In recent weeks, the Italian Data Protection Authority (the Garante) has sanctioned a hospital company and its supplier for serious violations of the GDPR and the Italian Privacy Code.
The hospital company and the supplier that ran the registration platform for a public selection procedure were found guilty of unlawful disclosure of personal data, including health data, concerning candidates in an open competition. In particular, the Guarantor sanctioned:
• the failure to manage relations with third parties;
• the failure to respect retention periods;
• the failure to provide data subjects with an information note (privacy notice);
• the failure to implement adequate security measures.
On the issue, Greta Gioia, Data Protection consultant for the Kirey Group Privacy Division, weighed in to clarify some aspects of the decision and outline the measures that companies must take to avoid the risk of sanctions.
Greta, first of all, something many people wonder about: did the Guarantor Authority not stop even during the pandemic?
<<No, on the contrary: it is continuing its inspection activities to verify that all Data Controllers (companies, bodies, public entities) comply with personal data protection legislation, since personal data is today considered a precious asset>>.
We often hear about these terms and the security measures to be taken, but companies wonder how they can concretely meet the requirements set out by the GDPR.
<<First, data subjects must be informed of the processing by means of an appropriate information note drawn up pursuant to Art. 13 GDPR. Secondly, the Data Processor must be appointed by means of an appropriate appointment act. The appointment act is not just a formal document: it serves to contractually establish all the security measures and instructions that the Data Processor is required to comply with, and for which he assumes responsibility in the event of violations caused by his non-compliance and/or deficiencies. In the case of the decision mentioned above, the third-party supplier had not been formally appointed>>.
What are the fundamental elements that cannot be missing from the appointment act?
<<On this issue, the rules are clear: the appointment act must always specify the subject matter of the processing, its duration, nature and purpose, the type of personal data processed, the categories of data subjects, the obligations of the parties and the rights of the Controller>>.
Let’s now move on to another point on which doubts often arise. How long can companies retain the acquired data?
<<In this specific case, the term is the cessation of the provision of the service>>.
Let’s turn to the numbers. How are the penalties quantified?
<<These are very often significant sums, which can have a considerable impact on a company's budget. In this case, the sanction imposed amounts to € 80,000.00 for the Controller and € 60,000.00 for the third-party company>>.
So what are your recommendations to companies?
<<What I would say to companies is to set up a proper organizational model that increases the security of company data and meets the requirements of current legislation. To do this, you must rely on a specialist who can carry out a compliance and/or advisory project in accordance with the GDPR and the Privacy Code>>.