Azienda Ospedaliera di rilievo nazionale “A. Cardarelli” – €80,000 Fine (Italy, 2020)

The hospital (the controller) organized an open competition. Due to a technical problem, the the participants' personal data, including health data, was published on the controller's website. It appears from the proceedings that a part of the controller's technical infrastructure was managed by a third party, especially for the handling of online job applications . The controller argues that it has no responsibility as the conduct is entirely attributable to the malpractice of the third party company. The DPA held that the hospital is a controller under the GDPR. The technical and organisational measures adopted by the controller through the service provider for the management of the candidates' applications did not prove adequate to the risks of the specific processing. The DPA mentions, in particular, the security of the data, the methods for accessing it using the "http" protocol and the methods for transmitting them to the hospital after the submission. In this context, the controller did not provide the processor with the necessary instructions, nor did it in any way supervise or reviewe the security of the data processed by the processor under Article 28(3)(a) and (h) GDPR. For these reasons, the responsibility of the security incident cannot be attributed "solely to the outsourcer", as argued by the controller. The controller failed to adopt adequate technical and organisational measures to ensure the confidentiality and integrity of the personal data processed through the processor's platform. In doing so it violated, amongst the others, Articles 5(1)(a), 28 and 32 GDPR.