CEDHCASELAW;DECISIONS;ADMISSIBILITY;ENG4
CEDH · CASELAW;DECISIONS;ADMISSIBILITY;ENG — 5 novembre 2024
- ECLI
- ECLI:CE:ECHR:2024:1105DEC002557811
- Date
- 5 novembre 2024
- Publication
- 5 novembre 2024
droits fondamentauxCEDH
Source : DILA / Judilibre · open data
Mes notes
privées · visibles par vous seulRésumé structuré
version préliminaireFaits
Non déterminable à partir du texte fourni.
Procédure
Non déterminable à partir du texte fourni.
Question juridique
Non déterminable à partir du texte fourni.
Solution
source officielleInadmissible (Art. 35) Admissibility criteria;(Art. 35-1) Exhaustion of domestic remedies;(Art. 35-3-a) Ratione personae
Résumé généré automatiquement — à vérifier avec la décision originale.
Analyse IA non disponible
Générez un résumé intelligent de cette décision
Texte intégral
.s800EAC49 { font-size:12pt } .sFE10DC93 { margin-top:0pt; margin-bottom:0pt; text-align:center } .sBB9EE52A { font-family:Arial } .s2EF17D91 { margin-top:0pt; margin-bottom:0pt; text-align:center; font-size:2pt } .s5E1364CA { margin-top:0pt; margin-bottom:12pt; text-align:center; page-break-inside:avoid; page-break-after:avoid; font-size:14pt } .s339D85E6 { margin-top:0pt; margin-bottom:14pt; text-align:center; page-break-inside:avoid; page-break-after:avoid } .s5FFF0A77 { margin-top:0pt; margin-bottom:0pt; font-size:1pt } .s10950C61 { margin-top:0pt; margin-bottom:0pt; text-indent:14.2pt; text-align:justify } .s32563E28 { margin-top:0pt; margin-bottom:0pt } .sB9D5CABB { width:28.35pt; display:inline-block } .sA36B60A1 { font-family:Arial; font-style:italic } .s3AAE10DF { margin-top:14pt; margin-bottom:12pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; font-size:14pt } .s3CA22BA { font-family:Arial; text-transform:uppercase } .s6B505E72 { margin:0pt; padding-left:0pt } .s6C5BED22 { margin-left:25.5pt; margin-bottom:12pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; font-family:Arial; font-weight:bold } .s743F3A55 { margin-right:0pt; margin-left:0pt; padding-left:0pt } .s2044A09A { margin-left:6.51pt; margin-bottom:6pt; page-break-inside:avoid; page-break-after:avoid; padding-left:1.99pt; font-weight:normal; font-style:italic } .s9D48DD53 { margin-top:6pt; margin-left:21.25pt; margin-bottom:6pt; text-indent:7.1pt; text-align:justify; font-size:10pt } .sAE6FB95D { margin-top:14pt; margin-left:32.01pt; margin-bottom:6pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; padding-left:1.99pt; font-family:Arial; font-style:italic } .s3A692EA6 { margin-top:14pt; margin-bottom:6pt; text-align:center; page-break-after:avoid; font-size:10pt } .s29100277 { font-family:Arial; font-weight:bold } .sA2548810 { margin-top:14pt; margin-bottom:0pt; text-align:center; page-break-after:avoid; font-size:10pt } .s718D1C37 { margin-top:0pt; margin-bottom:6pt; text-align:center; page-break-after:avoid; font-size:10pt } .s5E8F5A28 { margin-top:14pt; margin-left:25.5pt; margin-bottom:12pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; font-family:Arial; font-weight:bold } .s65DDED6B { margin-top:14pt; margin-left:42.55pt; margin-bottom:6pt; text-indent:-17.05pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .sDBC81028 { width:4.83pt; font:7pt 'Times New Roman'; display:inline-block } .s7AE800C3 { width:4.28pt; font:7pt 'Times New Roman'; display:inline-block } .s715E7C6D { margin-top:14pt; margin-left:25.5pt; margin-bottom:12pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .sF54F3725 { margin-top:0pt; margin-left:42.55pt; margin-bottom:6pt; text-indent:-17.05pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .s434D37A9 { margin-top:0pt; margin-bottom:0pt; text-indent:14.2pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .sCD82236A { margin-top:14pt; margin-left:51.05pt; margin-bottom:6pt; text-indent:-17.05pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; line-height:113%; font-size:10pt } .s3970C00F { width:8.17pt; font:7pt 'Times New Roman'; display:inline-block } .s320E5A8E { width:5.95pt; font:7pt 'Times New Roman'; display:inline-block } .s2D9C6089 { margin-top:12pt; margin-bottom:12pt; text-indent:14.2pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .s84651E4E { margin-top:14pt; margin-left:14.2pt; margin-bottom:3pt; text-align:justify } .s69DCC830 { margin-top:36pt; margin-bottom:0pt } .sC986E16F { font-family:Arial; color:#ffffff } .sD8AE9261 { width:36.9pt; display:inline-block } .s6B870CDD { width:153.11pt; display:inline-block } .s5A65B3DC { width:46.56pt; display:inline-block } .s44B8752F { width:177.11pt; display:inline-block }     FIRST SECTION DECISION Application no. 25578/11 Luca CASARINI against Italy   The European Court of Human Rights (First Section), sitting on 30   August   2022, 16 April and 5 November 2024 as a Chamber composed of:   Marko Bošnjak , President ,   Péter Paczolay,   Alena Poláčková,   Erik Wennerström,   Raffaele Sabato,   Lorraine Schembri Orland,   Davor Derenčinović , judges , and Ilse Freiwirth, Section Registrar, Having regard to the above application lodged on 18 April 2011, Having regard to the observations submitted by the respondent Government and the observations in reply submitted by the applicant, Having deliberated, decides as follows: THE FACTS 1.     The applicant, Mr Luca Casarini, is an Italian national, who was born in 1967 and lives in Marghera. He was represented before the Court by Ms   A.   Mascia, a lawyer practising in Vérone. 2.     The Italian Government (“the Government”) were represented by their Agent, Mr L. D’Ascia, Avvocato dello Stato . 3.     The facts of the case may be summarised as follows. 4 .     