A School Has Been Sanctioned: An Employee's Health Data Were Published Online


The Italian Data Protection Authority has returned to the age-old question of the delicate balance between the transparency obligations of public administrations (lato sensu) and the rights of data subjects, imposing a sanction of 2,000 EUR for unlawful processing of personal data with provision no. 255 of 24 June 2021. The case concerns a data breach affecting an employee whose personal data were published online in the “Administrative Transparency” section of the school's website; some of those data related, in particular, to the employee's health status (health data).

The employee had submitted these data through the Institute's portal in support of a personal request/application, and the school's administrative staff had flagged them as documents accessible to the public and freely consultable.

Once the documents had been marked as public, the personal data were available both from the school's web page and through search engines, in particular Google, where entering the employee's name returned an indexed result leading to the directory in which the files were located.

From the outset, the data subject exercised the rights recognized by the European Regulation and the Privacy Code, requesting the immediate deletion of the data from the internet portal and the blocking of public consultation.

The request was immediately accepted by the head of the school, who informed the data subject about the request and the related deletion of the personal data, and completed the formalities connected with the report to the Privacy Authority.

Subsequently, the data subject lodged a complaint with the Authority, asking it to investigate the case, assess whether the processing complained of could be considered unlawful, and adopt all necessary measures.

The Authority investigated the case, assessing the documents submitted and requesting defence briefs from the data controller. At the end of the investigation it decided not to dismiss the complaint but to sanction the school «for having breached article 5, paragraph 1, letters a) and c), article 6, paragraph 1, letters c) and d), and 2 and 3, letter b), and article 9, paragraph 4 of the Regulation, as well as article 2-ter, paragraphs 1 and 3, and article 2-septies, paragraph 8 of the Code, with an administrative sanction which, pursuant to article 83, paragraph 1, of the Regulation, is effective, proportionate and dissuasive».

The Authority reaffirmed important principles with which public employers must comply when fulfilling their administrative transparency obligations, bearing in mind their role as data controllers of their employees' personal data.

In the provision, the Authority recalled its guidelines on the “processing of personal data, also contained in administrative acts and documents, carried out for advisory purposes and transparency on the website by public subjects and other obliged bodies”, specifying that, in the public sector, personal data cannot be processed by using the transparency obligation as the legal basis for the processing.

In light of this, the data controller must carry out an assessment (a balancing exercise) to decide whether the legal basis is adequate, so that the processing does not amount to unlawful processing of personal data.

Also important is the Authority's clarification on the stronger protection required for personal data concerning «the physical and mental health of a natural person, including the provision of health care services, which reveal information about his or her health status» pursuant to article 4, paragraph 1, no. 15 of the GDPR, underlining that such data cannot be publicly disseminated pursuant to article 2-septies, paragraph 8 of the Privacy Code and article 9, paragraph 4, GDPR.

In setting the administrative sanction, the Authority took into account the conduct of the school, noting in particular its cooperation, the effective termination of the unlawful processing within the term required by law, and the specific fulfilment of the obligation connected to the unlawful processing. This was not enough to prevent the imposition of the administrative sanction and the publication of the provision on the Italian DPA's website pursuant to article 166, paragraph 7, of the Privacy Code and article 16 of the General Data Protection Regulation no. 1/2019.

The Authority's reasoning is that the active and fruitful collaboration of the complainant, together with the demonstrated absence of intent and gross negligence, cannot in any way serve as a justification for the unlawful processing of personal data; at most, it can be taken into account in determining the proportionality of the sanction imposed pursuant to article 83 GDPR.

The increasingly frequent use of new technologies, envisaged as part of the digitization of the Public Administration, requires public employers to pay greater attention to the processing of personal data (of employees), and calls for suitably trained and specialized personnel capable of immediately intercepting processing that does not comply with the requirements imposed by the European Regulation.

SOURCE: FEDERPRIVACY
