On 14th January 2021, the Italian Data Protection Authority (the "Garante") sanctioned the Lazio Region, ordering the payment of € 75,000.00 for (i) failure to appoint the supplier as data processor under Article 28 GDPR and (ii) breaching the accountability principle (Register of decision no. 9 of 14th January 2021).
Background
Since 1999, the Lazio Region had entrusted the regional call centre service (ReCUP) to a supplier (“Company A”), without designating Company A as data processor even before the GDPR came into force.
Between 2003 and 2005, Lazio Region entrusted a different company (“Company B”) with the development, organization, and management of the regional information system, including the call centre service.
Between 2005 and 2006, Lazio Region transferred the contract entered into with Company A to Company B and appointed Company B as data processor. From a legal standpoint, Company A would therefore have been a sub-processor, though none of the agreements between the parties reflected this.
In 2018, Company B designated the call centre operators (i.e., Company A employees) as authorized persons, under Article 30 of the Italian Data Protection Code in force at the time, but without entering into a data processing agreement with Company A.
The Italian DPA’s assessment
Below are the main points noted by the Garante:
The application of the administrative fine
The Garante decided to set the fine at € 75,000 for the violation of the accountability principle (Article 5, Paragraph 2, Letter a of the GDPR) and for failure to designate Company A as data processor under Article 28 GDPR.
This administrative sanction has been imposed in light of the elements provided for in Article 85, paragraph 2, of the GDPR, in relation to which the Garante noted in particular that: