Territorial Agency of the Puglia Region for the waste management service (AGER) – €6,000 Fine (Italy, 2024)

Garante received a complaint from an employee of the Territorial Agency of the Puglia Region for Waste Management (AGER) alleging that her performance evaluation sheet of 2019, was mistakenly recorded as a non-confidential document, making it accessible to individuals authorized to use the Agency’s protocol system, but not directly involved in the matter. The data subject also highlighted the lack of adequate information or consultation regarding data processing policies by the Agency's DPO. The data controller acknowledged that the evaluation sheet was mistakenly filed as “ordinary” instead of “confidential.” However, it provided system logs showing that only individuals directly involved in the process accessed the document. Garante considered that the data controller's mistake in filed the document as "ordinary" instead of "confidential", even with the system logs showing that only individuals directly involved in the process accessed the document, was a failure to implement sufficient organizational measures to prevent such risks. The agency appointed its DPO in 2020, significantly later than the May 25, 2018, deadline set by GDPR. This delay constituted a violation of Article 37 GDPR. Also, Garante highlighted that the data controller failed to timely publish or communicate the DPO's contact details, violating Article 13 and Article 37 GDPR. The data controller cited organizational challenges and difficulties stemming from the COVID-19 pandemic as contributing factors. For this reason, Garante fined the data controller 6,000 EUR for not having designated the DPO timely, neither informing the data subjects of the DPO's contact details and communicating these data to the DPA.