Garante per la protezione dei dati personali (Italy) - 9524175

From GDPRhub
Garante per la protezione dei dati personali - 9524175
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 13 GDPR
Article 14 GDPR
Article 28(2) GDPR
Article 28(3) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 17.12.2020
Fine: 500000 EUR
Parties: Roma Capitale
National Case Number/Name: 9524175
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: n/a

The Italian DPA (Garante) fined the Municipality of Rome €500,000 for unlawfully processing personal data of users and employees through the "TuPassi" appointment booking system, in violation of Articles 5, 13, 14, 28 and 32 GDPR.

English Summary

Facts

With a previous measure (n. 81 of 7 March 2019) the Garante already declared the unlawfulness of the processing activity deployed by the Municipality of Rome via the use of the system "TuPassi".

In that occasion, the Garante found that the processing was in violation of:

  • The principles of lawfulness, fairness and transparency, f. Article 5(1)(a)
  • The obligation of providing a privacy notice to the data subjects as by Articles 13 and 14
  • The obligation to regulate the relation with the processor as by Article 28(2) and (3)
  • The obligation to adopt technical and organizational measures to ensure the security of the processing as by Article 32.

The processing involved a large amount of personal data, including sensitive ones related to bookings of various healthcare services. The system acquired and stored on the servers of the Municipality for a long period of time, numerous users' personal data relating to reservations (type of service, channel used, date and time of the reservation) and of the staff employed in the management of appointments.

The system also recorded and generated daily reports containing detailed information of the work activity (date, type of service, name of the counter attendant, call time and waiting time). All operations were carried out without the users or employees having received complete information on the processing made possible by the application. The DPA also considered the technical and organizational measures implemented by the Municipality to be inadequate insofar as they did not regulate the relationship with the service provider.

Holding

The Garante found the processing activity in violation of Articles 5, 13, 14, 28 and 32 GDPR and fined the Municipality of Rome €500,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

doc. web n. 9524175].

Injunction order against Roma Capitale - 17 December 2020

Register of measures No 280 of 17 December 2020

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT TODAY'S MEETING, attended by Prof. Pasquale Stazione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");

HAVING REGARD TO Legislative Decree No 196 of 30 June 2003 on the "Personal Data Protection Code, laying down provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter, the "Code")

HAVING REGARD to Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Garante for the protection of personal data, approved by resolution No. 98 of 4/4/2019, published in G.U. No. 106 of 8/5/2019 and at www.gpdp.it, web doc. No. 9107633 (hereinafter "Garante Regulation No. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD TO the comments made by the Secretary General pursuant to Article 15 of the Regulation of the Garante no. 1/2000 on the organisation and functioning of the office of the Garante for the protection of personal data, web doc. no. 1098801;

REPORTER Prof. Pasquale Stazione;

WHEREAS

1. Unlawfulness of the processing of personal data carried out by Roma Capitale through the "Tu Passi" booking system.

By order no. 81 of 7 March 2019, adopted following a complex preliminary activity and investigations carried out pursuant to Article 58 of the Regulation and 157 and 158 of the Code, it was declared unlawful to process personal data of users and employees carried out by Roma Capitale through the "TuPassi" system, provided by Miropass s.r.l. (hereinafter, the "Company"), used since 2015 for the purpose of booking appointments and providing counter services.

With the aforementioned measure, the Guarantor has declared unlawful the processing carried out with this system for violation of Articles 5, 13, 14, 28 and 32 of the Regulation and Articles 13 and 29 of the Code, in relation to the processing carried out prior to the amendments made to the same by Legislative Decree no. 101/2018.

In particular, it appears to have been established that the processing was carried out in contrast:

- with the principles of lawfulness, fairness and transparency (Article 5(1)(a)) and with the obligation placed on the data controller to provide information to users and employees (Articles 13 and 14 of the Regulation, formerly Article 13 of the Code, prior to the amendments made to it by Legislative Decree No. 101/2018);

- with the obligation to regulate, by means of an act having the characteristics set out in Article 28, paragraphs 2 and 3 of the Regulation (formerly Article 29 of the Code, prior to the amendments set out in Leg. Decree No. 101/2018), the processing of personal data entrusted, on behalf of the owner, to the Company within the scope of the assistance and maintenance services of the "TuPassi" system;

- with the obligation to adopt technical and organisational measures to ensure a level of security appropriate to the risk, taking into account, in particular, the nature, object, context, purpose and risks inherent in the processing for the rights and freedoms of natural persons (Article 32 of the Regulation).

The same measure prescribed "appropriate corrective actions aimed at eliminating the technical and organisational criticalities (see paras. 3.1 to 4)", ordering the body to communicate the initiatives undertaken within 90 days from the date of receipt of the measure, providing adequately documented feedback in this regard (see the provision cited above).

