Newsletter of 26 June 2024 – FSE 2.0, Privacy Guarantor: starting…

NEWSLETTER N. 525 of 26 June 2024


FSE 2.0, Privacy Guarantor: proceedings against 18 Regions and 2 autonomous Provinces underway
The serious situation reported to the Prime Minister and the Minister of Health in recent days

It is urgent to intervene to protect the rights of all Italian patients involved in the processing of health data carried out through the Electronic Health Record 2.0.

With this motivation, the Privacy Guarantor has notified 18 Regions and the autonomous Provinces of Bolzano and Trento of the initiation of corrective and sanctioning procedures for the numerous violations found in the implementation of the new regulations on the FSE 2.0, introduced with the decree of the Ministry of Health of 7 September 2023.

In the previous days, the serious situation and the urgency of corrective interventions had been reported to the President of the Council of Ministers and the Minister of Health.

The results of the preliminary investigation activity on the FSE, started at the end of January, showed that 18 Regions and the two autonomous Provinces of Trentino Alto Adige – not being in line with what is contained in the decree of 7 September 2023 – have modified, even significantly, the information model prepared by the Ministry, following the opinion of the Guarantor, which should have been adopted throughout the national territory.

The discrepancies found made it clear that some rights (e.g. concealment of data, delegation, specific consent) and measures (e.g. security measures, differentiated access levels, data quality) introduced by the decree, specifically to protect patients, are not guaranteed uniformly throughout the country, or can be exercised and enforced only by the beneficiaries of certain Regions and autonomous Provinces, with a potential and significant discriminatory effect on those beneficiaries.

This heterogeneity also contradicts the spirit of the FSE 2.0 reform, which aimed to introduce homogeneous measures, guarantees and responsibilities across the entire national territory, and thus also risks compromising the functionality, interoperability and efficiency of the FSE 2.0 system.

The violations committed by Regions and autonomous Provinces, with different levels of severity and responsibility, may lead to the application of the sanctions provided for by the European Regulation.


Telemarketing: the Guarantor fines Eni Plenitude over 6 million euros
Of the 747 contracts concluded in a “sample week”, 657 came from illicit contact


Promotional calls made without the interested party’s consent or addressed to numbers registered in the Public Registry of Opposition and lack of controls on contracts acquired through illicit contacts: the Guarantor for the protection of personal data has fined Eni Plenitude for 6,419,631 euros.

The measure comes following 108 reports and 7 complaints against the company, which complained about receiving unwanted phone calls.

During the investigation, the Guarantor also asked Eni Plenitude for the data of the purchase proposals made by the sales network and concluded with the activation of energy services, relating to a “sample week”: out of 747 contracts stipulated in the period of time identified, 657 arrived from illegitimate contact. Numbers which, if hypothetically projected over a year, would lead to 32,850 supplies activated illicitly.

In particular, the gaps regarding the control and monitoring of agencies and sub-agencies and the mixing of databases are serious. According to the Guarantor, to comply with the law it is not enough to remove the individual agent or carry out audit activities in case of anomalies, but measures are needed that prevent contracts stipulated on the basis of illicit telephone contacts from entering company systems or from taking economic advantage from illegitimate conduct.

In addition to the payment of the fine, the Guarantor imposed on Eni Plenitude a ban on any further processing of the data of complainants and whistleblowers. The company will also have to communicate to the 657 interested parties illicitly contacted the results of the procedure on the basis of a text to be agreed with the Authority, prepare controls to ensure that contracts generated by illicit contacts do not enter the company assets and guarantee compliance with the principles of processing, with particular reference to the obligations to update, delete and rectify personal data relating to customers.


Facial recognition: Guarantor fines a dealership
No to illicit attendance checks


A fine of 120 thousand euros was imposed by the Privacy Guarantor on a dealership for having violated the personal data of employees through the use of facial recognition systems to control attendance in the workplace. The Authority intervened following a complaint from an employee about the illicit processing of personal data through a biometric system installed at the company’s two production units. The complaint also objected to the use of management software with which each employee was required to record the repairs carried out on the assigned vehicles, the times and methods of carrying out the work, as well as the downtime with the specific reasons.

