Garante per la protezione dei dati personali (Italy) - 9538748
|Garante per la protezione dei dati personali - 9538748
|Garante per la protezione dei dati personali (Italy)
|Article 5(1)(f) GDPR
Article 32 GDPR
|Agenzia regionale protezione ambientale Campania
|National Case Number/Name:
|European Case Law Identifier:
|Italian DPA website (in IT)
The Italian DPA (Garante per La Protezione Dei Dati Personali) fined the Agenzia Regionale Protezione Ambientale Campania (ARPAC) €8000 for the lack of appropriate security measures to prevent data breach.
Following a data breach notification from ARPAC, the Italian DPA started a proceeding aimed at checking the security measures implemented by the notifier.
The Italian DPA found that the violation of personal data was due to the lack of an adequate security framework in line with art. 5(1)(f) and 32 GDPR. More specifically: (i) no backup or disaster recovery plan to restore the availability and access to personal data in a timely manner; (ii) no measures to ensure the ongoing confidentiality of data subjects' identity, and (iii) no process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Therefore, the Italian DPA fined ARPAC for not complying with art. 5(1)(f) and 32 GDPR. However, given the initiatives adopted by ARPAC to mitigate the risk of new breaches, the fine was of EUR 8,000 only.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web no. 9538748]. Injunction order against Agenzia regionale protezione ambientale Campania (ARPAC) - 14 January 2021 Register of measures No 5 of 14 January 2021 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA At today's meeting, attended by Prof. Pasquale Stanzione, chairman, Prof. Ginevra Cerrina Feroni, vice-chairman, Dr. Agostino Ghiglia and Dr. Guido Scorza, members, and cons. Fabio Mattei, Secretary General; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter the "Regulation"); HAVING REGARD to the Personal Data Protection Code, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree No 196 of 30 June 2003, as amended by Legislative Decree No 101 of 10 August 2018, hereinafter the "Code"); HAVING REGARD to Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Garante for the protection of personal data, approved by Resolution No. 98 of 4 April 2019, published in G.U. No. 106 of 8 May 2019 and available on the website www.garanteprivacy.it, doc. web No. 9107633 (hereinafter 'Garante Regulation No. 1/2019') HAVING REGARD to the documentation on file; HAVING REGARD TO the comments made by the Secretary General pursuant to Article 15 of the Regulation of the Garante no. 1/2000 on the organisation and functioning of the Office of the Garante for the protection of personal data (web doc. no. 1098801); Rapporteur Prof. Pasquale Stanzione; WHEREAS 1. The violation of personal data. By means of notes received on XX and XX (respectively, prot. no. XX and XX), the Campania Regional Environmental Protection Agency (hereinafter, "ARPAC" or "Agency") notified this Authority of the personal data breach referred to in Article 33 of the Regulation, consisting in the loss of a device containing personal data. On the basis of what ARPAC stated in the aforementioned notes - the violation concerned the theft of an external hard disk, which took place on XX, at the premises of the U.O.C. Contaminated Sites and Remediation of the Agency; - This device contained personal data such as copies of identification documents, tax documents (CUD, F24 and 730 forms), pay slips, reimbursement files and a list containing analytical data relating to judicial proceedings; - it is not ruled out 'that the data breach was malicious', and it is considered that such breach 'entailed an unlawful removal and possible unauthorised disclosure of the data contained in the external hard disk', and therefore that it, 'by virtue of the number of data subjects, the nature, number and degree of sensitivity of the personal data breached, could determine a consequent risk for the freedoms and rights of the data subjects'; - this breach, moreover, would have compromised both the confidentiality of the aforementioned data and their availability, since 'the backup save [was] not successful, as a result of which the data [were] almost all irreparably lost'. As specified in the complaint to the Carabinieri Command made on XX, 'The data in question had been backed up on XX, therefore those saved after that date have been lost'; - the hard disk which had been stolen was 'connected to the server installed in a room to which any employee can have access', as well as the employees of ARPAC Multiservizi, an in-house company of the Agency. 