Garante per la protezione dei dati personali (Italy) - 9529527: Difference between revisions

From GDPRhub
Revision as of 12:32, 6 February 2021

Garante per la protezione dei dati personali - 9529527
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 13 GDPR
Article 14 GDPR
Article 28 GDPR
Article 30 GDPR
Article 35 GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(4)(a) GDPR
Article 83(5)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 17.12.2020
Published: 27.01.2021
Fine: 100000 EUR
Parties: Azienda Unità Sanitaria Locale Toscana Sud Est
National Case Number/Name: 9529527
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: AS

The Italian DPA imposed a fine of 100,000 euros on a local public health body for the violation of several GDPR provisions. The data processing involved the sharing of patients’ data across several health care stakeholders.

English Summary

Facts

The case involves the processing of citizens’ health data by Azienda Unità Sanitaria Locale Toscana Sud Est (hereafter simply ‘USL’), a local public health body, as part of a broader initiative from Tuscany Region related to the monitoring of chronic diseases in the population. The facts – as emerged from an initial notice received from a general practitioner (hereafter ‘GP’), the following investigation from the Italian DPA, and the information provided by the public body – read as follows.

In the context of the above-mentioned public health approach, health data was shared among several public healthcare stakeholders, including general practitioners (GPs) and public clinics, coordinated by the USL. Initially, GPs sent the USL only aggregated data pertaining to specific diseases. Until 2018, however, the USL asked GPs to fill in an Excel file with the names of the patients and their pathologies. After having gathered patients’ consent, GPs filled in the file, embedded it in a password-protected zip archive, and shared it with ‘district physicians’ via a USB stick. The file was then copied onto the district physician’s PC and sent via email to the district physician competent for the whole area, who eventually sent it by the same means to an administrative body named ‘ESTAR’. ESTAR is a data processor which manages a ‘data warehouse’ and makes data from the programme available to the USL, for monitoring purposes, via a ‘data mart’. Before entering the data warehouse, data were pseudonymised using an existing regional identifier.

Dispute

Holding

As a result of the investigation, the Garante found several violations of the GDPR. Firstly, the USL had not documented its processing activities as required by Article 30 GDPR, despite the two years between the adoption of the GDPR and its coming into force. Secondly, the legal designation of ESTAR as data processor was not clear and detailed enough to be compliant with Article 28 GDPR (nor with Article 29 of the Italian ‘Privacy Code’ implementing the Data Protection Directive, which was in force at the time of the initial designation). Thirdly, the process for the collection of data from GPs did not provide for sufficient technical and organisational measures, and was not designed following a risk-based approach. According to the Garante, the means used to gather and share data across the different stakeholders did not follow the security principles as per Article 5(1)(f) GDPR (ed.: the decision actually reads 5(2)(f)), highlighting ‘the absence of an assessment of the risks related to the data processing that should have been carried out in the context of the impact assessment, which does not appear to have been carried out’. Moreover, the information given to data subjects was lacking ‘some of the essential elements required by the regulation’ as per Articles 13 and 14 of the GDPR, such as: data retention periods, information about data subjects’ rights, contact data of the data controller and data processor, a clear description of the data processing and the legal basis for the data processing. Again, the Italian DPA stressed that such requirements preceded the entry into force of the GDPR.
Finally, the Garante found that, despite the nature of the data processed and the number of data subjects involved, no DPIA was carried out for the data processing, and that this is to be considered particularly critical as ‘some evident shortcomings concerning the adoption of adequate security measures could have been avoided if the risk of processing had been adequately assessed.’ The Italian DPA then declared the processing carried out by the USL unlawful ‘on the ground that it infringes Articles 5(2)(f), 13, 14, 28, 30, 32 and 35 of the Regulation.’

Since the beginning of the investigation, the USL proceeded to correct the violations of Articles 13, 14, 28, and 30. Given this, and the fact that it also went back to gathering only anonymous data from GPs, the Garante found that ‘the conditions for the adoption of the corrective measures referred to in Article 58(2) of the Regulation are not met’. The Authority then imposed an administrative fine on the USL as per Articles 83(5)(b) and 83(4)(a) GDPR.

The elements considered to determine the amount of the fine are the following: the fact that the Garante only received one report about the infringement, and that no data breach was reported; the fact that the data processing involved health data; the lack of risk assessment, security measures, and records of processing activities, which are part of the accountability principle as per Article 5(2) GDPR; the fact that the USL showed ‘a high degree of cooperation’; and the fact that regional authorities initiated a process to properly regulate the whole health care initiative. For these reasons, the Garante found an administrative fine of 100,000 euros to be effective, proportionate, and dissuasive. Finally, the DPA stated that ‘in quantifying the fine, the Garante took into particular consideration the fact that the violations are connected to a processing operation that started shortly before the definitive application of the Regulation.’

Interestingly, despite having found violations of several articles, the Garante stated that the fine was due to the violation of ‘Articles 13 and 28 GDPR.’

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.