The Taxpayer Information Service ( Servizio per le informazioni sul contribuente – Serpico ) is a database of the Tax Registry ( Anagrafe tributaria ) which, as provided in Article 1 of Presidential Decree no. 605 of 29 September 1973 (“Decree no. 605/1973”), stores data and information from declarations and complaints addressed to the offices of financial authorities and from related investigations, as well as data and information that may be relevant for tax purposes (see paragraphs 13 and 20 below). According to the evidence submitted by the applicant and not contested by the Government, it includes information on gas, water, electricity and telephone expenses, interest expenses on liabilities, social security contributions, bank transfers, data on vehicle registration in the public register of automobiles, sports club memberships, and taxpayers’ travel expenses, among others. 5 .     On 19 October 2010 the applicant, a political activist and member of the “No Global” movement, learned from a newspaper article that F.D., an officer of the Revenue Police ( Guardia di finanza ), had unlawfully extracted information concerning him from the Tax Registry, in particular, from the Taxpayer Information Service database, and had passed it to G.A., a journalist working for a well-known Italian magazine. The article also reported that F.D. was accused of having repeatedly accessed the database to collect information concerning public persons at the request of G.A., who then used that information to publish articles on them. 6 .     On 21 January 2011 the applicant lodged a criminal complaint against F.D. and G.A. with the Milan public prosecutor’s office. 7 .     Meanwhile, in response to reports lodged by the Revenue Police on 23   February, 14 July and 17 September 2010, criminal proceedings had been opened in respect of F.D. and G.A. on suspicion of having unlawfully accessed the Taxpayer Information Service database. The indictment listed three hundred and twenty-eight injured parties, including the applicant. 8.     On 8 March 2011, at the end of a plea-bargaining procedure, the Brescia preliminary hearings judge sentenced F.D. and G.A. to suspended sentences of two and one years, respectively. 9.     In the judgment, the Brescia preliminary hearings judge stated that while F.D. had the right to access the Taxpayer Information Service database in his capacity as a military officer working in the operations room of the Revenue Police, investigations had shown that in the years 2008 and 2009 he had accessed the database 1,372 times without any justification related to the fulfilment of his duties. The access had been aimed at wrongfully acquiring financial information on prominent figures in the Italian judiciary and cultural, political and institutional spheres, and had been carried out at the request of an unauthorised person, G.A., who had used the information in articles for the magazine he worked for and other newspapers belonging to the same editorial group. 10.     It was explained in the judgment that access to the database by military personnel working in operations rooms was recorded on a special internal register which registered the call sign of the squad and the location, place and time of each access. Analysis of those data had shown that the unlawful access had been carried out using F.D.’s personal password and at a time when he was physically present in the operations room. On 11   February 2010 the head of the operations room had reported F.D.’s unlawful activities. 11.     The Revenue Police subjected F.D. to disciplinary measures. On 18   October 2010 they suspended him from duty as a precautionary measure and on 21 April 2011 he was stripped of his rank and put at the disposal of another service as a common soldier. 12.     On 1 March 2013 the Brescia preliminary investigations judge discontinued the criminal proceedings subsequently brought by the applicant on the basis that F.D. had already been sentenced on the basis of the same facts by the judgment of 8 March 2011. RELEVANT LEGAL FRAMEWORK AND PRACTICE Relevant domestic law Presidential Decree no. 605 of 29 September 1973 (Provisions concerning the Tax Registry and the Taxpayers’ Tax Identification Number) 13 .     Article 1 of Presidential Decree no. 605/1973 sets forth the functions of the Tax Registry. It reads as follows: “1.     The Tax Registry collects and organises on a national scale data and information from declarations and complaints addressed to the offices of financial authorities and from related investigations, as well as data and information that could be relevant for tax purposes. 2.     The data and information collected are communicated to the Ministry of Finance bodies in charge of assessment and inspection activities relating to tax enforcement and, in particular, for the purpose of assessing overall fiscal capacity and any subsequent rectifications of declarations and assessments ...” Decree-Law no. 201 of 6 December 2011 (Urgent provisions for economic growth, equity and consolidation of public accounts), converted into law on 22 December 2011 (Law no. 214/2011) 14.     At the date of 28 December 2011, section 11 of Decree ‑ Law no.   201/2011 read as follows: “... 2.     As from 1 January 2012, financial operators are obliged to periodically communicate to the Tax Registry the transactions involving the [financial] relationships referred to in Article 7 § 6 of Presidential Decree no. 605 of 29 September 1973, and any information relating to the relationships mentioned above necessary for tax inspections, as well as the amount of the financial transactions referred to in the provision above. The data communicated are filed in the special section of the Tax Registry provided in Article 7 § 6 Presidential Decree no. 605 of 29 September 1973, and subsequent amendments. 3.     