The Data Protection Supervisor ordered the Ministry of Economic Development to pay a penalty of 75 thousand euros for not having appointed the Data Protection Officer (Rpd) by 28 May 2018, date of full application of the Gdpr, and to have disclosed personal information on the institutional website
For the first time the Authority has sanctioned a Pa for not having designated the RDP within the time limit set and have made the appointment and communication to the Guarantor of the contact data with considerable delay. Nevertheless, since May 2017, the Guarantor had started a comprehensive information activity aimed at all the Ministries, indicating the appointment of the RPD as one of the priorities to be taken into account in the process of adapting to the new legal framework of the Regulation.
The non-appointment, emerged during an investigation, opened by the Office also following some reports, with which it was established the presence on the website of the Ministry of a web page with a list of managers in which were visible and freely downloadable personal data of more than Small and medium-sized enterprises, which are recipients of the vouchers provided for in the 2019 Budget Act, should have been able to obtain advice to support the processes of technological and digital transformation.
The site also included the directorial decree with which the list was approved, containing data and information from all managers. In order to ascertain the lawfulness of the processing, the Privacy Supervisor considered that the directorial decree invoked by Mise, contrary to what it claims, does not constitute an adequate regulatory basis for the dissemination of data online.
The Authority also considered that the full publication of the curricula, without any filter, represents a disproportionate data processing, not in line with the principles of the Gdpr. To enable the company’s demand for advice to be met with the managers’ offer of advice, it would have been sufficient to use less invasive tools than the publication of data and information from all managers on the web, thus avoiding the risk of exposing them to unlegitimate uses For example, it could have been envisaged that selective access to reserved areas of the institutional site could be provided by the allocation of authentication credentials (e.g. username or password), or by means of the CAD tools, which would allow consultation only to be made by the C