Comune di Siracusa – €5,000 Fine (Italy, 2024)

The Italian DPA conducted an investigation into the compliance of the Municipality of Siracusa (the controller) with data protection laws, pursuant to Article 58(1)(b) GDPR. During the investigation, it was discovered that the controller had failed to fulfil its obligation to designate a DPO and communicate their contact details to the DPA. Considering the findings, the DPA informed the controller of the start of a sanctioning procedure under Article 58(2) GDPR. The DPA also invited the controller to provide its defence in writing. The Italian DPA noted that Article 37(7) GDPR not only mandates the controller to publish the contact details of the DPO but also to communicate them to the DPA. Furthermore, it cited the “[https://ec.europa.eu/newsroom/article29/items/612048/en Guidelines on Data Protection Officers]”, adopted by the Article 29 Working Party, which outline the requirements for designating a DPO and communicating their contact details to the DPA. The Italian DPA even established in another [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9589467 document] the dedicated online procedure for entities to use in communicating the DPO's contact details. This procedure served as the solely authorised channel for such communications and was designed to ensure the efficient and secure transfer of information between entities and the DPA. Therefore, although the controller had published the contact details of the DPOs on its website, it had not officially communicated this information via established procedures to the DPA, violating Article 37(7) GDPR. The controller's attempts to rectify the situation, such as contacting the DPA by phone and submitting the contact details of the DPOs through the designated online form, were deemed insufficient by the DPA since the details were provided after the start of the proceedings. As a consequence, the DPA imposed a pecuniary administrative sanction of €5,000 on the controller for its failur