Local authorities must assess with particular care whether the legislation allows them to make public the personal data, sometimes of a particularly confidential nature, contained in resolutions and other documents. The Italian DPA said so in a set of sanctions adopted on 2 July 2020 against a Region, two Municipalities and a Union of Municipalities.
The first measure concerns a Region that published on its website a document about the execution of a civil judgment relating to a debt incurred by the body. In response to the objections raised by those who reported it, the administration justified the online publication on the basis of certain accounting provisions.
In this specific case, the DPA recalled that the personal data contained in these documents can be used by the Court of Auditors for its control of off-balance-sheet debts, but that the provisions cited did not provide for dissemination of the data.
Taking into account the cooperation offered by the body and its commitment to review the technical and organizational measures adopted by its staff to protect privacy, the DPA fined the Region 4,000 euros.
The DPA upheld the complaint against two local bodies, a Municipality and the Union of Municipalities to which it belongs, which had published on their respective websites, in the "transparent administration" section or in the online register, administrative acts concerning the complainant, thereby also disclosing personal data relating to criminal convictions and offences. During the investigation, the two administrations argued that publication was mandatory under the legislation on transparency and on the legal disclosure of documents and that, in any case, the data subject was hardly identifiable, because the administrative acts reported only the serial number or the initials of the name and surname.
One of the two administrations also stated, among other things, that the publication had been endorsed by the body's DPO (Data Protection Officer). The DPA noted that the legislation cited did not provide for the dissemination of personal data, including data relating to criminal convictions and offences.
The data subject can easily be identified by colleagues, relatives and other people in the local area. The Municipality and the Union of Municipalities received two sanctions, of 4,000 and 6,000 euros.
The last measure concerns a Municipality that emailed to some local newspapers a "decree of citation" containing data on criminal matters and on a security and prevention measure relating to five people, three of them witnesses summoned to appear. The local body justified sharing the document as a way to protect its image and to exercise its legitimate right of criticism in response to some attacks published in the news.
In this case too, the DPA noted that the communication of these data was not justified by the supposed "execution of a task connected to the exercise of public powers" or by any other legal basis, such as transparency. The Municipality was then fined 2,000 euros.
In approving the measures and the related sanctions, the DPA reiterated to local authorities that the processing of personal data by public entities is permissible only if it is necessary to fulfil a legal obligation to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of public powers vested in the controller. It added that the dissemination of personal data (such as publication on the Internet) by public entities is permitted only when required by a law or regulation.
In any case, the local authority is obliged to comply with the principles set out in the European Regulation on the Protection of Personal Data, in particular those of lawfulness, fairness and transparency, and of data minimization, under which personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
SOURCE: FEDERPRIVACY