragraph 8 of the Code. In quantifying the sanction, the Guarantor took particular account of the fact that the violations are connected to a treatment started immediately after the definitive application of the Regulation.

Taking into account the particular delicacy of the data disclosed, it is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.

Finally, it should be noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR

declares, pursuant to art. 144 of the Code, the unlawfulness of the processing carried out by the Antonio Cardarelli National Relief Hospital, for violation of articles 5, par. 1, lett. A), 6 par. 1, lett. C) and e), 13, 28, 32 of the Regulation and 2-ter of the Code, as well as of art.2-septies, paragraph 8 of the Code, within the terms set out in the motivation;

ORDER

to the National Relief Hospital "Antonio Cardarelli", in the person of the pro-tempore legal representative, with registered office in Naples (80131), Via A. Cardarelli, n. 9, CF 06853240635, pursuant to articles 58, par . 2, lett.i), and 83, par. 5, of the Regulation and 166, paragraph 2, of the Code, to pay the sum of 80,000.00 (eighty thousand) euros as a fine for the violations indicated in the motivation ; it is represented that the offender, pursuant to Article 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

INJUNCES

to the same Company to pay the sum of 80,000.00 (eighty thousand) euros, in the event that the dispute is not settled pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the annex, within 30 days from the notification of this provision, under penalty of adoption of the consequent executive acts pursuant to art. 27 of Law 689/1981;

HAS

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the website of the Guarantor, considering that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019.

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, against this provision, it is possible to appeal to the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, 17 September 2020