Two recent decisions of the Italian data protection authority (Garante), one from January 2023 and the other from February 2023, lay down basic principles that the data controllers should follow when sending bulk emails.

First Garante case

i) Facts of the case

An employee of a hospital from Padova accidentally sent an email to 19 patients waiting for heart transplantation who were potential participants in a clinical study. The email informed the fragile patients that they could fill in and sign the forms for participation in the study and email them back. The employee used the CC option instead of BCC, so the email address of all patients was made known to all others. The hospital notified Garante of the breach.

ii) Hospital arguments

The hospital argued that: (i) only seven email addresses allowed identification of the recipient; (ii) no data subject have complained due to the mistake; (iii) the Director of Cardiac Surgery sent a remedial email asking the patients to delete previously sent email; (iv) the hospital had a Regulation on the use of IT tools, email and Internet in place and carried out training courses to the employees on these matters; and (v) the employee who usually deals with similar matters was absent, so this was an honest mistake.

iii)Garante’s reasoning

Garante found that personal data about the state of health data, defined in Article 4(15) of the GDPR as “data concerning health”, deserve enhanced protection, and that the controller did not act in accordance with the principle of integrity and confidentiality when processing the data. Some mitigating circumstances included the fact that the controller reported the breach, the measures taken by the Hospital after the breach, and the fact that the email was sent mistakenly in an effort to spare the recipients from health risks that would arise if the recipients were to deliver the forms in person, during the Covid-19 pandemic. The imposed fine was not significant (EUR 5,000).

Second Garante case

i) Facts of the case

There were 5,500 participants in a public competition organized by the Bank of Italy (“Bank“), a state regulatory authority in the financial sector. An employee of the Bank wanted to send an email to all participants and divided recipients into eight groups. Seven emails were sent by using the BCC option in an email, and only one, due to the mistake of the employee, was sent by using the TO option, so consequently the recipients could see the email addresses of other recipients. The email reached around 500 recipients.

ii) Bank’s arguments

The Bank of Italy argued that the mistake of the employee was of sporadic nature since seven emails were sent by using the BCC option, and only one by using the TO option. The content of the email was of general nature since it concerned only the details of the tests of the candidates. Also, email addresses do not necessarily reveal the identity of the person using it (and therefore they do not include personal data, in the opinion of the Bank) because sometimes they do not include the name and surname of the recipient. After the incident, the Bank took mitigating measures, as well as additional organizational and technical measures to ensure that external transmission of data is properly done: (i) sent another email asking the recipients to delete the previous one, and not to disclose it to third parties, or to use email addresses of the other recipients; (ii) reminded all employees to use BCC, instead of CC when sending bulk emails; (iii) in the personnel selection unit, limited to three the number of employees entitled to send emails; and (iv) introduced “four eyes control” principle whereby the unit manager or his deputy were to review each email before the sending.

iii) Garante’s reasoning

According to the Garante, the breach of GDPR did occur because the recipients were not authorised to know who the other participants in the public competition were and yet they became familiar with this information. In numerous cases, email addresses contain personal data, i.e., name and surname of the recipient, or other data which makes the participant identifiable. Because the Bank processed the personal data without a legal basis, it violated Article 5(1)(a) (the principle of lawfulness) and Article 6 of the GDPR.

Garante considered it important that the unlawful processing did not concern special categories of data and did not involve knowledge of other specific circumstances relating to the participants’ family or personal conditions. Also, the Bank has taken steps to introduce further technical and organizational measures to prevent the occurrence of similar events in the future. These mitigating circumstances led Garante to only warn the Bank of the breach, without imposing a fine.

Comparison with a case decided by UK ICO

The decisions of Garante are consistent with the stance taken by the UK Information Commissioner’s Office (ICO)  in a June 2022 decision.

i) Facts of the case

An employee of the Gender Identity Clinic (“Clinic”) sent two bulk emails (one to 912 and the other to 869 email addresses) to the participants of the art competition involving the clinic patients. The employee used the TO option, instead of the BCC option, by mistake. The email contained an image-based advertisement for the competition. The employee tried to recall emails, but unsuccessfully. The Clinic reported the breach to ICO. After the incident, the Clinic sent an apology email requesting the recipients to delete the email and posted on the website a notification that there was a breach.

ii) ICO’s reasoning

ICO found that most of the email addresses contained either the first name or last name or initials of the recipient and therefore the addresses represented personal data because further research on any of the email addresses would allow for the identification of a person via search engines, links to social media sites or similar. Since the Clinic provided gender-related services, the data should have been processed with special care. While an email address is not a special category data, the nature of data processed by the Clinic makes the data sensitive. ICO found that the Clinic failed to take appropriate security of the personal data and failed to use appropriate technical and organisational measures to ensure appropriate security of the personal data as required by Article 5(1)(f) and Article 32 of the GDPR. Examples of such measures, mentioned by ICO, included the following: (i) using an alternative and more appropriate method of sending the emails, for example by procuring software with the capability of sending individual emails (email-per-email); (ii) applying a maximum number of emails to be sent at once; and (iii) introduced double check procedure, that an email to be sent by one staff member is checked by another.

Lessons learned

Using TO and CC options when sending bulk emails is not permissible. Data controllers should pay special attention when processing personal data about the data subject’s state of health. Prevention measures that data controllers may take include introducing software that can send email-per-email, “four eyes control”, and others. If despite the measures taken the breach occurs, the conduct of the data controller after the breach is relevant. Mitigating measures, such as emails requesting that the recipients delete the initial email, are relevant when determining the fine.