Italy: Garante fines Abruzzo Environmental Protection Agency €8,000 for unlawful processing of data related to criminal convictions and offenses

The Italian data protection authority ('Garante') issued, on 10 March 2022, its decision in Case No. 82, in which it imposed a fine of €8,000 on the Abruzzo Regional Environmental Protection Agency ('the Agency'), for violations of Articles 5(1)(a), 5(1)(c), 6, and 10 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and Articles 2-ter and 2-octies of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR ('the Code'), following a complaint submitted by a former employee of the Agency.

Background to the case

In particular, the Garante noted that, according to the complaint, a resolution of the Director General of the Agency had been published on the Agency's institutional website in its entirety, without any prior anonymisation of the complainant's personal data, and, moreover, was indexed on search engines. More specifically, the Garante outlined that the resolution in question contained information relating to a legal matter concerning the employment relationship between the complainant and the Agency, with references to events related to criminal proceedings involving the complainant, for which the same had been acquitted.

Further to this, the Garante explained that it had notified the Agency of the initiation of the procedure for the adoption of an administrative sanction, inviting the same to present its defence briefs and to ask to be heard.

Findings of the Garante

Further to the above, at the end of the investigation carried out and based on the defence briefs presented by the Agency, the Garante considered that, contrary to what the Agency had argued, the online disclosure of the complainant's personal data could not be justified by the circumstance that it was deemed necessary for the performance of a contract or for the implementation of pre-contractual measures, and thus lacked a legal basis. In fact, the Garante highlighted that public authorities may not rely on contractual or pre-contractual necessity as a legal basis for the dissemination of personal data.

In addition, the Garante rejected the Agency's argument that the information contained in the resolution did not constitute personal data relating to criminal convictions and offenses, in consideration of the fact that the criminal proceedings had ended with the acquittal of the complainant. In this regard, the Garante pointed out that, as stated by the Court of Justice of the European Union ('CJEU'), information relating to judicial proceedings against a natural person constitutes data relating to offences and criminal convictions, irrespective of whether or not the proceedings end with a conviction.

Separately, with regard to the circumstance that the personal data of the complainant had already been made manifestly public by the same as a result of press articles prior to the resolution in question, the Garante reiterated that public authorities may disclose personal data only in cases provided for by law or regulation, notwithstanding the fact that the same data has already been disclosed by the data subjects.

Therefore, the Garante held that the Agency's dissemination of the complainant's personal data, including data relating to criminal convictions and offences, was in violation of Articles 5(1)(a), 5(1)(c), 6, and 10 of the GDPR and Articles 2-ter and 2-octies of the Code.

In light of the violations that occurred, the Garante imposed an administrative fine. In quantifying the same, the Garante took into account the fact that the violations took place despite the guidelines issued by the Garante to aid public authorities, the considerable period of time over which the complainant's personal data was disseminated, and the particular sensitivity of the personal data published. Conversely, the Garante considered favourably, among others, the fact that only one data subject was affected.

Outcomes

In conclusion, the Garante imposed the aforementioned fine and ordered the publication of the decision on its website as an ancillary sanction. In addition, the Garante highlighted that the Agency has 30 days to settle the dispute by paying an amount equal to half of the sanction imposed and that, within the same timeframe, it may also lodge an appeal before the ordinary judicial authority.

You can read the decision, only available in Italian, here.