Garante per la protezione dei dati personali (Italy) - 9542096

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 12(3) GDPR
Article 15 GDPR
Article 58(2)(i) GDPR
Article 58(2) GDPR
Article 77 GDPR
Article 83 GDPR
Article 83(5) GDPR
Codice in materia di protezione dei dati personali (Testo coordinato)
Regolamento n. 1/2019. Procedure interne aventi rilevanza esterna, finalizzate allo svolgimento dei compiti e all'esercizio dei poteri demandati al Garante per la protezione dei dati personali, nonche' all'adozione dei provvedimenti correttivi e sanzionatori
Legge n. 689 del 24/11/1981
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.01.2021
Published: 03.03.2021
Fine: 2000 EUR
Parties: Poliambulatorio Talenti S.r.l.
Anonymous
National Case Number/Name: 9542096
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA (Garante per la protezione dei dati personali) imposed a fine of €2,000 on Poliambulatorio Talenti S.r.l., an outpatient clinic, for failing to respond to a data subject's access request within the time limits imposed by Article 12(3) GDPR.

English Summary

Facts

On 19 September 2019, the data subject asked Poliambulatorio Talenti S.r.l. for access to his personal data and to that of his two minor daughters. On 23 October 2019, not having yet received a response from the polyclinic, he filed a complaint with the Garante. On 18 November 2019, the DPA invited Poliambulatorio Talenti to comply with the request within 20 days. Two days later, the polyclinic replied to the data subject and apologized.

Following the polyclinic's answer, the data subject complained to the Supervisory Authority that the forms relating to one of his daughters, namely the consent to the processing of personal data and the consent to receive reports from the clinic by email, bore the name of a male individual. The Garante therefore asked Poliambulatorio Talenti for clarifications, in particular on whether a data breach had occurred and on the measures implemented to ensure the accuracy and confidentiality of personal data.

In response to the request for information, the healthcare facility explained that the incorrect name had been entered in the system because the male individual shared the same surname as the mother of the complainant's minor daughters. The polyclinic also stated that the personal data of the complainant's daughters had not been communicated to said male individual or to anyone else, since the data is kept only in paper form and is accessible only to authorised internal personnel.

In subsequent documentation sent to the Garante, Poliambulatorio Talenti argued that the delay in replying to the data subject was due to issues with the hardware system, and that the inaccuracy in the name entered in the system was caused by “a material mistake due to the decision to copy by hand the data of the minor's mother”. During a hearing, the clinic also asked the Garante to close the case, or apply the lowest possible fine.

Holding

The Garante found that the defensive statements were not sufficient to overcome its initial findings and close the proceedings. Since the access request was fulfilled only 62 days after its submission, the DPA found a violation of Article 12(3) in relation to Article 15 GDPR and applied an administrative fine under Article 83(5) GDPR. The amount was set at €2,000, taking into account the negligent nature of the delay, the polyclinic's cooperation with the Supervisory Authority, and the absence of "previous relevant infringements" or "previous provisions" under Article 58 GDPR attributable to Poliambulatorio Talenti.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more detail.

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY'S MEETING, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");

HAVING REGARD to Legislative Decree no. 196 of June 30, 2003, containing the "Personal Data Protection Code", with provisions for the adaptation of the national system to the Regulation (hereinafter, "Code");

HAVING REGARD to Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution No. 98 of 4/4/2019, published in G.U. No. 106 of 8/5/2019 and at www.gpdp.it, web doc. No. 9107633 (hereinafter "Regulation of the Guarantor No. 1/2019");

Having regard to the documentation on file;

Having regard to the comments made by the Secretary General pursuant to Article 15 of the Regulation of the Guarantor No. 1/2000;

Guido Scorza, lawyer;

PREMISES

1. The Complaint

On September 19, 2019, Mr. XX exercised, against Poliambulatorio Talenti S.r.l. with registered office in Rome, via Padre Semeria, 33 C.F. 1961330584/ P.IVA 01021921000, (hereinafter the "health facility"), the right of access to personal data under Article 15 of the Regulation, in relation to the processing of both his personal data and the personal data relating to his two minor daughters.

This request was not followed by any response within the terms indicated by Article 12(3) of the Regulation and, following this, the interested party, on 23 October 2019, submitted a formal complaint to this Authority.

2. Preliminary Activity.

By memorandum no. 39690 of November 18, 2019, the health facility was formally invited by the Office to comply with the complainant's requests within 20 days of receipt of said invitation.