By order of the Director of the Revenue Agency, after consulting the trade associations of financial operators and the Data Protection Authority, the procedures for the communication mentioned in § 2 shall be established, extending the obligation to communicate also to further information related to the relationships strictly necessary for tax inspections. The order shall also provide for adequate technical and organisational security measures for the transmission and storage of the data, which shall not exceed the maximum time-limits provided for income tax assessment.” 15.     The order of the Director of the Revenue Agency of 25   March   2013 specified that the data referred to in section 11 of Decree-Law no. 201/2011 should have been deleted by 31 December of the sixth year after the year to which the communication referred. 16.     Section 11 of Decree-Law no. 201/2011 was amended by section 16 ‑ quater , subsection 1, of Decree-Law no. 119 of 23   October   2018, converted into Law no. 136 of 17 December 2018, which currently sets the maximum legal time-limit for storage of those data at ten years. Legislative Decree no. 196 of 30 June 2003 (Personal Data Protection Code) 17 .     The relevant provisions of the Personal Data Protection Code, which was in force at the material time, read as follows: Article 3: Principle of necessity of data processing “Information systems and computer programs shall be configured to minimise the use of personal and identification data so as to avoid processing them when the purposes pursued in each case can be achieved by means of, respectively, anonymous data or appropriate methods which allow the person affected to be identified only when necessary.” Article 7: Right of access to personal data and other rights “1.     The person concerned has the right to obtain confirmation of the existence of personal data concerning him or her, and to have them communicated to him or her in an intelligible form. 2.     The person concerned has the right to obtain information concerning: (a)     the origin of the personal data; (b)     the purposes and methods of processing; (c)     the logic applied in the event of electronic processing; (d)     the identification of the data controller, the data processor and the representative appointed in accordance with Article 5 § 2; (e)     the persons or entities or categories thereof to whom the personal data can be communicated ... 3.     The person concerned has the right to obtain: (a)     the updating, rectification or, if requested, integration of personal data; (b)     the deletion, anonymisation or blocking of access to data processed in breach of the law, including data whose conservation is not necessary in relation to the purposes for which they were collected and subsequently processed; ...” Article 11: Arrangements for the processing and categorisation of data “1.     Personal data subject to processing are: (a)     processed lawfully and fairly; (b)     collected and recorded for specific, explicit and legitimate purposes, and further processed in a manner that is compatible with those purposes; (c)     accurate and, where necessary, kept up to date; (d)     relevant, complete and limited to what is necessary in relation to the purposes for which they are collected or subsequently processed; (e)     kept, in a form that allows the identification of the person concerned, for a period not exceeding the time necessary to achieve the objectives for which the data have been collected and subsequently processed. ...” Article 12: Codes of ethics and good conduct “1.     The Data Protection Authority shall promote within the categories concerned, in compliance with the principle of representativeness and taking into account the guiding criteria of the recommendations of the Council of Europe on personal data processing, the issuance of codes of ethics and good conduct for specific sectors, verify that they comply with laws and regulations, in particular, through the examination of stakeholders’ observations, and contribute to ensure their dissemination and compliance with them. ... 3.     Compliance with the provisions contained in the codes referred to in paragraph   1 shall constitute an essential condition for the lawfulness and correctness of personal data processing carried out by private and public entities. ...” Article 15: Damage arising from data processing “1.     A person who causes damage to a third person as a consequence of the processing of his or her personal data must compensate the person concerned under Article 2050 of the Civil Code. 2.     The person concerned is also entitled to obtain compensation for non-pecuniary damage resulting from a breach of Article 11.” Article 18: Principles applicable to processing by public entities “... 2.     Any processing of personal data by public entities shall be permitted for the performance of their institutional duties only. 3.     In processing the data, the public entity shall comply with the requirements and limits established by the present Code, also having regard to the nature of the data, statutes and regulations. 4.     Without prejudice to what is provided for in Part II for health professionals and public health bodies, public entities do not have to request the consent of the person concerned. 5.     The provisions of Article 25 on data communication and dissemination shall be complied with.” Article 19: Principles applicable to processing of data other than sensitive and judicial data “1.     Processing by a public authority of data other than sensitive and judicial data shall be permitted, without prejudice to what is provided for by Article 18, paragraph 2, even in the absence of a provision of law or regulation expressly providing for it. 2.     