Italiaanse Autoriteit beboet schending DPIA verplichtingen
De Italiaanse Gegevensbeschermingsautoriteit (Garante per la protezione dei dati personali) legt een boete op van € 300.000 aan het national social security institute (INPS) voor de schending van artikelen 5 lid 1 onder a,c, en d, 2, 25 en 35 AVG.
Het INPS is onzorgvuldig geweest bij de bepaling wie (niet) in aanmerking komt voor financiële hulp in relatie tot de covid crisis. De INPS heeft onder andere onvoldoende rekening gehouden met het bestaan van een hoog risico. Naast de boete verplicht de GPDP het INPS op grond van art. 58 lid 2 onder d alsnog de DPIA uit te voeren alvorens verder te gaan met de verwerking.
Lees hier verder de Engelstalige samenvatting.
The Italian national social security institute (INPS) has provided financial aids to Italian citizens in order to face the Covid crisis. To access this aids, citizens were required to satisfy certain criteria. The INPS, in order to speed up the process to obtain the aid, first assessed the request only on the basis of the documentation provided in the request by the applicant, and just in a second moment, after the dispensing of the aid, carried out a more specific investigation for every applicant.
During the second phase assessment, the INPS checked whether between the requests there were parliamentarians or holders of offices in public administrations. To do so, INPS collected some personal data from open source registers and generated from this open data the personal tax code of the applicants and compared it with the one in the application. This way of calculation of the tax code can entail some mistakes. The secondary examination was carried on also for the subjects to which the aid was already been refused under the first examination. Only afterwards, the Labour ministry declared that parliamentarians and holders of administrative office would be excluded from this financial aid.
Were these activities contrary to the GDPR?
The DPA found that the fact that the second examination on parliamentarians and holders of administrative offices has been carried out before the note of Labour ministry on the exclusion of these categories from the financial aid, comported a violation of the principles of lawfulness, fairness and transparency as per Article 5(1)(a) GDPR.
The fact that the processing was not limited to who received the aid but included who had already been refused, was in violation of the principle of adequacy and minimisation as per Article 5(1)(c) GDPR.
The fact that the tax code has been generated from open data and not obtain by official sources and thus potentially erroneous, was violating the principle of adequacy as per Article 5(1)(d) GDPR.
The DPA also considered that all the previous violations constituted together the violation of privacy by default and by design as per Article 25 GDPR and the liability principle of 5(2) GDPR.
The DPA finally found out that the provision on impact assessment, as per Article 35 GDPR was also violated because the INPS has not adequately weighed the existence of a high risk, such as to require the conduct of a preliminary impact assessment on data protection, and has not adequately involved the DPO.
For these reasons and on the basis of Article 58(2)(i) and 83 GDPR, the Italian DPA imposed a fine of € 300 000 on INPS.
Volledige tekst (Italiaans): Provvedimento del 25 febbraio 2021  - Garante Privacy