On November 20, 2019, this facility provided a response apologizing to the complainant "(...) for not having processed in time the (...) request to exercise (the rights under) art. 15 of Reg. EU 2016/679 and (informing him), possibly for the future, (...) (to have) prepared, starting from the (previous) year, an internal procedure that (...) allows to respond to requests to exercise the rights of interested parties through the signing of a special form in acceptance, which (...) allows to record the request and respond promptly", also attaching the relevant documentation. On the same date, it informed this Authority of that response.

Subsequently, on November 27, 2019, the complainant wrote to this Authority complaining that, among the documentation sent by the aforementioned structure and, precisely, in that concerning the consent to the processing of data, as well as the consent to send the reports by e-mail - both relating to the minor daughter of the complainant - appeared a name that the complainant reported to be the name of a man, " (...) but from the reverse tax code that reads in brackets after that name (...) it appears (...)" that this name was referred to a female individual.

By email dated December 9, 2019, the complainant, representing to this Authority that he had asked the Company for an explanation of this irregularity, stated that he was dissatisfied with the response received on November 28, 2019.

With a request for information sent to the healthcare facility with note prot. no. 19148 of May 26, 2020, pursuant to art. 157 of the Code, clarifications were requested regarding the aforementioned inaccuracies and whether, in particular, other parties, without any legitimacy, had become aware of information regarding the complainant's minor daughter, as well as clarifications regarding the measures implemented and used to guarantee the accuracy and confidentiality of personal data, in particular health data.

In a note dated June 4, 2020, the healthcare facility, in response to the request for information, stated that the inaccuracy in the signatory's personal details on the documents relating to the minor child was due to the incorrect transcription, on the aforementioned consent forms, of the name of another patient with the same surname as the mother of the complainant's minor daughters. Furthermore, it stated that, in a communication sent to the complainant, it had explained that "the forms, containing the consents and information regarding the minor (...) have not been communicated in any way (to the person whose name appears on the forms) or to any other person as these are forms kept in paper format internally and to which only authorized internal subjects have access" and that "(...) therefore, apart from the transcription error, there has been no leakage of the minor's data".

In addition, the health facility represented that "(...) the staff has been adequately informed on how to proceed and, above all, consent forms have been prepared and made available (distinct for: consents to the processing of data for the purposes indicated in the informative report / consent to the sending of reports by e-mail / consents to the venous sampling) through which it is clearly possible to enter the data of the minor/guardian and of the parent/guardian who will have to sign on his behalf", illustrating, finally, the technical-organizational security measures adopted within the Outpatient Clinic and attaching the documentation certifying the appointment of the person responsible for data protection and the relative communication to the Guarantor.

With memorandum no. 22936 of June 22, 2020, the Office, on the basis of the elements acquired, notified the health facility, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulations, inviting the aforesaid owner to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of November 24, 1981).

With the above-mentioned note, the Office stated that it had ascertained that the healthcare facility had only responded to the request for access to the data made by the interested party following the invitation made by the Office as part of the procedure relating to the claim submitted by the latter, pursuant to art. 77 of the Regulation, i.e. after 62 days from the date on which the interested party had exercised his or her right; this, in violation of art. 12, par. 3, in relation to art. 15 of the Regulation.

With regard to the notified violation, the health care facility sent its defensive memoranda with a note dated June 25, 2020, representing that "the critical profiles that involved Poliambulatorio Talenti Srl as Data Controller concerned the failure to comply with the provisions of art. 12, paragraph 3, which requires the Controller to provide the interested party with information about the right exercised within one month; this deadline was not met due to problems with the hardware system that (...) led to the change of the PC (so) it was not possible to view the email [relating to the request for access submitted by the interested party] within the prescribed time" and asking to be heard by the Authority.

With regard to the inaccuracy "of the personal data concerning the signatory of the documents relating to the minor (...), it was a material error due to the decision to copy by hand the data of the minor's mother (...) on the consent document generated by the management software. The problem arose from the impossibility of inserting in this software the personal data of the minor and the personal data of the signatory parent separately. In manually reporting this data on the consent form, a material error was made, which led to the data being copied from the top line of the management software, relating to Mr. XXX (having the same surname as the mother of the minor daughter of the complainant). There was no communication of the data of the minor (...) to Mr. XXX."

On November 11, 2020 a hearing was held pursuant to art. 166, paragraphs 6 and 7, of the Code and art. 18, paragraph 1, of law no. 689 of November 24, 1981. On this occasion, the health facility reiterated what had already been represented in the defense briefs, requesting that the proceedings be archived or, alternatively, that a penalty be applied to the lowest possible extent.