Communication [of the data] by a public entity to other public entities is allowed when provided for by a statute or regulation. In the absence of such a rule, communication is allowed when it is necessary for the performance of institutional duties ... 3.     Communication by a public entity to private persons or public economic entities and dissemination by a public body shall only be allowed when provided for by a statute or regulation.” Article 25 § 1: Prohibition on communication and dissemination “Communication and dissemination are forbidden ..: (b) for purposes other than those indicated in the notification of data processing, where required.” Article 29: Data processor “... 2.     If designated, the processor is chosen from among persons who by virtue of their experience, abilities and reliability, provide an adequate guarantee of full compliance with the provisions in force on data processing, including on security measures. ... 4.     The tasks entrusted to the data processor shall be specified in writing by the data controller. 5.     The processor shall carry out the processing in accordance with the instructions given by the data controller who, by means of periodic monitoring, shall ensure full compliance with the provisions set out in paragraph 2 and with his or her instructions.” Article 30: Persons in charge of data processing “1.     Processing may only be carried out by persons acting under the direct authority of the controller or the processor and in compliance with the instructions received. 2.     The appointment shall be made in writing and shall specify the scope of the processing permitted. The same applies to the documented assignment of the physical person to a unit, for which it is indicated, in writing, the scope of the treatment allowed to operators of that unit.” Article 31: Security obligations “Personal data which are being processed shall be stored and checked, including in relation to knowledge acquired as a result of technical progress, the nature of the data and the specific features of processing, in such a way as to minimise, through the adoption of appropriate and preventive security measures, the risks of the destruction or loss, even accidental, of the data, unauthorised access, unlawful processing or any processing not in accordance with the purposes for which they were collected.” Article 34: Personal data processing carried out by means of IT tools “1.     Personal data processing carried out by means of IT tools is allowed provided that the following minimum measures are implemented, in compliance with the technical regulation included in Annex B [to the present Code]: (a)     digital authentication; (b)     implementation of authentication credentials management procedures; (c)     use of an authorisation system; (d)     periodic updating of the scope of the permitted data processing in relation to each person in charge of processing, managing and maintaining IT tools; (e)     protection of IT tools and data against unlawful data processing, unauthorised access and specific computer programs; (f)     adoption of procedures for storing back-up copies, restoring the availability of data and systems; (g)     maintaining an up-to-date security policy document; ...” Article 39: Reporting obligations “1.     The data controller must communicate in advance to the Data Protection Authority the following events: (a)     communication of personal data by a public entity to another public entity not provided for by a statute or regulation, carried out in any form including by agreement; ... 2.     Processing subject to reporting under paragraph 1 may begin forty-five days after receipt of the communication, unless the Data Protection Authority decides otherwise at a later date.” Processing by police forces ... Article 53: Scope and data-processing controllers “1.     The following Articles of this Code shall not apply to the processing of personal data that is carried out either by the Data Processing Centre at the Public Security Department or by the police in respect of data that are intended to be transferred to that centre under the law, or by other public bodies or public security entities for the purpose of protecting public order and security, or the prevention, detection or suppression of offences as expressly provided for by laws that specifically refer to such processing: (a)     Articles ... 12, ... 18[, 19] ... and ... 39 ...; ... 2.     A decree of the Minister of the Interior ... shall identify processing operations referred to in paragraph 1 carried out using IT tools, and the relevant data controllers.” Article 54: Data-processing methods and data flows “1.     In cases where public security authorities or police forces are permitted, in compliance with statutes or regulations in force, to acquire data, information, deeds and documents from other individuals, that acquisition may also be carried out by means of IT tools. To this end, the bodies or offices concerned may avail themselves of agreements aimed at streamlining consultation, by means of IT tools, public registers, lists, records and databases, in accordance with the related provisions and principles set out in Articles 3 and 11. The Ministry of the Interior issues standard agreements, with the agreement of the Data Protection Authority, and sets out connection and access procedures, with the aim of ensuring selective access only to those data that are necessary for the purposes [of the protection of public order and safety, and the prevention, detection or prosecution of criminal offences]. ... 4.     Police bodies, offices and headquarters periodically verify the requirements under Article 11 including with regard to data processed without using IT tools, and keep them up to date ...” Article 141: Remedies “1.     