Garante per la protezione dei dati personali (Italy) - 9468523

From GDPRhub
Garante per la protezione dei dati personali - 9468523
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 03.09.2020
Published: 03.09.2020
Fine: 2000 EUR
Parties: Comune di Casaloldo
National Case Number/Name: 9468523
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Ordinanza ingiunzione nei confronti di Comune di Casaloldo - 3 settembre 2020 [9468523 (in IT)]
Initial Contributor: Andrea S.

The Italian DPA (Garante) imposed €2000 fine on a municipal district for the unlawful processing and further disclosure of personal data related to an unsuccessful candidate, who had submitted his application for a public role through an open competition system.

English Summary

Facts

The municipal district of Casaloldo (the 'District') has organized an open competition in order to fulfill a public role. After the written exams, the District published the results and the various scores of all the applicants through its website in order to guarantee the transparency of the procedure.

One of the unsuccessful applicants made a complaint to the Garante claiming that District had made inappropriate and unlawful use of his information, with the publication of his name and his score publicly available.

The Garante promptly started an investigation in order to have more details from the District, which, following the mentioned complaint, immediately removed the information of all the unsuccessful candidates from the official website of the District.

Dispute

The Garante had to determine whether the District had correctly published information of all the candidates or it would contravene the Data Protection principles established by the Art. 5 of GDPR.

Holding

The Garante did not find a proper legal basis to disclose the information of unsuccessful candidates to the public and evaluate reasonable the disclosure of only the candidates that move forward to the final step of the open competition.

Furthermore, the Garante interpreted this to mean that all candidates would not have expected their personal data to be disclosed in the event of unsuccessful applications considered that disclosure remains beyond the candidates’ expectations. It is therefore possible that disclosing this information would cause them distress.

Comment

It may be worth noting that the Garante, during its evaluation of the potential fine to impose, took into account the constant collaboration of the District, the good faith of their behaviour and the lack of (human and financial) resources to handle the full workload of the District.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Injunction order against the Municipality of Casaloldo - 3 September 2020

Register of measures
n. 154 of 3 September 2020

GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the lawyer. Giuseppe Busia, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC, "General Data Protection Regulation" (hereinafter "RGPD");

GIVEN the d. lgs. June 30, 2003, n. 196 containing the “Code regarding the protection of personal data (hereinafter the“ Code ”);

GIVEN the general provision n. 243 of 15/5/2014 containing the "Guidelines on the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the web by public entities and other obliged entities", published in the Official Journal n. 134 of 12/6/2014 and in www.gpdp.it, doc. web n. 3134436 (hereinafter "Guidelines on transparency");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

GIVEN the documentation in the deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor's Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web n. 1098801 ;

Speaker Dr. Agostino Ghiglia;

WHEREAS

1. Introduction.

This Authority has received a complaint from the XX regarding the dissemination of its personal data contained in provisions relating to an "XX" published on the institutional website of the Municipality of Casaloldo.

Specifically, as verified on the basis of the preliminary assessment carried out by the Office, it was found that in the "Transparent Administration" section of the institutional website of the aforementioned Municipality and, in particular, in the "Competition notices" area, at url https : // ..., it was possible to view and download the following documents from the link entitled "XX":

1) Determines n. XX of the XX having as object xx

2) Document entitled XX

3) Document entitled XX

4) Document entitled XX

5) Document entitled XX

The aforementioned documents published online contained data and personal information of the subjects participating in the public selection described, including the complainant whose name appeared in the documents previously identified under nos. XX and XX, as the subject admitted to the written tests of the competition and present in the two competition tests, with indication of the scores obtained in the written tests and of non-admission to the oral test (see minutes of the commission no. XX contained in the documents cited) .

2. Applicable law.

Pursuant to the relevant regulations, "personal data" is "any information relating to an identified or identifiable natural person (" interested party ") and" the natural person who can be identified, directly or indirectly, with particular reference to an identifier is considered identifiable such as the name, an identification number, location data, an online identifier or one or more characteristic elements of its physical, physiological, genetic, psychic, economic, cultural or social identity "(Article 4, par. 1, 1, of the GDPR).

The processing of personal data must also take place in compliance with the principles indicated in art. 5 of the RGPD, including those of "lawfulness, correctness and transparency" as well as "data minimization", according to which personal data must be - respectively - "processed in a lawful, correct and transparent manner towards the interested party", as well as "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (paragraph 1, letter aec).

In this context, the processing of personal data carried out by public entities (such as the Municipality) is lawful only if necessary "to fulfill a legal obligation to which the data controller is subject" or "for the execution of a task of public interest o connected to the exercise of public authority vested in the data controller "(art. 6, par. 1, lett. c and e, of the GDPR).

