Comune di Villasimius – €4,000 Fine (Italy, 2024)

The controller, a municipality, organised a public selection procedure to hire the head of one of its units. The data subject took part in this procedure and shared personal data with the controller, such as her CV, her birth date and her graduation mark. The controller published on its website the minute of the board meeting evaluating the candidates. This document contained the abovementioned personal data. The data subject requested the controller to erase her personal data. However, the controller did not reply. Therefore, the data subject filed a complaint with the DPA. The controller pointed out that after the DPA’s notice it removed the document from the website. Moreover, it noted that the data subject sent the erasure request not to the DPO email address, but to the personal email of the general secretary of the municipality in a time when that role was vacant. Finally, the controller argued that it published the document in order to comply with its transparency obligations. First of all, the DPA pointed out that a public authority may only process personal data under Article 6(1)(c) or 6(1)(e) GDPR. In the case at hand, the controller argued that it was under a legal obligation to publish the evaluation of the data subject in order to comply with the transparency obligations set by national administrative law. However, the DPA noted that, while a previous version of the applicable law prescribed the publication of the document at hand, the one in force at the moment of the violation (e.g. [https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2013-03-14;33~art19 Article 19(1) d.lgs. 33/2013]) sets an obligation to publish only the final ranking, i.e. only the name of the person which was successfully selected. Therefore, the DPA found a violation of Article 5(1)(a) and 6 GDPR. Finally, the DPA noted that the controller did not timely answer the data subject’s erasure request and did so only when the DPA initiated the proceeding. Ther