The person concerned may file with the Data Protection Authority: (a)     a detailed complaint in accordance with Article 142 in order to report an infringement of personal data-processing rules; (b)     where it is not possible to file a detailed complaint within the meaning of letter (a) above, a report requesting an investigation by the Data Protection Authority into whether those rules have been complied with; ...” Article 142: Filing of complaints “1.     Complaints must include a description, as detailed as possible, of the facts and circumstances on the basis of which the complaint is being made, of the provisions allegedly infringed and of the measures requested, as well as the identity of the controller, the processor, if known, and the claimant. ...” Article 143: Complaint procedure “1.     Further to the preliminary investigation, if the complaint is not manifestly ill-founded and the conditions for issuing a decision are met, the Data Protection Authority, even before taking a final decision: (a)     may, before ordering the measures under letter (b) or the prohibition or ban provided in letter (c), invite the data-processing controller ... to stop the behaviour spontaneously; (b)     order the data-processing controller to take appropriate measures or those which are necessary to make the data processing compliant with the regulations in force; (c)     order to stop or prohibit, entirely or in part, data processing which is unlawful or unfair as a result of the failure to adopt the necessary measures under (b), or when, taking account of the nature of the data, the data-processing methods or the effects that those methods may have, there is a concrete risk that a serious prejudice may arise for one or more persons concerned; (d)     may prohibit the data processing of single individuals or categories of individuals in full or in part, which goes against any relevant interest of the community. 2.     The measures under paragraph 1 are to be published in the Official Gazette of the Italian Republic if the addressees are not easily identifiable owing to their number or the complexity of investigations.” Article 152: Standard judicial authorities “1.     A standard judicial authority ( autorità giudiziaria ordinaria ) has jurisdiction to settle all disputes concerning the application of the provisions contained in the present Code, including those relating to the decisions of the Data Protection Authority concerning personal data protection or its failure to issue them. 2.     In order to institute proceedings concerning all disputes mentioned in paragraph 1 above, an appeal shall be lodged with the registry of the court serving the place of residence of the person whose [personal data] are being processed. 3.     The court will decide [a case] sitting in a single-judge composition. ... 12.     In the judgment the judge, also by way of derogation from the prohibition provided by Article 4 of Law no. 2248 of 20 March 1865, annex E), when it is necessary also with regard to a decision taken by the public data-protection controller or processor, grants or rejects the appeal, in whole or in part, prescribes the necessary measures, rules on compensation for damages, if any, and charges the unsuccessful party with the costs of the proceedings. 13.     A judgment is not subject to an appeal on the merits before a second-instance court; however, it may be subject to an appeal on points of law before the Court of Cassation. ...” Article 153: The Data Protection Authority “1.     The Data Protection Authority operates in full autonomy and independence of decision and assessment. 2.     The Data Protection Authority is a collegial body composed of four members, two of which elected by the Chamber of Deputies and two elected by the Senate of the Republic with limited vote. The members are elected from among persons that ensure independence and who are experts with notorious competence in the fields of both law and informatics. ...” Article 154: Tasks “1.     [T]he Data Protection Authority ... has the task of ... (c)     prescribing, including on its own initiative, the necessary or appropriate measures to the data controllers to ensure that processing is in compliance with the provisions in force, within the meaning of Article 143; ...” Article 167: Unlawful data processing “1.     Unless a more serious crime has been committed, a person who, in order to make profit for himself or others or to cause damage to others, processes personal data in violation of the provisions of Articles 18, 19, 23, 123, 126 and 130, or in application of Article 129, shall be sentenced, if the act causes damage, to six to eighteen months’ imprisonment, or, if the act represents data communication or dissemination, to six to twenty-four months’ imprisonment. 2.     Unless a more serious crime has been committed, a person who, in order to make profit for himself or others or to cause damage to others, processes personal data in violation of the provisions of Articles 17, 20, 21, 22 §§ 8 and 11, 25, 26, 27 and 45, shall be sentenced, if the act causes damage, to one to three years’ imprisonment.” Article 169: Security measures “1.     A person who, despite being obliged to do so, fails to take the minimum measures provided in Article 33 shall be sentenced to up to two years’ imprisonment ... 2.     