The Italian Data Protection Authority (Garante) has fined the Lazio Region 75,000 euros for failing to designate as data processor the Cooperativa Capodarco, the cooperative to which the Region had entrusted the management of healthcare services through the regional booking call centre (ReCUP).
The cooperative processed patients' data unlawfully for nearly twenty years, from 1999 until 7 January 2019, the date on which the Lazio Region, as data controller, finally appointed it as data processor, well after the European General Data Protection Regulation (GDPR) had entered into force and become applicable.
In its decision, the Authority stressed that companies which provide services on behalf of a controller, and which therefore process users' personal data, must be appointed as data processors. Under Article 28 GDPR, the relationship between controller and processor must be governed by a contract or another legal act, in written form, which is binding on both parties and which sets out specific rules and limits on how the personal data may be processed. The processor may process the data subjects' personal data "only on documented instructions from the controller".
Moreover, as the European Data Protection Board (EDPB), which brings together the European data protection authorities, has recently pointed out, the absence of a clearly defined relationship between controller and processor can raise problems beyond the mere lack of a legal basis on which each processing operation must rest: for example, with regard to the communication of data between controller and processor.
Having established the infringement, the Authority fined the Region 75,000 euros and imposed, as an ancillary sanction, the publication of the decision on the Authority's website.
The Authority, by contrast, considered it sufficient to issue a reprimand to the cooperative, since Capodarco had repeatedly pointed out to the Region the need to be formally appointed as data processor and had put in place measures in line with data protection rules, for example by setting up its register of processing activities.