DATA PROTECTION
Court of Auditors: the privacy officer and not the mayor is liable for the fiscal damage caused by sanctions imposed by the Privacy Guarantor on the municipality.
The subject of Judgment No. 1/2024 of the Jurisdictional Section of the Court of Auditors of Bolzano is the compensation of the undue pecuniary loss suffered by the municipality as a consequence of the sanction imposed by the Garante for several violations of the regulations on personal data. The adjudicating collegium had been called upon to ascertain the existence of the prerequisites of accounting liability in respect of the mayor as legal representative in charge of the entity's data processing and in respect of the official in charge of the administrative procedures concerning the protection of personal data.
With reference to the mayor, the judging panel points out that the duties and related responsibilities of the data controller are identified by the European and national legislator in a broad manner, in order to protect the injured private party vis-à-vis the data controller-legal person.
However, at the time when the liability must reverberate on the natural person who is the legal representative of the entity, one cannot fail to take into account the size of the entity, the multiplicity of tasks assigned to a mayor of a provincial capital, the technical nature of the subject matter and, above all, whether or not a potentially suitable organisation has been set up. Having assessed these elements, the Board considers that the requirement of serious misconduct does not exist, since the mayor relied on the work of the person in charge and of the appointees and could not actually be called upon to deal personally with the technical aspects of privacy protection.
Different considerations, on the other hand, are made by the College in relation to the position of the official in charge of administrative procedures concerning the protection of personal data. In fact, he had the task of approving the outlines of mandatory acts and guidelines and the security policy document, as well as preparing amendments to the regulation for the processing of sensitive and judicial data.
Following Decree No. 14/S/2018 of 24 May 2018, he then took on the role of Privacy Manager, i.e. internal coordinator of GDPR compliance activities.
It follows that the contested obligation to take action to verify the compliance of the internal regulatory framework with the regulatory framework introduced by Legislative Decree No 151 of 4 September 2015, as well as a general duty of supervision, may be deemed to exist against him. Hers is therefore an omissive conduct attributable to the damage suffered by the municipality following the imposition of a sanction.
The judicial body therefore held that the contested omissions were clearly attributable to the occurrence of the conduct subject to sanction, which could have been avoided. Likewise, the psychological element of serious misconduct can be deemed to exist, given that the episodes taken into consideration by the Supervisor are not individual.
In conclusion, the panel of judges considers that the claim for damages brought against the official in charge of the administrative proceedings concerning the protection of personal data is worthy of acceptance, whereas the claim brought against the mayor should be excluded.
Source: Il Sole 24 Ore - by Corrado Mancini
With reference to the mayor, the judging panel points out that the duties and related responsibilities of the data controller are identified by the European and national legislator in a broad manner, in order to protect the injured private party vis-à-vis the data controller-legal person.
However, at the time when the liability must reverberate on the natural person who is the legal representative of the entity, one cannot fail to take into account the size of the entity, the multiplicity of tasks assigned to a mayor of a provincial capital, the technical nature of the subject matter and, above all, whether or not a potentially suitable organisation has been set up. Having assessed these elements, the Board considers that the requirement of serious misconduct does not exist, since the mayor relied on the work of the person in charge and of the appointees and could not actually be called upon to deal personally with the technical aspects of privacy protection.
Different considerations, on the other hand, are made by the College in relation to the position of the official in charge of administrative procedures concerning the protection of personal data. In fact, he had the task of approving the outlines of mandatory acts and guidelines and the security policy document, as well as preparing amendments to the regulation for the processing of sensitive and judicial data.
Following Decree No. 14/S/2018 of 24 May 2018, he then took on the role of Privacy Manager, i.e. internal coordinator of GDPR compliance activities.
It follows that the contested obligation to take action to verify the compliance of the internal regulatory framework with the regulatory framework introduced by Legislative Decree No 151 of 4 September 2015, as well as a general duty of supervision, may be deemed to exist against him. Hers is therefore an omissive conduct attributable to the damage suffered by the municipality following the imposition of a sanction.
The judicial body therefore held that the contested omissions were clearly attributable to the occurrence of the conduct subject to sanction, which could have been avoided. Likewise, the psychological element of serious misconduct can be deemed to exist, given that the episodes taken into consideration by the Supervisor are not individual.
In conclusion, the panel of judges considers that the claim for damages brought against the official in charge of the administrative proceedings concerning the protection of personal data is worthy of acceptance, whereas the claim brought against the mayor should be excluded.
Source: Il Sole 24 Ore - by Corrado Mancini