Upon investigation, or in more complex cases also upon an order by the Data Protection Authority, the offender shall be ordered to take measures to regularise the situation within a time-limit not exceeding the period technically necessary to do so, which may be extended either in the event of very complex cases or objective difficulty in completing the task, but which, however should not exceed six months. Sixty days after the deadline, in the event of completion within the time-limit, the Authority may propose to the offender that he or she pay an amount equal to one-quarter of the maximum fine provided for the administrative offence. Completion of the measures imposed and payment of the fine extinguish liability for the offence. ...” “Annex B: Technical regulation on minimum security measures Processing by means of IT tools The following technical procedures are to be adopted by the controller, the processor and the person in charge of processing, where designated, when processing by means of IT tools: Digital authentication 1.     Personal data may be processed by electronic means only if the persons in charge have authentication credentials enabling them to pass an authentication procedure relating to a specific processing operation or set of operations. 2.     Authentication credentials consist of a processor identification code associated with a confidential keyword known only to the processor, or an authentication device in the exclusive possession and use of the processor, possibly associated with an identification code or keyword, or a biometric characteristic of the processor, possibly associated with an identification code or keyword. 3.     Each person in charge of processing shall be individually assigned or associated with one or more authentication credentials. 4.     The instructions given to the persons in charge of processing shall require them to take the necessary precautions to ensure that the confidential component of the credentials is kept secret and the devices in their exclusive possession and use be stored diligently. 5.     When the authentication system provides for it, the password shall consist of at least eight characters or, if the IT tool does not allow it, of the maximum number of characters allowed; it shall not contain references that can be easily traced back to the authorised person and shall be changed by the latter upon first use and at least every six months thereafter. ... 6.     The identification code, where used, may not be assigned to other appointees, even at different times. 7.     Authentication credentials that have not been used for at least six months shall be deactivated, except for those authorised in advance for technical management purposes. 8.     Credentials shall also be deactivated in the event of loss of the authorisation enabling the processor to access personal data. 9.     Instructions shall be given to the processor not to leave the IT tool unattended and accessible during a processing session. ... Authorisation system 12.     An authorisation system shall be used where authorisation profiles of different scopes have been identified for processors. 13.     Authorisation profiles, for each processor or for homogeneous classes of processors, shall be identified and configured before processing begins, so as to limit access only to the data necessary to perform processing operations. 14.     Periodically, and in any event at least annually, the existence of the conditions for maintaining authorisation profiles shall be verified. Other security measures 15.     As part of the periodic update, at least once a year, of the scope of processing allowed to individual processors and persons in charge of the management or maintenance of IT tools, the list of processors may also be drawn up by homogeneous classes of assignment and related authorisation profiles. 16.     Personal data shall be protected against the risk of intrusion and against the action of programs referred to in Article 615-quinquies of the Criminal Code, by means of suitable IT tools to be updated at least once every six months. 17.     Periodic updates of computer programs aimed at preventing the vulnerability of IT tools and at correcting their flaws shall be performed at least annually. ...” Article 2050 of the Civil Code 18 .     Article 2050 of the Civil Code sets out a general duty not to harm others in the performance of “dangerous activities”. Anyone who causes damage is liable to pay compensation unless he or she can prove that he or she took all the appropriate measures to avoid causing harm. Article 615-ter of the Criminal Code (Unlawful access to a computer system) 19.     Article 615- ter of the Criminal Code provides for a punishment of up to three years’ imprisonment for anyone who unlawfully accesses a computer system protected by security measures. A sentence of up to five years may be imposed if the offender is a public officer or a person in charge of a public service convicted of an abuse of power and violating institutional duties. Decree of the Ministry of the Interior of 24 May 2017 20 .     The Decree of the Ministry of the Interior of 24 May 2017 defined the different data-processing activities carried out using IT tools for police purposes referred to in Article 53 § 1 of Legislative Decree no. 196/2003. In its Table 58, it identified data processing by the Revenue Police as follows: “Name: Website ‘Tax Registry for the Revenue Police – ATWeb’ Description of data processing: It allows access to information relating to the entire information base of the Tax Registry and is aimed at combating tax evasion and fraud, in all their manifestations, as well as the performance of economic and financial police duties entrusted to the Revenue Police. Data Controller: Commander-General of the Revenue Police ...” Relevant domestic practice Memorandum no. 262434 of 22 November 2006 21.     Memorandum no. 262434 of 22 November 2006 of the Commander ‑ General of the Revenue Police set out internal supervision mechanisms to ensure that data processing by the Revenue Police complied with the Personal Data Protection Code. 22.     