Comune di Offanengo – €8,000 Fine (Italy, 2024)

The data subject filed a complaint with the Italian DPA against the controller, a municipality, due to the publishing on their official website, of all deliberations concerning the data subject, containing personal data, like email correspondence between the controller and the data subject, letters concerning proceedings, the data subject´s leave calendar (annual leave, accepted and rejected days off, payment) as well as sensitive data, like the data subject´s belonging to a trade union. The controller argued that: # No personal data connected to the private life of the data subject was published, except for his name and surname in initials and their personal details were only present in one document. # The facts in question happened in the Context of the Covid-19 emergency. # The personal data published were already public for transparent communication due to national law governing access to information kept by the public administration ([https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2013-03-14;33!vig d.lgs. 33/2013]). The DPA started by considering that the GDPR applies to the case as the use of initials is insufficient to avoid the identifiability of the data subject. First, on the lawfulness of the processing, the DPA recognised that public authorities are allowed to treat data subjects´ personal data as per Article 6(1)(c) GDPR, but specified that the fact that it is a public authority doing the processing is not sufficient to fall within the scope of this provision. Second, on the processing of sensitive data, under Article 9(1) GDPR, the DPA found that, even if it not explicitly written, the fact that a document was signed by a trade union was sufficient to indirectly establish the data subject´s membership. Third, it considered that national law ([https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto.legislativo:2000-08-18;267~art124 Art.124 d.lgs. 267/2020]) provides that any publications in the online website are still