With the note of XX (prot. no. XX), the Office notified the measure to the Entity at the same time as the initiation of the proceedings, pursuant to Article 166, paragraph 5, of the Code, for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulation, inviting the above mentioned data controller to produce to the Guarantor defensive writings or documents or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code; as well as Article 18, paragraph 1, of Law no. 689 of 24/11/1981).

In a note dated XX, prot. XX, the Entity sent its defence in relation to the notified breaches, stating, in particular, that it had "provided for the implementation of all the appropriate activities necessary to ensure the timely compliance with the regulatory requirements" and that it had proceeded "to designate the company [...] as data processor [.... ] with a measure digitally signed on XX (XX)", reserving the right to communicate, within the timeframe and in the manner provided for by measure no. 81 of 2019, "the initiatives undertaken to implement the provisions contained in the measure, with particular reference to the profiles of computer security in data traffic between the systems that make up the Tupassi architecture".

In the course of the investigation, the Entity has provided, at different times, also upon specific request of the Office (see, for instance, notes of XX, prot. XX and of XX prot. no. XX), further elements and copious documentation, not always relevant, aimed at documenting the fulfilment of the requirements set forth in order no. 81 of 7 March 2019 (see, minutes of the hearing convened ex officio at the offices of the Guarantor of XX and notes of XX, prot. no. XX, of XX, prot. no. XX and of XX, prot. no. XX).

The complete compliance of the Entity with the requirements set out in the provision of 7 March 2019, no. 81 was finally acknowledged by the Office with the note of XX, prot. no. XX.

2. Conclusions.

In light of the declarations made by the data controller in his defence, the truthfulness of which may be called to account pursuant to Article 168 of the Code, and the documentation produced by the data controller, taking into account also that the data controller has not contested the substantive aspects ascertained in order no. 81 of 7 March 2019 and notified by the Office with the notice of initiation of proceedings, the Office's assessments regarding the unlawfulness of the processing of personal data, users and employees, carried out by the Authority, are confirmed. 81 and notified by the Office with the act of initiation of the proceedings, the Office's assessments regarding the unlawfulness of the processing of personal data, of users and employees, carried out by the Entity through the "Tu Passi" system for the booking of services at the counter, for violation of Articles 5, 13, 14, 28 and 32 of the Regulation are confirmed.

Although the processing was undertaken by the Entity in the period prior to the entry into force of the Regulation (the "Tu passi" system appears to have been adopted as early as 2015), for the purposes of identifying the applicable legislation, in terms of time, it should be borne in mind that, according to the principle of legality referred to in Article 1, paragraph 2, of Law no. 689/1981, "The laws that provide for administrative sanctions apply only in the cases and times considered therein". From this follows the need to take into consideration the provisions in force at the time of the violation committed; in the case in question, given the permanent nature of the offence contested, this moment must be identified at the time of the cessation of the unlawful conduct, determined with the implementation of the measure of 7 March 2019, no. 81 and therefore in the full force of the provisions of the Regulations and the Code (as amended by Legislative Decree 101/2018).

The breach of the aforementioned provisions therefore makes the administrative sanction provided for in Article 83(4) and (5) of the Regulation applicable, pursuant to Articles 58(2)(i) and 83(5) of the Regulation itself as also referred to in Article 166(2) of the Code.

In this context, considering that the conduct has exhausted its effects, since the necessary measures have been adopted over time to comply with the provisions of the aforementioned measure, in order to make the processing compliant with the rules on the protection of personal data, as noted in the note of XX, prot. XX, there are no grounds for the adoption of further corrective measures referred to in Article 58(2) of the Regulation.

3. Adoption of the injunction order for the application of the pecuniary administrative sanction and of the accessory sanctions (art. 58, par. 2, lett. i and 83 of the Regulation; art. 166, par. 7, of the Code).

Pursuant to Articles 58(2)(i) and 83 of the Regulation and Article 166 of the Code, the Guarantor has the power to "impose an administrative fine pursuant to Article 83, in addition to or instead of the [other] [corrective] measures referred to in this paragraph". 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, within this framework, "the College [of the Guarantor] adopts the injunction order, with which it also orders the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Art. 16, paragraph 1, of the Guarantor's Regulation No. 1/2019).

In this regard, taking into account Article 83, paragraph 3, of the Regulation, in the case in question - also considering the reference contained in Article 166, paragraph 2, of the Code - the violation of the cited provisions is subject to the application of the same administrative pecuniary sanction provided for in Article 83, paragraph 5, of the Regulation.

The amount of the aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, shall be determined by taking into due account the elements provided for in Article 83(2) of the Regulation.

