The protection of privacy in the Data Protection Authority’s measures in 2019.

With the GDPR on the protection of personal data, privacy has gained strong new attention, driven by precise requirements of legal certainty, harmonization and greater simplicity of the rules on the transfer of personal data within the European Union and beyond.

The GDPR also provided for the establishment of the European Data Protection Board (EDPB), an independent European body composed of representatives of the national data protection authorities of EU countries as well as the European Data Protection Supervisor (EDPS), whose task is to contribute to the application of data protection rules throughout the European Union and to promote cooperation between competent authorities.

In addition, a new Commission has recently been set up within the EDPB to strengthen cooperation between the different Data Protection Authorities and to ensure more effective checks on the data processing carried out.

Below are some of the most significant measures issued in Italy by the Italian Data Protection Authority during the year 2019:

– the Authority has expressed its opinion on the legitimacy of the processing of personal data collected by a company through the delivery of electronic devices. These devices had to be worn on the wrist by employees who worked on the street.

These were instruments equipped with GPS. This meant that it was possible to identify the subjects (also indirectly) and to allow the processing of personal data, because every device had a unique identification number connected to the sweeping areas. Moreover, there was a record (in both paper and digital format) in which the work shifts, the sweeping area and the identity of the worker were recorded.

The Authority has said that it is necessary to identify how long the records need to be kept and to indicate specific and exhaustive cases in which it may be necessary to access these records. Access may be allowed in order to reconstruct facts that may be the subject of a dispute.

– with a writ of March 2019, the Data Protection Authority expressed its opinion on a data breach. The matter originated from a communication from a Bank reporting a computer intrusion. Unauthorised persons had had access to: personal and contact details, profession, level of study, identification details of an identity document as well as information relating to the employer, salary, amount of the loan, payment status, “approximate credit classification of the client” and IBAN identification.

The Authority found a violation of Articles 33 Legislative Decree n. 196/2003, highlighting the presence of certain critical issues that had allowed the violation of the security measures or prescriptive measures required of the Bank.

– in June 2019, the Authority expressed its opinion on data subjects' capacity for self-determination in giving their consent to the collection of personal data.

The facts concerned the registration service of a website whose server required data that was excessive and not relevant to the purpose of the “Collection of points”; the server also required mandatory consent for the purpose of receiving promotional communications.

The Authority stated that “the capacity of self-determination of the parties is ensured neither when a single consent is requested for several processing purposes, nor when the use of a service is subject to prior authorization to process the data provided for different purposes, such as promotional or statistical.

Any processing, therefore, that involves the identification of the data subjects requires their specific, informed and separate consent for each purpose”.

– in June 2019, the Authority expressed its opinion on the right to object to the processing for promotional purposes which, in this case, could be exercised by sending the complaint to an e-mail box belonging to a person no longer employed by the company.

The Data Protection Authority noted the unlawfulness of the processing because the data controller had not respected and observed the principle of accountability and privacy by design, which implies the need to “design and implement its systems with technical and organizational measures aimed at effectively implementing the principles of data protection (…), including adequately programming its computer systems in order to be able to verify any opposition or withdrawal of consent by its customers”.

– With an order of 11th July 2019, the Authority dealt with the appeal filed by two parties requesting that it order the removal, from a television service, of images concerning documents containing personal data.

In the opinion of the Authority, some data had been processed contrary to the principle of essentiality of information and the principle of data minimization because they were excessive with respect to the purposes of information. In any case, the Authority said that there were no grounds to adopt the measures required because there was a public interest.

– In a measure of 24 July 2019, there was a declaration on the complaint filed by two parties for violation of the principles of accuracy and updating of the data.

It was a complaint concerning the request to order an internet search engine to remove a URL linked to a newspaper article containing incorrect information relating to a judicial case in which they had been involved and which had ended in their favour.

– In September 2019, the Authority expressed its opinion on the right to be forgotten. The complaint was submitted by a person who asked for the removal of a URL linked to trade union events relating to one of the companies of which he was a member, considering that the news was of no current public interest since the issue had been resolved positively.

The Authority considered the complaint to be partially justified and, as a result, ordered the removal of the URL. On the other hand, with regard to other URLs, the Authority considered that there was a current public interest in the knowledge of the case because it was linked to more recent facts about which the relevant investigations were still in progress.

– In October 2019, in relation to the publication on some websites of images depicting two subjects in a state of physical constraint, the Data Protection Authority decided to limit their processing because the limits of the right to information had been exceeded. The right to information must protect the rights and freedoms of individuals, in particular the right to the protection of personal data and the limit of the essentiality of information regarding facts of public interest.

– In December 2019, the Authority considered that a company that keeps an employee’s e-mail account active after the termination of the employment relationship and accesses the e-mails in the inbox commits an offence. This is because the protection of privacy also extends to the work environment.