It is also provided that 'Member States may maintain [...] more specific provisions to adapt the application of the rules of this Regulation with regard to processing, in accordance with paragraph 1 (c) and (e), by determining more precisely specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing […] »(Article 6, par. 2, of the RGPD), with the consequence that the provisions contained in art. 2-ter, paragraphs 1 and 3, of the Code, where it is established that the dissemination of personal data (such as publication on the Internet), by public entities, is permitted only when provided for by a law or regulation.

In this regard, it should be noted that the sector regulations applicable to the present case contained in art. 15, paragraph 6-bis, of Presidential Decree 5/9/1994, n. 487 (Regulation containing rules on access to jobs in public administrations and the methods of conducting competitions, single competitions and other forms of recruitment in public employment), provides, first of all, that they be published "in the praetorian register of relative body "the only definitive rankings of the winners of the competition at the local authorities and not also, as in the question submitted to the attention of the Guarantor, the results of the intermediate tests or the personal data of the competitors who are not successful, not admitted or who have withdrawn .

3. Preliminary assessments of the Office on the processing of personal data carried out.

From the checks carried out on the basis of the elements acquired and the facts that emerged as a result of the preliminary investigation, as well as subsequent assessments, the Office with note prot. n. XX of the XX has ascertained that the Municipality of Casaloldo by disclosing the personal data of non-winning competitors, not admitted or who have withdrawn from the competition, including the complainant - contained in the documents identified above published on the institutional website - has carried out a processing of personal data that does not comply with the relevant regulations on the protection of personal data contained in the RGPD. Therefore, with the same note the violations carried out (pursuant to Article 166, paragraph 5, of the Code) were notified to the Municipality, communicating the start of the procedure for the adoption of the measures referred to in Article 58, par . 2,

4. Defensive memories.

With the note prot. n. XX of the XX the Municipality of Casaloldo sent to the Guarantor its defense writings in relation to the notified violations.

In this regard, we remind you that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false documents or documents, is liable pursuant to art. 168 of the Code, entitled «False statements to the Guarantor and interruption of the performance of the duties or the exercise of the powers of the Guarantor».

Specifically, it was highlighted, among other things, that:

- «On XX with letter prot. n. XX the employees assigned to the publication of the documents in the IT register and in the “Transparent Administration” section were requested to immediately remove the documents published on the institutional website - SEZ. XX - relating to the intermediate procedures of the public competition subject of the complaint, containing the references to the non-winning candidates, and in particular: of the link: "XX" the following attachments have been removed from the XX:

1) XX

2) XX

- "The documents relating to the final ranking of the competition have been left for publication, which do not contain any reference to the candidates admitted, not admitted and not winners";

- "The minutes of the insolvency proceedings were published from the XX until the removal of the XX";

- "The treatment in question refers to personal data (name and surname only) [and] is to be considered minor, also in relation to the duration of the publication which covered the period of possible appeal with extraordinary appeal 6 months)";

- "The alleged violation is not characterized by the subjective element of fault nor, even less, by the subjective element of willful misconduct";

- «Within 24 hours of receipt of the communication from the Guarantor on XX […] the immediate removal from the website was ordered - SEZ. XX - of all the documents relating to the competition procedure containing references to the candidates admitted, not admitted and not winners. The documents were removed on the same date ";

- «The Municipality of Casaloldo is a small institution of less than 3000 inhabitants, with an organic endowment of personnel just sufficient to carry out the functions of competence. The internal organization of the body takes into account the limited financial, human and instrumental resources ».

5. Outcome of the investigation relating to the complaint presented.

The issue that is the subject of the case submitted to the attention of the Guarantor concerns the dissemination of personal data and information of the subjects participating in a public selection XX, including the complainant (such as identification data and results of the intermediate tests also referring to non-winning competitors, not admitted or who have withdrawn).

In the defense briefs, the Municipality confirmed the online dissemination of the aforementioned personal data including those referring to the complainant, presenting some observations which, although worthy of consideration, do not in any case allow to overcome the findings notified by the Office with the deed of initiation of the proceeding and are insufficient to allow the filing of this proceeding, however none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019. This also considering that since 2014 the Authority, in the aforementioned Guidelines, has provided all public entities with specific indications on how to reconcile the transparency and publicity obligations of the administrative action with the right to protection of the personal data of the interested parties. .