3. Personal data protection regulations

Articles 12 et seq. of the Regulation, concerning the "rights of the data subject", provide for the data subject's right to obtain from the data controller the information requested pursuant to articles 15 to 22 of the Regulation itself (in this specific case, pursuant to article 15 and Recital 63), without undue delay and, in any case, within one month of receiving the request at the latest. This, unless there is one of the cases of limitation of the rights of the interested party, exhaustively indicated in art. 23 of the Regulation and 2-undecies of the Code, which are not relevant to the case in question.

4. Outcome of the preliminary investigation

In the light of the above evaluations, it is noted that the statements made by the data controller in the defensive writings (for the truthfulness of which one may be called to account pursuant to art. 168 of the Code), although worthy of consideration, do not allow the findings notified by the Office with the act of initiation of the proceedings to be overcome and are insufficient to allow the dismissal of these proceedings; moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor No 1/2019 applies.

In the case complained of, since the healthcare facility provided feedback to the exercise of the right of access to personal data - made by the complainant on September 19, 2019 - on November 20, 2019, i.e. after 62 days from the date of submission of such request for access and, therefore, well beyond the one-month period provided for by Article 12 of the Regulation, the Office's preliminary assessments regarding the ascertained violation of Article 12, paragraph 3, in relation to Article 15 of the same Regulation are confirmed.

Violation of the above provisions makes the administrative penalty provided for by art. 83, paragraph 5 of the Regulations applicable, as also referred to in art. 166, paragraph 2, of the Code.

In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of the corrective measures pursuant to art. 58, paragraph 2, of the Regulations do not apply.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (art. 58, paragraph 2, letter i), and 83 of the Regulations; art. 166, paragraph 7, of the Code).

The Supervisory Authority, pursuant to articles 58, paragraph 2, letter i), and 83 of the Regulations as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each case" and, within this framework, "the Board [of the Supervisory Authority] adopts the injunction, with which it also orders the application of the accessory administrative sanction of its publication, in full or in extracts, on the website of the Supervisory Authority pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Regulation of the Garante).

In this regard, the violation of the cited provisions is subject to the application of the pecuniary administrative sanction provided by Article 83, paragraph 5, of the Regulation.

The amount of the fine imposed must be determined on the basis of the circumstances of each individual case, taking into account the principles of effectiveness, proportionality and dissuasiveness set out in art. 83, paragraph 1, of the Regulation, in the light of the factors set out in art. 83, paragraph 2, of the Regulation. In this regard, account is taken of the culpable nature of the untimely response provided by the healthcare facility, caused by technical problems with the hardware system, as well as of the fact that the facility cooperated with the Authority during the preliminary investigation of the present procedure and that there are no previous relevant violations committed by the facility itself, nor previous measures referred to in art. 58 of the Regulation adopted against it.

On the basis of the above elements, taken as a whole, the amount of the fine should be set at 2,000.00 (two thousand) euros for the violation of art. 12, paragraph 3, in relation to art. 15 of the Regulations.

It is also considered that the ancillary sanction of the publication on the website of the Guarantor of this measure, provided for in art. 166, paragraph 7, of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019 should be applied.

It should be noted, finally, that the requirements of art. 17 of Regulation no. 1/2019 concerning the internal procedures having external relevance, aimed at the performance of tasks and the exercise of powers delegated to the Guarantor.

ON THE BASIS OF THE ABOVE, THE GUARANTOR

noted the violation of art. 12, par. 3, in relation to art. 15 of the Regulation by Poliambulatorio Talenti S.r.l. in the terms set out in the grounds;

ORDERS

Poliambulatorio Talenti S.r.l. in the person of its pro-tempore legal representative, with registered office in Rome, via Padre Semeria, no. 33 C.F. 1961330584/ P.IVA 01021921000 in accordance with art. 58, par. 2, lett. i), and 83, par. 5, of the Regulations and 166, paragraph 2, of the Code, to pay the sum of €2000.00 (two thousand) as a fine for the violation indicated in the grounds; it should be noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half the fine imposed;

URGES

the same health facility to pay the sum of € 2,000.00 (two thousand), in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the procedures indicated in the annex, within 30 days of notification of this measure, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981;

DIRECTS

the publication of this measure on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code;

the annotation of this measure in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, of the violations and of the measures adopted in compliance with art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulations, art. 152 of the Code and 10 of Legislative Decree no. 150 of September 1, 2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the measure itself, or within sixty days if the appellant resides abroad.

Rome, January 14, 2021