an unnamed data subject – €3,000 Fine (Italy, 2022)

The municipality of Monte Sant'Angelo is the controller. The data subject is an excluded candidate from a competition procedure. The municipality published the results for a competition procedure on its website. The information included the names of the candidates who were excluded from the procedure. The web page was indexed on search engines. An excluded candidate asked the municipality to remove their name from the website. The municipality rejected the request. It claimed that public disclosure of the information was mandatory under Italian law (legislative decree 33/2013https://www.gazzettaufficiale.it/eli/id/2013/04/05/13G00076/sg). The candidate later submitted a complaint to the Italian DPA. The controller removed the data subject's name from its website after receiving an information request from the DPA. The DPA held that the controller violated Article 5(1)(a) (principle of lawfulness) and 6 (lawfulness of processing) GDPR by processing personal data without a legal basis. Specifically, the controller violated paragraphs (1)(c), (1)(e), (2), and (3) of Article 6. The DPA noted that legislative decree 33/2013, (and Italian administrative law in general) only require public administrations to publicly disclose the identity of the winners of competition procedures. The controller was under no legal obligation to disclose the name of the data subject, who was excluded from the procedure. The DPA pointed out that its own guidelineshttps://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3134436 and case lawhttps://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9581028https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9681778https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9732406 endorse the same approach. The DPA also held that the controller violated Article 2-ter(1)(3)https://www.gazzettaufficiale.it/dettaglio/codici/datiPersonali/1_0_1 of the Italian Privacy Cod