A recent decision of the Italian privacy authority revealed a considerably broad definition of personal data and how the opinion from the DPO can help to reduce GDPR fines.
On July 2, 2020, the Italian data protection authority (the Garante) issued a decision that provided clear instructions on the extension of the definition of personal data and as to the role of the DPO as an advisor to the data controller concerning the adoption of privacy-related measures and whose contribution can lead to a reduction of GDPR fines.
The dispute that led to the decision of the Italian privacy authority
The case concerns an employee of a Tuscan municipality who had been dismissed after several years of service because, at the time of application for the role, her profile was incompatible with the requirement of the absence of criminal convictions and criminal proceedings. In particular, the employee had already been subject to an ongoing criminal proceeding and had suffered a non-final criminal conviction. But such circumstances did not result in the self-certification provided by the same employee in which she declared that she met all the requisites required to hold the position.
Following the outcome of the investigation conducted by the disciplinary proceedings office of the Municipality, the entity had dismissed her and rectified the minutes with which the assignment of the role was finalized. The employee had thus appealed to the Italian Regional Administrative Court to request the annulment of the municipal resolution, followed by the publication in the online register of the act of instruction by the Municipality of a lawyer for the court defense. The document containing the instruction included, inter alia, the initials of the employee’s name and surname and references to the content of the municipal resolution of dismissal, including, therefore, the failure to meet the requirement of the absence of convictions and criminal proceedings.
These circumstances led the employee to file a complaint with the Italian data protection authority for breach of her data protection rights.
The position of Italian data protection authority on the definition of personal data
The Italian data protection authority held that there was
- indirect identifiability of the person concerned through the initials of her name and surname by an indefinite number of subjects such as, for example, family members or colleagues, also in consideration of the size of the Municipality (about 13749 inhabitants) and its staff (84 permanent workers); and
- an unjustified disclosure of data relating to convictions and criminal proceedings, as they can be traced back to the person concerned and inferred from the content of the municipal determination.
As such, even though there wasn’t the actual name of the individual in the challenged document, but just her initials, the Garante was of the view that – based on the peculiarities of the case – the processing of personal data had occurred. Besides, even though the document did not mention the actual crime for which the individual was convicted, the reference to the lack of fulfillment of the requirement relating to the absence of criminal convictions led to the processing of personal data relating to criminal convictions and offenses as per article 10 of the GDPR.
Based on the above, the Italian privacy authority issued a pecuniary administrative fine of € 4,000.
The relevance of the opinion of the DPO according to the Italian privacy authority
In determining the amount of the pecuniary GDPR fine, an essential role was played by the entity’s decision, in its capacity as data controller, to request the opinion of the DPO before the publication of the challenged document and the fact that the entity had complied with that opinion.
The Italian privacy authority considered this aspect a mitigating circumstance for calculating the GDPR fine, revealing the good faith of the Municipality.
My feedback on the case
This decision is interesting because it illustrates how the definition of personal data is “dynamic” and must be contextualized to specific situations. An individual’s initials, which, in an ordinary context, may not be considered personal data, may become personal data in a situation where the number of people involved and the peculiarities of the issue imply that the individual is likely to be identifiable.
Similarly, the relevance granted by the Italian privacy authority to the opinion from the DPO emphasizes how – in light of the principle of accountability – formalizing the DPO’s opinion and adopting conduct in line with the DPO’s instructions may also affect the value of any sanction subsequently imposed.
This last point is pivotal for the data protection compliance program of businesses. Frequently, companies do not keep track of DPO’s opinions, don’t have minutes of meetings with the DPO, and don’t have a detailed internal procedure that sets up the roles and responsibilities of all the different actors which are part of the internal data protection compliance organization of the company. On the contrary, as shown in the above-mentioned decision, such a level of formality can reduce liability exposure in case of challenges.
On a similar topic, it can be interesting the article “Guidelines on the GDPR by the Italian Data Protection Authority.”
Image Credit Best Picko