A municipality – Complaint Upheld (Italy, 2025)

A town council published personal data of a town councilor (the data subject) on its website. The data included the data subject’s CV and a declaration that no causes of incompatibility prevented his election as councilor. After resigning from office, the data subject filed a complaint, claiming that the publication of his personal data on the municipality’s website was illegal. The municipality was considered to be the controller for the purpose of the complaint. In its defense, the controller claimed that the publication of the data was lawful under the legal basis of 6(1)(c) GDPR (legal obligation). Specifically, the controller argued that national law (specifically, [https://www.gazzettaufficiale.it/eli/id/2013/04/19/13G00081/sg Article 20 d. lgs. 39/2013]) required it to publish the data subject’s information and to keep it available for three years despite his resignation from office. During the investigation, the DPA incidentally found that the controller had appointed a DPO but had not communicated their contact details to the DPA. The DPO upheld the complaint and issued a warning. = The DPA clarified that the provisions invoked by the controller, only required the publication of information about administrative officers, not political officers. In this regard, the DPA referred to the guidance from Italy’s anti-corruption authority. On these grounds, the DPA held that the controller unlawfully published the subject’s data. The DPA considered this a violation of Articles Article 5 GDPR and Article 6 GDPR, Article 2-ter of Italy’s data protection code, and two provisions of Italian administrative law (Articles 7-bis and 14 d. lgs. 33/2013). Additionally, the DPA found that the controller violated the principle of data minimisation (5(1)(c) GDPR) by processing data that were not necessary for the purpose of administrative transparency. = The DPA held that the controller violated Article 37(7) GDPR by failing to communicate the contact details of its DPO. Th