On 17 September 2020, the Italian data protection authority (Garante) rendered two related decisions, one against a hospital in Naples and the other against an IT company, concerning a data breach which affected two thousand applicants for positions at the hospital. The decisions underline the importance of transparency in the processing of personal data, proper identification of the legal basis for processing, and proper identification of the roles and responsibilities of the data controller and the data processor. This is also another in a series of cases, decided by data protection authorities in the EU, in which the failure of the data controller to adopt adequate technical and organizational measures to ensure the confidentiality and integrity of personal data features prominently.
In January 2018, a Naples hospital of national importance, the “Antonio Cardarelli” hospital, engaged the company Scanshare to manage online job applications, including by conducting pre-selection tests where the number of applications submitted was high. The management platform used for the processing of applications belonged to Scanshare.
In a period not specified in the Garante decisions, the data of the candidates, including in some instances their health data, were freely accessible online due to an erroneous system configuration. During that period any user of the portal could access a list of codes assigned to the job candidates and then, through simple additional steps, access the documents submitted by the applicants. It was even possible to modify the personal data entered by the job applicants. The incident apparently happened because the high number of concurrent sessions, resulting from the numerous accesses by candidates, caused a denial of service (DoS), and when Scanshare’s technicians attempted to repair the system they accidentally moved a configuration file out of its proper location, which left the data accessible from outside.
In such a manner, the data of more than 2,000 candidates were exposed for a period of 25 days.
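The two technical failures described above, a configuration file that went missing and silently opened the portal, and candidate codes that let any session reach another applicant's documents, are both classic access-control defects. The following is an added, illustrative example (not code from the Garante decisions, the hospital or Scanshare) showing how a portal can fail closed when its access configuration is absent and how it can enforce per-record authorization so that knowing a candidate code is not enough to read or alter that candidate's files. All names, paths and sample data are constructed for this example.

```python
"""Fail-closed configuration and per-record authorization for an applicant portal.

Added, illustrative example; not code from the Garante decisions, the hospital
or Scanshare. Every identifier, path and sample record below is constructed.
"""
import json
import os
from dataclasses import dataclass


class AccessConfigError(Exception):
    """Raised when the access policy cannot be loaded or is unsafe."""


REQUIRED_KEYS = ("require_login", "allow_external_access")


def validate_access_config(cfg):
    """Reject an incomplete or permissive policy instead of defaulting to open."""
    for key in REQUIRED_KEYS:
        if key not in cfg:
            raise AccessConfigError(f"access config lacks required key {key!r}")
    if not cfg["require_login"]:
        raise AccessConfigError("access config disables login; refusing to serve")
    return cfg


def load_access_config(path):
    """Load the policy from disk; a missing file stops the service (fail closed).

    A portal that treats 'no config file' as 'no restrictions' reproduces the
    failure mode in the text: moving the file out of place exposes everything.
    """
    if not os.path.exists(path):
        raise AccessConfigError(f"access config missing at {path}; refusing to serve")
    with open(path, encoding="utf-8") as fh:
        return validate_access_config(json.load(fh))


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # "candidate" or "hr" (constructed roles)


# Constructed sample store: candidate code -> owning user and uploaded files.
DOCUMENTS = {
    "C-0001": {"owner": "alice", "files": {"cv.pdf": b"alice cv"}},
    "C-0002": {"owner": "bob", "files": {"cv.pdf": b"bob cv",
                                         "medical.pdf": b"bob health data"}},
}


def list_candidate_codes(session):
    """Only HR staff may enumerate codes; candidates never see others' codes."""
    if session.role != "hr":
        return []
    return sorted(DOCUMENTS)


def get_document(session, code, filename):
    """Object-level check: the code in the request is never trusted on its own.

    Returns the file bytes, or None when the record does not exist or the
    session may not read it (same answer in both cases, so the response does
    not confirm which codes are valid).
    """
    entry = DOCUMENTS.get(code)
    if entry is None:
        return None
    if session.role != "hr" and entry["owner"] != session.user_id:
        return None
    return entry["files"].get(filename)


def update_document(session, code, filename, data):
    """Writes are limited to the record's owner; HR is read-only here."""
    entry = DOCUMENTS.get(code)
    if entry is None or entry["owner"] != session.user_id:
        return False
    entry["files"][filename] = data
    return True


if __name__ == "__main__":
    alice = Session("alice", "candidate")
    print(get_document(alice, "C-0002", "medical.pdf"))  # None: not alice's record
    print(get_document(alice, "C-0001", "cv.pdf"))       # b'alice cv'
```

The design choice worth noting is that authorization is decided from the server-side session and the record's owner, not from anything in the request, and that the configuration loader refuses to start when its policy file is absent; both are the kind of technical measure GDPR Art. 32 expects a controller to specify and audit.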
The home page of the platform and a Portal Management Manual contained a brief document which stated that the user of the platform gave consent to the processing of personal data and that the data would be processed by the Human Resources department of the Hospital and by the company providing the IT platform. The document did not contain any reference to complete information on the data processing or to any supplementary document.
- Job candidates need to receive a complete data processing notice
The candidates did not receive the information necessary to ensure fair and transparent processing. A brief document published on the home page of the platform and in the Portal Management Manual was insufficient for the Hospital to fulfil the obligation to provide the data subjects with all the information required by GDPR Art. 13. The processing, therefore, was not in compliance with the principle of transparency (GDPR Art. 5(1)(a)).
- Consent is not a valid basis for processing when the controller performs a task of public interest
Garante emphasized that the consent of the data subject cannot, as a rule, constitute a valid prerequisite for the lawfulness of the processing of personal data when there is “an evident imbalance between the data subject and the controller” (recital 43 of the GDPR), especially when the controller is a public authority acting in the performance of a “task of public interest or connected to the exercise of official authority” (a legal basis for data processing under GDPR Art. 6(1)(e)). The processing of data in this case has its legal basis in the specific sector regulations that govern access to jobs in public administrations and the procedures for carrying out public competitions (Art. 6(1)(e)), and not in the consent of the data subjects.
- Importance of properly identifying one’s role in the processing chain
The Hospital argued that Scanshare was the data controller because it had autonomous decision-making power concerning the purposes and means of processing of the personal data and owned the management platform. Garante refuted that argument and concluded that Scanshare was a data processor. The Hospital was the data controller because it determined the purposes of the processing, the methods of managing the data, and the main terms of the performance of the service by Scanshare. The status of the Hospital as the data controller had a direct impact on the Hospital’s responsibility for the data breach.
- A data processing agreement is a must
The Hospital and the processor failed to enter into a data processing agreement. As a result, Scanshare processed the data of the data subjects at its own discretion, rather than “on documented instructions from the controller”, as GDPR Art. 28(3)(a) requires. In this way, the Hospital violated Art. 28 GDPR, and Scanshare was in breach of Arts. 5 (principle of lawfulness), 6 (lawfulness of processing), and 9 (prohibition of the processing of special categories of data).
- The controller is primarily responsible for the implementation of technical and organizational measures
Garante found both the Hospital and Scanshare responsible for violations of GDPR Art. 5(1)(f) (principle of integrity and confidentiality) and GDPR Art. 32 (security of processing). The responsibility of the Hospital stems from the general rule under GDPR that it is primarily the responsibility of the data controller to implement appropriate technical and organizational measures to guarantee that the processing is carried out in accordance with GDPR (Art. 5(2)). Here, Garante also drew a direct link between the Hospital’s failure to regulate its relationship with Scanshare, on the one hand, and the failure to ensure the confidentiality and integrity of the data processed, on the other. In the absence of a data processing agreement, the Hospital gave Scanshare no instructions regarding the security of the data and carried out no supervisory or auditing activities.
Garante imposed a fine in the amount of EUR 80,000 against the Hospital, and, separately, EUR 60,000 against Scanshare.
[Note: The Serbian Data Protection Act and the current draft of the Montenegrin Data Protection Act mirror the provisions of the GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as instructive guidance for compliance with local regulations.]