In relation to the aforementioned elements, consideration was given to the large number of interested parties (users and employees) who have used the system over time to book and manage appointments with the offices of the Entity and the duration of the overall processing, which began in 2015. Consideration was also given to the manner in which, during the preliminary investigation, the Entity provided the elements of assessment requested by the Office, by means of numerous submissions of documentation, at times irrelevant, with inevitable repercussions on the timeliness of the definition of the procedure, also in the phase of verification of the correct compliance with measure no. 81/2019. This was also due to the operational difficulties encountered by the Data Protection Officer - who, moreover, was subject to changes during the preliminary investigation - in cooperating effectively and adequately acting as a contact person for the administration as well as a "point of contact for the authority for matters related to the processing" (Article 39(1)(d) and (e) of the Regulation), as a result of the not always appropriate organisational choices of the Entity. For the purposes of the overall commensuration of the sanction, it was also considered that in relation to the obligation to provide information to users of the "Tupassi" system, there is a specific previous sanction (cf. act of contestation of administrative violation of 23 May 2018 no. 51, defined with registration, pursuant to Article 18, paragraph 2, of Legislative Decree 101/2018, "with reference to data processing carried out until that date", see point 3.1. prov. no. 81/2019). The same violation was again ascertained, together with the other profiles, during the checks carried out in October 2018 (see, note of XX, prot. no. XX initiating the procedure, pursuant to Article 166, paragraph 5, of the Code).

On the other hand, it was considered that, as already pointed out by the Guarantor, some of the contested violations originated from the specific characteristics of the system used by the Body for the booking services, which in the "standard version", originally distributed by the supplying Company, did not allow "to configure "case by case" the typology of the processed data and the maximum retention times, and therefore to respect the principles applicable to the data processing (Art. 5, para. 1, spec. lett. a), b), c) and e) Regulation)". (cf. paragraph 5, Provv. cit.). Without prejudice to the attribution of responsibility to the data controller for the alleged infringements, this circumstance was in any case taken into account for the purposes of calculating the penalty. Account was also taken of the undertaking given by the Entity to bring its processing operations into line with the rules on the protection of personal data (regulation of the relationship with the supplier pursuant to Article 28 of the Regulation, integration of the information notice, suspension of the reporting functions, identification of the data retention periods).

Due to the aforementioned elements, assessed as a whole, it is deemed necessary to determine the amount of the pecuniary sanction also taking into account the first application phase of the sanctioning provisions pursuant to Article 22, paragraph 13, of Legislative Decree 10/08/2018, no. 101, in the amount of EUR 500,000 (five hundred thousand) for the violation of Articles 5, 13, 14, 28 and 32 of the Regulation. In quantifying the sanction, the Garante has taken into particular consideration the fact that the violations are connected to processing that began before the Regulation was finally applied.

Taking into account the particular sensitivity and the number of data processed, it is also considered that the ancillary sanction of the publication of this measure on the website of the Garante, as provided for in Article 166, paragraph 7 of the Code and Article 16 of the Regulation of the Garante no. 1/2019, should apply.

Lastly, it should be noted that the conditions set out in Article 17 of Regulation No. 1/2019 concerning internal procedures of external relevance, aimed at performing the tasks and exercising the powers delegated to the Garante, are met.

HAVING REGARD TO THE FOREGOING, THE SUPERVISOR

having noted the unlawfulness of the processing carried out by Roma Capitale on the grounds of breach of Articles 5, 13, 14, 28 and 32 of the Regulation in the terms set out in the grounds;

ORDERS

Roma Capitale in the person of its pro-tempore legal representative, with registered office in Rome, p.zza del Campidoglio, tax code 02438750586, pursuant to articles 58, paragraph 2, letter i), and 83, paragraph 5, of the Regulation and 166, paragraph 2, of the Code, to pay the sum of EUR 500,000.00 (five hundred thousand) by way of pecuniary administrative sanction for the violations indicated in the grounds; it should be noted that the offender, pursuant to art. 166, paragraph 8, of the Code (see also art. 10, paragraph 3, of the legislative decree no. 150 of 1/9/2011), the offender has the right to settle the dispute by paying, within the term of 30 days, an amount equal to half of the fine imposed, according to the modalities indicated in the annex;

ENJOINS

Roma Capitale to pay the sum of euro 500,000.00 (five hundred thousand) in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, in accordance with the procedures indicated in the annex, within 30 days of the notification of this measure, under penalty of the adoption of the consequent executive measures pursuant to art. 27 of law no. 689/1981;

DISPOSES

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the website of the Guarantor, considering that the conditions of art. 17 of the Regulation of the Guarantor no. 1/2019 are met.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the measure itself, or within sixty days if the appellant resides abroad.

Rome, 17 December 2020

THE PRESIDENT Stanzione

THE REPORTER Stanzione

THE SECRETARY GENERAL Mattei