2. The preliminary investigation. By means of deed no. XX of XX (notified on the same date by certified e-mail), which is deemed to be reproduced here in its entirety, the Office initiated proceedings pursuant to article 166, paragraph 5, of the Code, with reference to the specific situations of unlawfulness referred to therein, for the adoption of the measures pursuant to article 58, paragraph 2, of the Regulation against ARPAC, for breach of articles 5, paragraph 1, letter f), and 32 of the Regulation. In a note dated XX (our prot. no. XX of XX), ARPAC submitted its defence, pursuant to article 166, paragraph 6, of the Code, in which it stated, in particular, that: - as part of the more general process of compliance with the principles and rules of the Regulation, it has adopted, inter alia, 'an information security management system capable of identifying any vulnerabilities in ARPAC's data architecture, by adhering to the Consip Framework Contract relating to "Digital Identity Management and Application Security Services" -Deliberation XX of XX" (describing the services contracted), as well as, with reference to the resources on the internet network, a series of multi-level security measures (Firewall protection, security measures for individual workstations, security measures for servers); - with reference to the specific case, the server to which the stolen hard disk was connected "is normally used as a "Shared Area Server for internal use" in which the technical staff of the Analytical Area inserts, in the files of the Provisional Test Reports (Provisional Certificates of Analysis) the data resulting from the processing of analytical parameters determined in the samples under analysis. [...] From the subsequent investigation carried out [...] it was found that in the above server are also stored spreadsheets (in . xls format), methods of analysis, unsigned letters of transmission of documentation in word format, unsigned proposals for resolutions or determinations (these are mere drafts in word, of work in the study and processing phase and not "judicial data" as erroneously identified in the Data Breach Report Form), documentation accompanying the same resolutions and/or determinations, such as requests, offers and declarations of suppliers", as well as copies of the identity documents of the legal representatives of the latter; - inside the device there were also 'personal data of the employees authorised to access the hard disk in question, which is in any event protected by a password, as well as those of their families, [which] have never been requested by ARPAC. In fact, it should be noted that such data have been improperly stored directly by the abovementioned staff and on their own initiative on that shared medium in their personal files'; - all the interested parties identified above (legal representatives of suppliers, employees, their families and external collaborators) would have been contacted in order to be informed 'of the theft/loss, for their own protection', through communications made by email, 'urging them to activate every possible precaution aimed at protecting themselves from potential negative consequences due to the violation suffered'; - moreover, "in order to mitigate, from an organisational point of view, further and potential similar episodes", as well as "pending the implementation of Resolution no. XX of XX adhering to the previously mentioned Consip Framework Contract", special physical security measures were also adopted. "At the same time, all staff were urged not to use all the agency IT tools and not for personal purposes, as per the ICT Regulations"; - Finally, 'further investigations carried out have not revealed any negative consequences, which seem highly unlikely, with regard to the possible improper use of personal data of both employees and outsiders'. With regard to some aspects not yet clarified, in response to the request for information sent by the Office, pursuant to art. 157 of the Code, on XX (prot. no. XX), ARPAC provided the requested feedback, with notes of XX and XX (respectively, prot. no. XX and XX): - enclosing a copy of the notices of infringement sent to the persons concerned pursuant to Articles 33 and 34 of the Regulation (dated XX); - producing the "self-declaration of the employees concerning the voluntary storage of their personal data on the hard disk" (dated XX), in which they acknowledge "the improper use of the data and the damage that could be caused by it"; - confirming that the aforementioned physical security measures had been put in place; - describing the 'implementation of the security measures that the SINF Service has intended to adopt, with particular reference to the aspects concerning the analysis of the risks and the measures envisaged to eliminate or at least mitigate them', which is currently in progress; - transmitting, by courier, a CD containing "a copy of the Test Reports relating to the year XX in .pdf format and a copy of the respective spreadsheets in excel format (work sheets), contained in the Hard Disk object of subtraction, as clear evidence that the same do not contain personal data relating to criminal convictions and offences or to related security measures, referred to in Article 10 of the Regulation"; - finally, communicating the request made to the Command of the Carabinieri, aimed at acquiring information about the possible developments of the investigations started on the matter. 