In this context, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the aforementioned Municipality is noted, as the full publication in the "Transparent Administration" section of the institutional website of Resolution no. XX of the XX - concerning "XX" - with the relative attachments containing all the minutes of the examining commission (documents previously identified in par. XX) caused the dissemination of personal data of the competing subjects who were not successful, not admitted or who withdrawn from the competition, including the complainant (such as identification data and results of the intermediate tests also referring to non-winning competitors, not admitted or who have withdrawn), in the absence of suitable regulatory conditions and, therefore, in violation of art. 2-ter, paragraphs 1 and 3, of the Code and the basic principles of processing contained in articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the RGPD (see also the provision contained in art.15, paragraph 6-bis, of Presidential Decree 5/9/1994, n. 487).

Considering, however, that the conduct has exhausted its effects, as the Municipality has declared that it has removed the disputed documents from the institutional website, without prejudice to what will be said on the application of the pecuniary administrative sanction, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the RGPD.

6. Adoption of the injunction order for the application of the pecuniary administrative sanction (art. 58, par. 2, lett. I; 83 RGPD)

The Municipality of Casaloldo appears to have violated Articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR; as well as art. 2-ter, paragraphs 1 and 3, of the Code (see also the provision contained in Article 15, paragraph 6-bis, of Presidential Decree 5/9/1994, no. 487).

In this regard, art. 83, par. 3, of the RGPD, provides that «If, in relation to the same treatment or related treatments, a data controller or a data processor violates various provisions of this regulation with willful misconduct or negligence, the total amount of the pecuniary administrative sanction does not exceeds the amount specified for the most serious violation '.

In this case, the violation of the cited provisions - also considering the reference contained in art. 166, paragraph 2, of the Code - is subject to the application of the same pecuniary administrative sanction provided for by art. 83, par. 5, of the RGPD, which therefore applies to the present case.

The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the RGPD as well as art. 166 of the Code, has the corrective power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of every single case ". In this context, "the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount, taking into account the elements provided for by art. 83, par. 2, of the RGPD.

In relation to the aforementioned elements, the detected conduct in violation of the regulations on the protection of personal data had as its object the dissemination of personal data not belonging to particular categories or to criminal convictions or offenses (articles 9 and 10, of the RGPD ) of the subjects participating in a competition (about 50) and lasted for about six months. The Municipality of Casaloldo, which in any case is a small body (less than 3,000 inhabitants) "with a staffing staff just sufficient to carry out the functions of competence" has, moreover, highlighted the culpable nature of the violation and is activated to remove the personal data subject of the complaint, collaborating with the Authority during the investigation of this proceeding in order to remedy the violation and mitigate its possible negative effects. In the reply to the Guarantor, various technical and organizational measures implemented pursuant to art. 25-32 of the GDPR. There are no previous violations of the relevant RGPD committed by the Municipality of Casaloldo.

On the basis of the aforementioned elements, assessed as a whole, it is deemed necessary to determine pursuant to art. 83, para. 2 and 3, of the RGPD, the amount of the pecuniary sanction, provided for by art. 83, par. 5, of the RGPD, to the extent of € 2,000.00 (two thousand) for the violation of Articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the GDPR; as well as art. 2-ter, paragraphs 1 and 3, of the Code (see also the provision contained in Article 15, paragraph 6-bis, of Presidential Decree 5/9/1994, no. 487), as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same RGPD.

In relation to the specific circumstances of this case, relating to the dissemination of personal data on the web in the absence of a suitable legal basis, it is also believed that the ancillary sanction of the publication of this provision on the Internet site of the Guarantor, provided for by art. . 166, paragraph 7, of the Code and by art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019.

Finally, it is believed that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR

found pursuant to art. 57, par. 1, lett. f), of the RGPD the unlawfulness of the treatment carried out by the Municipality of Casaloldo for the violation of articles 2-ter, paragraphs 1 and 3, of the Code and the basic principles of processing contained in art. 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the RGPD in the terms set out in the motivation;

ORDER

to the Municipality of Casaloldo, in the person of the pro-tempore legal representative, with registered office in Via Roma 8 - 46040 Casaloldo (MN) - CF 81000510206, pursuant to art. 58, par. 2, lett. i) and 83 of the RGPD, as well as 166 of the Code, to pay the sum of 2,000.00 (two thousand) euros as a pecuniary administrative sanction for the violations referred to in the motivation;

INJUNCES

to the same Municipality to pay the sum of € 2,000.00 (two thousand), according to the methods indicated in the annex, within 30 days from the notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law 689/1981.

We remind you that the offender has the right to settle the dispute by paying - again according to the methods indicated in the annex - of an amount equal to half of the sanction imposed, within the term referred to in art. 10, paragraph 3, of d. lgs. n. 150 of 1/9/2011 envisaged for the filing of the appeal as indicated below (Article 166, paragraph 8, of the Code).

HAS

the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and by art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019. It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the RGPD, of art. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.