Numerous violations of the European Regulation by the company emerged from the inspection activity of the Guarantor, carried out in collaboration with the Special Privacy and Technological Fraud Unit of the Financial Police.

With reference to the processing of biometric data, the Guarantor reiterated once again that the use of such data is not permitted, because no legal provision currently provides for the use of biometric data for the detection of attendance. Therefore, the Authority recalled that not even the consent expressed by employees can be considered a suitable prerequisite of lawfulness, due to the asymmetry between the respective parties to the employment relationship.

The Authority also ascertained that for more than six years the dealership, through management software, had been collecting personal data relating to the activities of employees to draw up monthly reports to be sent to the parent company, containing aggregate data on the times taken by the workshops for the work carried out. All this in the absence of a suitable legal basis and of adequate information which, in the context of the employment relationship, is an expression of the principle of correctness and transparency. The Authority, in addition to sanctioning the company, also ordered it to bring the data processing carried out using the management software into line with the provisions of the privacy legislation.


SMEs: with Olivia, 15 free courses on the GDPR and compliance tests
The tool will allow data controllers and data processors to verify compliance with privacy regulations


Data protection within everyone’s reach, through text lessons, video seminars and questionnaires to verify the skills acquired. This is Olivia, the free virtual tool, created as part of the European ARC II project of which the Privacy Guarantor is a partner, presented during the recent Privacy Symposium in Venice.

Olivia (“general data protection regulation on Virtual Assistant”) was designed to offer a training opportunity for small and medium-sized businesses and accompany them in their adaptation to the European Data Protection Regulation (GDPR). But it can also be a useful tool of knowledge for all data controllers and data processors, including those in the public sector.

The platform in fact presents a series of learning modules, ranging from the basics of GDPR to the principles and legal bases of data processing, up to the conditions for the use of cookies or video surveillance systems in the workplace. But above all, the tool, by processing answers to the questionnaires made available, allows companies to verify compliance with privacy regulations.

In this regard, the documentation models proposed by Olivia regarding the data protection impact assessment (DPIA) and the assessment of legitimate interest are particularly useful, as they represent the most complex legal basis – especially for an SME – on which to found a processing, since it requires demonstrating the prevalence of the organization’s interests over the rights of the interested parties.

Completely free and available in Italian, English and Croatian, Olivia will be released permanently in September. Registered users will find on the platform the video recordings of the 10 remote seminars carried out as part of ARC II and all the presentations made by the speakers.

The ARC II project, financed by the European Commission in which the Croatian Data Protection Authority, the Privacy Guarantor and the Universities of Florence, Zagreb and Brussels (Vrije Universiteit) participate, was created to simplify compliance with the Regulation by SMEs, reduce compliance burdens and demonstrate how compliance with data protection legislation can improve business and build relationships of trust with users and customers.


THE ACTIVITY OF THE GUARANTOR – FOR THOSE WHO WANT TO KNOW MORE
The most important interventions and provisions recently adopted by the Authority

  • Covid: Privacy Guarantor opens investigation into prohibited internship in ASL Puglia – Press release of 12 June 2024

  • Scientific research: the FAQs of the Privacy Guarantor for the IRCCS – 12 June 2024

  • Guidance document. IT programs and services for email management in the work context and metadata processing – 06 June 2024

NEWSLETTER of the Guarantor for the protection of personal data (Reg. to the Trib. of Rome n. 654 of 28 November 2002).
Editor in chief: Baldo Meo.
Management and editorial staff: Guarantor for the protection of personal data, Piazza Venezia, n. 11 – 00187 Rome.
Tel: 06.69677.2751 – Fax: 06.69677.3785
The newsletter can be consulted on the website www.gpdp.it