3. Outcome of the investigation. Article 5(1)(f) of the Regulation lays down the principle of integrity and confidentiality, according to which personal data shall be 'processed in a way that ensures appropriate security of personal data, including protection, by appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage'. In implementation of this principle, the subsequent art. 32 states that "Having regard to the state of the art and the cost of its implementation, and having regard to the nature, subject-matter, context and purposes of the processing, as well as to the risk of varying degrees of likelihood and severity to the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which shall include, inter alia, where appropriate: (a) pseudonymisation and encryption of personal data; (b) the ability to ensure, on a permanent basis, the confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore in a timely manner the availability of and access to personal data in the event of a physical or technical incident; (d) a procedure to regularly test, verify and evaluate the effectiveness of technical and organisational measures to ensure the security of processing" (para. d) a procedure to regularly test, verify and evaluate the effectiveness of the technical and organisational measures to ensure security of processing' (para. 1) and that 'In assessing the appropriate level of security, special consideration shall be given to the risks presented by the processing, resulting in particular from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed' (para. 2). The case in question concerns, therefore, a personal data breach, meaning a "breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorised disclosure of or access to the personal data transmitted, stored or in any case processed" (art. 4, no. 12), of the Regulation), since there has been "an unlawful removal and possible unauthorised disclosure of the data contained on the external hard disk", as notified by ARPAC to this Authority pursuant to art. 33 of the Regulation. With regard to the aforementioned legal framework, it emerged that the reported personal data breach was made possible by the absence of the necessary measures to ensure a level of security appropriate to the risk, as required by Article 32 of the Regulation. Indeed, the documentation in the file shows that they had not been adopted: - measures necessary to allow the continuity, on a permanent basis, and the restoration of the availability of personal data stolen, since it was recognized, by ARPAC, as the backup operations were not successful and therefore, even if only considering those recorded until the XX, "the data [have] almost all been irreparably lost"; - techniques capable of ensuring the non-identifiability of the data subjects to whom the personal data contained in the device referred, in order to limit the risk of their consultation by persons not duly authorised (such as pseudonymisation or encryption of data), also taking into account that any employee could have access to the premises where the stolen device was kept; - procedures for regularly testing, verifying and evaluating the effectiveness of technical and organisational measures to ensure the security of processing. The arguments put forward by the data controller in its defence refer to the measures adopted after the episode that caused the loss of the hard disk, or in any case in the course of preparation at that time. The initiatives described, although worthy of consideration in the terms that will be set out below, do not eliminate the fact that, at the time when the loss of the device containing the personal data occurred, adequate technical and organisational measures had not been adopted to ensure protection against unauthorised or unlawful processing or loss, and to ensure a level of security appropriate to the risk. For these reasons, on the basis of the elements acquired and the facts that emerged during the preliminary investigation, it is established that ARPAC, in relation to the facts under examination at the time of the loss of the hard disk, was responsible for the violation of Articles 5(1)(f) and 32 of the Regulation. 4. Conclusions. In the light of the aforementioned assessments, taking into account the statements made by the data controller during the preliminary investigation - the truthfulness of which may be questioned pursuant to art. In the light of the above mentioned assessments, taking into account the statements made by the data controller in the course of the preliminary investigation - the truthfulness of which may be called to account pursuant to Article 168 of the Code - it should be noted that the elements provided by the data controller in the defence briefs, as well as in the elements provided following the subsequent request for information, although worthy of consideration, do not allow to overcome the findings notified by the Office with the act of initiation of the procedure and are insufficient to allow the closure of the proceedings, since none of the cases provided for by Article 11 of the Regulation of the Garante no. 1/2019 apply. Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by ARPAC is noted, for not having adopted adequate technical and organisational measures to ensure protection against unauthorised or unlawful processing or loss, and to ensure a level of security appropriate to the risk, in breach of Articles 5(1)(f) and 32 of the Regulation. Violation of the aforementioned provisions makes the administrative sanction provided for by Article 83, paragraph 5, of the Regulation applicable, pursuant to Articles 58, paragraph 2, letter i), and 83, paragraph 5, of the Regulation. 