Authorisation to access the Tax Registry was granted to individual officers according to specific “user categories” which restricted access to different levels of information depending on the nature of the tasks they were in charge of. Access was by means of individual passwords and credentials and was registered in order to allow subsequent checks. 23.     Since 1 December 2006, the following new security procedures have been in force: (a)     a pop-up window warning users each time they access the databases that searches are allowed only when related to the fulfilment of their professional duties; (b)     a second pop-up window requiring the officer to select from four options the category of tasks for which access to the databases is sought (judicial and security police activities; economic and financial police activities; activities at the request of external entities; and updating files); (c)     a monthly report made available to department chief officers indicating for each officer the date and time of access and the database consulted; on the basis of these reports the department chief officers can verify that on the registered dates and times the officers were actually carrying out tasks requiring access to the databases; (d)     a second report drawn up on the basis of an algorithm based on statistical parameters of normal use of the databases; on the basis of these reports the department chief officers could check specific instances of access that the report had identified as being out of the ordinary. 24.     Further security procedures were implemented through Memorandum no. 12501 of 26 April 2012, which strengthened the system controlling access indicated above. Circular no. 124501, protocol no. 359578 of 13 December 2013 25.     Circular no. 124501, protocol no. 359578 of 13 December 2013 of the Commander-General of the Revenue Police updated the information technology (IT) rules of the Revenue Police. 26.     It set out supervision mechanisms through monthly analytical reports on access carried out by each officer and quarterly statistical reports on specific searches in the databases that stood out because they significantly deviated from the statistical trends of normal use in access requests. 27.     It set out that authorisation to access ATWeb was granted to all officers already authorised to access the Tax Registry, allowing access to different levels of information depending on the user category. Using ATWeb, officers are allowed access to several databases, including the Taxpayer Information Service database. This contains “all information of fiscal interest concerning any taxpayer (natural or legal person)”. 28.     The Circular established that the officers authorised to access the databases had to comply with the rules set out in Annex B to the Personal Data Protection Code. Memorandum no. 83028 of 23 March 2020 29.     Memorandum no. 83028 of 23 March 2020 of the Commander-General of the Revenue Police updated the IT rules of the Revenue Police in the context of the launch on 2 April 2020 of a new platform to access the databases. 30.     Since the new platform allowed more in-depth investigations, the Memorandum set out that officers should be trained on using it correctly and that department chief officers should carry out meticulous monitoring of their activities. Decisions of the Data Protection Authority on security of access to the Tax Registry 31 .     On 14 December 2007 the Data Protection Authority began, of its own motion, an assessment on the compliance with domestic law on data protection of personal data processing carried out on the Tax Registry. By means of decisions issued in the years 2008 to 2011, it identified several shortcomings in the security of access to personal data and, under Article 154 of Legislative Decree no. 196/2003, ordered the tax authorities to put in place a comprehensive set of technological and administrative measures to enhance access security and to make the data processing compliant with the relevant domestic framework. (a)    Decision of the Data Protection Authority on access carried out by tax authorities for tax-collection purposes 32 .     In a decision of 7 October 2009, the Data Protection Authority identified several shortcomings in the security of access to personal data in the context of tax collection. Responsibility for personal data processing was not clearly identified among tax authorities and the companies carrying out tax collection. Personal data were duplicated and stored in several autonomous databases which resulted in an increased risk of the information being used for purposes other than those for which access had been granted. Tax-collection entities did not set out rules on personal data storage, in particular with regard to searches in the Tax Registry on personal data and data on taxpayers’ property. Several inadequate technological measures exposed the data stored in the Tax Registry to misuse of passwords and credentials. Even though according to the relevant legal framework access to personal data stored in the Tax Registry for collecting purposes was allowed only following formal registration of a case ( iscrizione a ruolo ), searches in the database in relation to case files related to tax collection started before 2005 could be carried out without any need to specify the case-file number in relation to which access was sought. Access-authorisation requests were not managed in a way which ensured the timely updating and revocation of authorisation by tax-collection entities. 33.     