In a recent decision, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) considered having requested an opinion from the DPO (Data Protection Officer) in relation to disclosure of an employee’s personal data when assessing (downward) the amount of a sanction for an instance of unlawful data processing.
- The case at stake
An employee of the Municipality of Greve in Chianti (“Municipality”) was dismissed following an investigation conducted by the Disciplinary Proceedings Office (Ufficio Procedimenti Disciplinari), based on which she appeared to be involved in ongoing criminal proceedings. This circumstance meant she did not meet the requirements of the selection procedure for her job, proved by means of self-certification, and consequently the dismissal was ordered as a disciplinary measure. The employee filed a complaint with the Administrative Regional Tribunal (TAR) to request cancellation of this measure.
Meanwhile, the Municipality published on its website, in the online register (Albo Pretorio Online) section, administrative acts relating to the employee, identified by the initials of her first and last names; these acts also disclosed personal data relating to criminal convictions and crimes. In light of this, the employee filed a complaint with the Garante for alleged unlawful data processing.
- The proceedings before the Garante
In the course of the investigation, the Municipality based its defense, among other things, on the following arguments:
- only the employee’s initials were published on the website, so a third party would not have been able to identify the employee – or at least, only her colleagues could have done so because of (i) their involvement in the disciplinary proceedings, (ii) their personal knowledge of the employee, or (iii) the protocol office being notified of the appeals. In any case, these colleagues are bound to keep this information confidential;
- publication of administrative acts in the Albo Pretorio Online is required by law, specifically under the rules legally requiring acts on the part of a public entity to be made known (pursuant to Article 15 of Legislative Decree No. 33/2013 and Article 124 of Legislative Decree No. 267/2000);
- no reference to criminal convictions or crimes was included in the published administrative acts, which referenced only the matter of the proceedings before the TAR;
- the Municipality acted in a diligent and fair way, asking the opinion of the DPO, who at first considered publication of the employee’s initials an adequate measure to protect confidentiality and only later suggested removing them; once the Municipality received this second opinion, it promptly complied with it.
- The Garante’s decision and some considerations
Notwithstanding the arguments made by the Municipality, the Garante considered the data processing at stake unlawful and ordered the Municipality to pay an administrative sanction in the amount of EUR 4,000.
The Garante looked positively on the fact that the Municipality had taken steps to involve its DPO and to comply in good faith with his opinion, and it took this circumstance into account when determining the amount of the sanction and lowered the amount. The Garante has not indicated how much impact the DPO’s involvement had in establishing the amount of the sanction; however, we can glean an idea from a similar case against another local entity. In this case, the Garante ordered the party to pay an administrative sanction of EUR 6,000, one third higher than the sanction in the Greve in Chianti case. Therefore, it seems that in establishing the amount of the sanction for a GDPR breach, involving the DPO in the relevant data protection matter was taken as a demonstration of diligence in complying with the law and, as such, as a tangible application of the accountability principle. On the other hand, one might well wonder if this could give rise to possible actions by the party against the DPO, who (initially) provided poor advice on which the company then based its (consequently unlawful) behavior.
Lastly, the Garante’s considerations about the definition of “personal data” and the identifiability of the data subject should be noted. Indeed, the Garante said that “identification means not only the possibility of recovering a person’s name and/or address, but also potential identifiability through identification, correlation and deduction (Working Group Article 29, Opinion 05/2014 on Anonymisation Techniques, WP216), the mention of the initials of the surname and first name of the complainant within the determination was, in fact, suitable to allow identification, at least by employees of the Municipality and family members or acquaintances of the complainant, also in view of the size of the Municipality (about 13,749 inhabitants) and its staff (84 permanent workers […]).”
Considering that the information published on the Municipality’s website referenced a previous act of the Municipality, the employee was easily identifiable. Moreover, since 2014, the Garante has clarified that the publication online of an employee’s initials rather than his or her full name is not sufficient to anonymize the personal data concerned, in particular when this information is published together with other data facilitating identification of the data subject. In such cases, it is necessary to remove any data completely.
The Garante’s decision is available at this link.