5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58(2)(i) and 83 of the Regulation; Article 166(7) of the Code). Pursuant to Articles 58(2)(i) and 83 of the Regulation and Article 166(7) of the Code, the Guarantor has the power to impose administrative fines and accessory sanctions. Article 58(2)(i) and 83 of the Regulation, as well as Article 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, within this framework, "the Board [of the Guarantor] shall adopt the injunction, whereby it shall also order the application of the accessory administrative sanction of its publication, in full or in extracts, on the website of the Guarantor pursuant to Article 166(7) of the Code" (Article 16(1) of the Regulation of the EDPS). 16(1) of the Garante's Regulation No. 1/2019). In this regard, taking into account Article 83, paragraph 3, of the Regulation, in the case at hand, the violation of the cited provisions is subject to the application of the same pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation. The amount of the fine imposed must be determined on the basis of the circumstances of each individual case, taking due account of the factors referred to in Article 83(2) of the Regulation. In relation to the aforementioned elements, it was also considered that the violation concerned personal data which, in terms of quality and quantity, were not particularly important - moreover, according to what was stated, in part improperly stored by the data subjects themselves - and from which special categories of personal data and personal data relating to criminal convictions and offences, as referred to in Articles 9 and 10 of the Regulation, were excluded. In addition, the Agency has taken favourable account of the fact that some of the data were improperly stored by the data subjects themselves - and that special categories of personal data and personal data relating to criminal convictions and offences, as referred to in Articles 9 and 10 of the Regulation, were excluded, and only emerged as a result of an allegedly criminal act carried out by persons to be identified (in relation to which the Agency immediately lodged a complaint with the authorities competent to ascertain any criminal liability). Furthermore, the technical and organizational measures that the Agency has declared to have already predisposed in a transitory way and those in course of predisposition have been favourably considered, as well as the full cooperation shown towards the Authority in furnishing elements for the reconstruction of the event and for the mitigation of the possible negative effects of the violation (including the communication of the violation to the interested parties according to Art. 34 of the Regulation). On the basis of the aforementioned elements, assessed as a whole, the amount of the fine shall be set at €8,000.00 (eight thousand) for the breach of Articles 5(1)(f) and 32 of the Regulation, as an administrative pecuniary sanction deemed, pursuant to Article 83(1) of the Regulation, to be effective, proportionate and dissuasive. Taking into account that the violation has emerged on the occasion of a presumably criminal conduct which could have criminal aspects, given the complaint submitted by the Agency to the competent authorities, it is also considered that the accessory sanction of the publication of this measure on the website of the Garante, provided for in Article 166, paragraph 7, of the Code and Article 16 of the Regulation of the Garante no. 1/2019, should apply. Finally, it should be noted that the requirements of Article 17 of the Regulation of the Guarantor No 1/2019 are met. ALL OF THE ABOVE THE GUARANTOR noted the unlawfulness of the processing carried out by the Regional Environmental Protection Agency Campania (ARPAC) for violation of Articles 5(1)(f) and 32 of the Regulation, in the terms set out in the grounds, ORDER the Agenzia regionale protezione ambientale Campania (ARPAC), in the person of its legal representative pro tempore, with registered office in Naples, Via Vicinale S. Maria Del Pianto - Centro Polifunzionale, Torre 1, Tax Code 07407530638, pursuant to articles 58, paragraph 2, letter i), and 83, paragraph 5, of the Regulation, to pay the sum of EUR 8,000.00 (eight thousand) as a pecuniary administrative sanction for the violations indicated in the grounds. It should be noted that the offender, pursuant to article 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed; INITIATES to the aforesaid Agency, in the event of failure to settle the dispute pursuant to Article 166, paragraph 8, of the Code, to pay the sum of EUR 8,000.00 (eight thousand) in the manner indicated in the annex, within 30 days of the notification of this measure, under penalty of the adoption of the consequent executive acts pursuant to Article 27 of law 689/1981; PROVISIONS a) pursuant to Article 166, paragraph 7, of the Code and Article 16 of the Regulation of the Guarantor no. 1/2019, the publication of this measure on the website of the Guarantor, considering that the prerequisites set out in Article; b) pursuant to Article 17 of the Regulation of the Guarantor No 1/2019, the annotation in the internal register of the Authority of the violations and measures adopted, pursuant to Article 58, paragraph 2, of the Regulation, with this measure. Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree 150/2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the measure itself, or within sixty days if the applicant resides abroad. Rome, 14 January 2021 THE PRESIDENT Stanzione THE REPORTER Stanzione THE SECRETARY GENERAL Mattei