Comune di Nepi – €20,000 Fine (Italy, 2024)

In 2015 the controller, a municipality, organised a public selection procedure to hire public servants. The data subject participated in this competition. The controller published on its website a list of candidates, both the ones whose application was successful and also the ones whose application was unsuccessful. The data subject, whose application was unsuccessful, asked the controller to remove her name from the website. The controller pointed out that its website is managed by an external company and that it had contact this company to have the name removed. Moreover, it argued that it had a legal obligation to publish this data, since [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2013-03-14;33~art19 Article 19(1) of the law governing access to information kept by the public administration] (d.lgs. 33/2013) foresees that the final rankings of this type of competition must be published online. However, [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2013-03-14;33~art8 Article 8(3) of the same law] sets a time limit of 5 years after the publication. After this time, the document should be removed from the website. On this point, the controller pointed out that it remained published even after this time limit because, in the meantime, it had changed the company providing the website management services. First, the DPA pointed out that the controller, a public administration, can normally process personal data if it can rely on the legal basis provided for by Article 6(1)(c) and (e) GDPR. The DPA noted that, on the one hand, it is true that national law sets an obligation to publish the rankings of a competition. On the other hand, this obligation concerns only the final ranking, i.e. the ranking containing the names of the hired applicants. Therefore, the controller was not obliged to publish this sort of ranking including also the unsuccessful applicants. In the case at hand, the controller published the n