The Italian Data Protection Authority (Garante) issued on 17 December 2020 a EUR 40,000 fine against an Italian software company (Miropass s.r.l.) for GDPR violations connected to the use of its appointment booking system. The decision analyses legal responsibility of the software company in its varied roles under data protection law – those of a data controller and of a data processor.
Miropass provided to its clients (public and private entities, including health facilities) an appointment booking system (Tupassi), which allows its users to book visits at those entities. The system can be used, among other, through the Tupassi mobile app, Tupassi website, and “totems” positioned at the offices of the entities. To use Tupassi via the mobile app or website, the users had to register an account and choose from a list of available services offered to them, along with a date and time of the appointment. As a result, Miropass collected through the system personal data of the users both when they register their accounts (name, surname, fiscal code, mobile number, e-mail address, etc.), and at the time of booking the appointment (chosen facility, date, time, type of service, etc.).
In addition, the system allowed the entities to process personal data of their staff who process various user requests. Miropass also provided assistance and maintenance services, among other, via direct access to the servers of the entities.
Miropass as a data controller: failure to obtain explicit consent for health data
Garante’s position was that when user registers an account and makes appointment via the mobile app or website, Miropass acts in the capacity of a data controller. The relevant legal issue is whether the data controller has an appropriate legal basis for the processing.
In relation to the processing of non-sensitive personal data of the users at the time when they make appointments via the mobile app or the website, the legal basis for such processing is performance of a contract to which the user is a party (Art. 6.1(b) of the GDPR). Garante apparently considered an act of registering an account with the system as an act of entering into a contract with Miropass.
However, when users make appointments with providers of healthcare services, Miropass processes personal data relating to health, such as the type of health care service chosen (e.g. taking of blood samples, physiotherapy, dentistry). That category of personal data belongs to the so-called special categories of personal data, from GDPR Art. 9.1. For such data to be lawfully processed, one or more of the exceptions under GDPR Art. 9.2 from the general prohibition to process special categories of data needed to exist. Miropass could have relied only on explicit consent of the users as the exception but failed to obtain such consent. Garante therefore found that Miropass was in violation of Art. 9.
Miropass, as processor: failure to enter into a data processing agreement
During the investigation Garante established that the maintenance and assistance services which Miropass provided via direct access to the servers of the entities allowed Miropass to have access to and process the personal data of two categories of data subjects: users of Tupassi and employees of the entities – the customers of Miropass. It was the opinion of Garante that in this scenario Miropass acted as a data processor. As a result, the respective entity, as data controller, and Miropass, as the data processor, had to have in place a processing agreement pursuant to GDPR Art. 28 of GDPR.
Garante found that Miropass lacked processing agreements with a number of its clients. That meant that during provision of the maintenance and assistance services Miropass processed the personal data of the users of Tupassi and employees of the entities “in absence of an appropriate legal basis”. With that failure, Miropass was in breach of Art. 5.1(a) (lawfulness, fairness and transparency), Art. 6 (lawfulness of processing), and, when the data at issue were health-related data, Art. 9 (processing of special categoris of personal data) of the GDPR.
Non-standard link between Articles 5 and 28 of the GDPR
It results from the decision that not only data controllers, but data processors as well, have to ensure that they have a GDPR Art. 28 data processing agreement in place before commencing the processing activities.
It is clear that, under the GDPR, data controller is liable if it has no Art. 28 data processing agreement in place with the data processor. Garante did not hold that, when Miropass acted as a data processor, it was in breach of Art. 28. However, its seems that the absence of a data protection agreement was the reason why Garante found Miropass liable for “absence of an appropriate legal basis” for the processing of personal data. That part of Garante’s decision would benefit from clearer and more and detailed elaboration.
Usually, absence of a legal basis for data processing means that none of the bases from GDPR Art. 6 (Lawfulness of processing) – consent, performance of contract, legal obligation, vital interests, public interest or official authority, or legitimate interest – is present. It seems that Garante found a way to hold processors responsible for the absence of a processing agreement by stating that such absence renders the processing unlawful, in the sense of GDPR Art. 5.1(a).
[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as an instructive guidance for compliance with local regulations.]