Bank of Italy – Violation Found (Italy, 2022)
The Bank of Italy accidentally disclosed the email addresses of 500 job applicants to one another: during a recruitment procedure, an employee sent a group email with the applicants in CC rather than BCC, so every recipient could see every other recipient's address. Nobody complained and the data protection office was not informed at the time, but the Garante still found a GDPR violation. The case shows that a routine mail-client slip is a personal data breach, and that staff need both a safe way to send one-to-many messages and a clear duty to report a mistake when it happens.
What happened
An employee at the Bank of Italy sent an email to 500 job applicants with their addresses in the CC field instead of BCC, revealing each applicant's email address to all the others.
Who was affected
The 500 job applicants whose email addresses were exposed to each other in the email sent by the Bank of Italy.
What the authority found
The Italian data protection authority (Garante) held that the email addresses were personal data, since the applicants could be identified through them, and that disclosing them to the other recipients was a processing operation carried out without any legal basis. This infringed Article 5(1)(a) (lawfulness) and Article 6 GDPR. No fine was imposed: the Bank had technical and organisational measures in place, this was its first infringement, and no special categories of data under Article 9 were involved.
Why this matters
This incident shows that even a large, well-resourced organisation can cause a breach with a single click in a mail client. Training alone is a weak control: a bulk-mailing procedure should not depend on each employee remembering to use BCC. The case also shows why prompt internal reporting matters. Because the employee did not inform the data protection office, the Bank could not run its breach procedure, which involves the DPO and the staff responsible for GDPR compliance, until it learned of the incident later and had to ask recipients to delete the message.
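One way to make the CC-instead-of-BCC mistake structurally impossible is to build one-to-many notices through a helper that always puts the recipient list in Bcc, and to run a pre-send check that refuses any message in which more than one recipient address is mutually visible. The following is an added example written for this page, not code from the Bank of Italy or the Garante; the applicant addresses, the sender address and the one-visible-address limit are constructed assumptions for the demonstration.

```python
"""Guard against the CC-instead-of-BCC disclosure described on this page.

Added example, not code from the Bank of Italy or the Garante. The
recipient list and sender address below are constructed stand-ins.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample: stand-in applicant addresses, not real data.
APPLICANTS = [f"applicant{i}@example.org" for i in range(1, 6)]
SENDER = "recruitment@example.com"  # constructed stand-in sender


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: everyone listed in To: and Cc:.
    Bcc: is deliberately excluded because the MTA strips it before delivery."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(raw) if addr]


def exposure_findings(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Pre-send check. Returns a list of findings (empty means safe to send).
    max_visible=1 allows the sender's own address in To: and nothing else."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        return [
            f"{len(seen)} recipient addresses are mutually visible "
            f"(limit {max_visible}); move the recipient list to Bcc"
        ]
    return []


def build_bulk_message(sender: str, recipients: list[str], subject: str,
                       body: str, *, use_bcc: bool = True) -> EmailMessage:
    """Build a one-to-many notice.

    With use_bcc=True (the safe default) the recipient list goes into Bcc and
    To: carries only the sender, so no applicant sees another's address.
    use_bcc=False reproduces the Cc mistake so the check can be demonstrated.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    msg["Bcc" if use_bcc else "Cc"] = ", ".join(recipients)
    return msg


def send_with_guard(msg: EmailMessage, deliver) -> bool:
    """Hand the message to `deliver` (e.g. smtplib.SMTP.send_message) only if
    the exposure check passes. Returns True if delivered, False if blocked."""
    if exposure_findings(msg):
        return False
    deliver(msg)
    return True


if __name__ == "__main__":
    outbox = []
    safe = build_bulk_message(SENDER, APPLICANTS, "Feedback request", "Hello")
    unsafe = build_bulk_message(SENDER, APPLICANTS, "Feedback request", "Hello",
                                use_bcc=False)
    print("safe delivered:", send_with_guard(safe, outbox.append))
    print("unsafe delivered:", send_with_guard(unsafe, outbox.append))
    print("findings:", exposure_findings(unsafe))
```

`smtplib.SMTP.send_message` removes the Bcc header from the transmitted message and uses the Bcc addresses only as envelope recipients, so the safe form delivers to every applicant without disclosing the list. Where even the shared Bcc list is undesirable (for example, to keep per-recipient audit trails), the same helper can be called once per applicant instead.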
GDPR Articles Cited
Article 4(1) (definition of personal data), Article 4(2) (definition of processing), Article 5(1)(a) (lawfulness, fairness and transparency), Article 6 (lawfulness of processing), Article 9 (considered; not engaged, since no special categories of data were disclosed)
Original scraped summary (before verification against the source decision)
During a recruitment procedure, an employee of the Bank of Italy (the controller) accidentally sent an email to 500 participants in which the email address of each candidate was clearly visible. By using the carbon copy (CC) field instead of blind carbon copy (BCC), the employee disclosed the job applicants' email addresses to one another. The email contained general information, including a feedback request.

The employee did not inform the office in charge of data protection, and the participants did not raise any complaints. Consequently, in the immediate aftermath of the event the Bank could not activate its data breach procedure, which provides for the involvement of the DPO and of the other staff members responsible for compliance with the GDPR and the relevant national legislation. When the controller became aware of the breach, it sent another email to the job applicants instructing them to delete the email containing the visible addresses and not to use the addresses or disclose them to third parties. The controller also argued that the event was an isolated one and did not reflect the organisational measures that the Bank of Italy applies to the protection of personal data.

The Italian DPA investigated the matter and held that the Bank had violated Article 5(1)(a) and Article 6 GDPR. The email addresses were personal data, because the participants could be identified through them (Article 4(1) GDPR). By disclosing them, the Bank of Italy had carried out a processing operation (Article 4(2) GDPR) without any legal basis. However, the DPA took into account that the controller had implemented technical and organisational measures and that this was its first violation. Moreover, the data disclosed did not fall under the special categories of data in Article 9 GDPR. Therefore, the DPA concluded that the circumstances of the infringement qualified it as
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Bank of Italy in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
23 February 2022
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-5774
Cite as: Cookie Fines. Bank of Italy - Italy (2022). Retrieved from cookiefines.eu