Lombardy Region – €20,000 Fine (Italy, 2023)
The Lombardy Region published personal data of about 732 workers on its website, including sensitive health information. This ruling serves as a reminder that public entities must protect personal data even when fulfilling transparency obligations. The region was fined €20,000 for this breach.
What happened
The Lombardy Region disclosed personal data of approximately 732 workers on its institutional website without proper consent.
Who was affected
The 732 workers whose personal and sensitive data was published online by the Lombardy Region.
What the authority found
The Italian data protection authority found that the Lombardy Region violated data protection rules by not ensuring proper consent and protection of personal data.
Why this matters
This ruling highlights the need for public entities to carefully manage personal data, especially during transparency efforts. Organizations should implement strict data protection measures to avoid similar violations.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The Lombardy Region, acting as the data controller, published personal data of approximately 732 workers on its institutional website. The data included details related to the employment relationship, legal proceedings, remuneration, length of service, qualifications, and, notably, information about a worker's health. The publication of this information was then brought to the attention of the Italian DPA by two Trade Union Associations.
In response, the DPA requested the controller to provide clarifications. The controller explained that the publication occurred in the context of fulfilling transparency obligations under Article 22 of Legislative Decree 33/2013 (https://def.finanze.it/DocTribFrontend/getAttoNormativoDetail.do?ACTION=getSommario&id=%257BFBD758F1-FC33-4DA4-89A2-4721CC605EAE%257D#:~:text=33%2520%252D,da%2520parte%2520delle%2520pubbliche%2520amministrazioni.). The controller also contended that it did not process the data received from the relevant employees as their employer. Instead, it did so solely to fulfil its obligations to publish data related to transactions between legal entities. In that regard, because it did not act as an employer, it could not be attributed the responsibility to guarantee the principles of data minimisation, data accuracy and transparency. The controller further emphasised that the publication took place during a pandemic emergency, affecting its capacity. Thus, the controller stated that its liability in the dissemination of the data in question could be considered mere negligence in a sporadic episode occurring in an exceptional situation.
The Italian DPA declared the processing illegal. Firstly, the DPA recalled that data processing by a public entity may be carried out only if necessary for compliance with a legal obligation or for a task to be carried out in the public interest, pursuant to Article 6(1)(c) and (e) GDPR. It further noted that pursuant to Article 9(2) GDPR, the controller correctly process
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Lombardy Region in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 October 2023
Authority
Garante per la protezione dei dati personali
Fine Amount
€20,000
GDPRhub ID
gdprhub-6583
About this data
Cite as: Cookie Fines. Lombardy Region - Italy (2023). Retrieved from cookiefines.eu