DLP Insights

Data Protection Authority: entrusting processing to third parties requires the adoption of appropriate measures (Norme e Tributi Plus Diritto of Il Sole 24 Ore, 23 June 2022 – Enrico De Luca, Martina De Angeli)

Categories: DLP Insights, Publications, News, Publications | Tag: GDPR

23 Jun 2022

The Italian Data Protection Authority (“Garante”), in its 28 April 2022 injunction of 28 April 2022, imposed on a company in charge of managing the municipal waste collection service for the Municipality of Taranto (the “Municipality”), a € 200,000 fine for having entrusted processing personal data to a sub-processor without having requested and obtained specific or general written authorisation from the Municipality – the data controller.
Following widespread waste abandonment within the area under its responsibility, the municipality entrusted an owned company the task to verify and contest any offences arising from the violation of the municipal regulations on waste disposal. The municipality and the company agreed on installing video surveillance systems at sites considered particularly sensitive, as they were the places where the illegal dumping of waste occurred more frequently.
From a report received by the Data Protection Authority, it emerged that the company disseminated, through the publication on its Facebook profile of videos and images, collected through the above video surveillance systems, from which the offending citizens were or could be identified.

Following the report received, the Authority opened a preliminary investigation which revealed that the company started processing in March 2012 under a municipal ordinance without the relationship regulated under the previous legislation.
Since November 2020, it had used a supplier (designated as data controller) for the collection of video surveillance images without the “prior specific or general written authorisation of the data controller (ed. the Municipality)” as required by art. 28 of the GDPR. In January 2022, the Municipality and the company signed an “agreement for the protection of personal data and appointment as an external data controller” under art. 28 of the GDPR. In that agreement, the Municipality specified that “upon its prior written authorisation, the company may make Municipality-owned personal data available to third parties (as sub-processors), to entrust them with part of the processing activities.”

Continue reading the full version published in Norme & Tributi Plus Diritto of Il Sole 24 Ore

More news