The Data Protection Authority found that tax authorities had not put in place adequate audit procedures on access to personal data in the context of tax collection, in particular having regard to the absence of warning mechanisms, risk analysis on access and search tracking. 34 .     The Data Protection Authority ordered the tax authorities to put in place a comprehensive set of measures to redress the identified shortcomings within a time range varying from one to eighteen months depending on the complexity of the measure required. (b)    Decisions of the Data Protection Authority on access carried out by entities other than the tax authorities 35 .     In a decision of 18 September 2008, the Data Protection Authority found that the most serious and urgent issues identified in the context of its assessment of the operation of the Tax Registry concerned the security of access by public and private entities other than the tax authorities ( enti esterni ). The Data Protection Authority observed that approximately ten thousand entities, made up of about seventy-eight thousand users, had access to the Tax Registry by means of several connection systems, on the basis of specific regulations and under the terms of agreements with the tax authorities. 36 .     In this context, it identified several shortcomings in access security including, among others, the following. Tax authorities lacked knowledge of the total number of users having access to the Tax Registry and of their identity. This compromised their ability to monitor whether the users fulfilled the access requirements and thus to avoid unlawful access and misuse of information. Moreover, several agreements between tax authorities and external entities did not state clearly the purposes for which access had been granted. Some entities had authorised users to access the Tax Registry for purposes other than those identified in the agreements. Users did not have to provide reasons for accessing it, which also resulted in the impossibility to subsequently check the legality of the access. Access to personal data in the Tax Registry was not restricted according to the territorial competence of each entity, which therefore had access to personal data across the entire national territory. 37.     The Data Protection Authority identified several inadequate technological measures which exposed the data stored in the Tax Registry to phishing and misuse of passwords and credentials. In some cases, using the same credentials it was possible to carry out simultaneous multiple access from different locations. External entities often assigned the task of managing authorisation to access to the Tax Registry to personnel lacking the professional skills needed to assess authorisation requests and to monitor abuse. Inadequate information concerning former staff’s termination of duties led to a situation where authorisation was not immediately revoked when the user ceased to work for the entity having access to the Tax Registry. In some cases, passwords and credentials were passed on and shared among different individuals and authorisation was granted which exceeded the aims pursued. Some entities carried out massive duplication of personal data and created autonomous databases in breach of the terms of their authorisation to access the Tax Registry. 38.     Moreover, the Data Protection Authority identified in relation to each connection system several specific shortcomings, including the possibility of repeatedly downloading a file containing personal data without registering the downloads after the first time and the possibility of accessing sensitive data concerning deductible charges contained in tax declarations without any checks that the access was actually compliant with the relevant domestic law on sensitive data. 39.     The Data Protection Authority found that tax authorities did not put in place adequate audit procedures on access to personal data by external entities. In relation to some of the connection systems to the Tax Registry, tax authorities did not monitor the activities of local managers, the number of users authorised by them, or their authorisation profiles and access. Local managers did not have tools to periodically and statistically monitor access; nor did they assess periodically that the authorised users still complied with the access requirements. 40.     The Data Protection Authority ordered the tax authorities to put in place a comprehensive set of measures to redress the identified shortcomings within a time range varying from three to twelve months depending on the complexity of the measure required. 41.     In a decision of 26 March 2009, the Data Protection Authority observed that the tax authorities had declared that they had put in place some of the measures ordered in the decision of 18 September 2008 and had requested an extension of the deadline set for several others, including the deadline within which it should have banned all access to the Tax Registry by the entities whose connection systems did not comply with the requirements set out by the Data Protection Authority. The tax authorities specified that agreements with approximately nine thousand entities would not be updated or renegotiated before March 2010 and only at that time would the security measures prescribed by the Data Protection Authority be put in place. The Data Protection Authority granted the request for the extension and ordered new measures to be implemented in the transition period to avoid unlawful access and the misuse of personal data. In particular, it ordered the tax authorities to verify that external entities were carrying out checks that each user still had a valid reason to access the Tax Registry, also in relation to the purposes for which access had been granted in the first place, and banning any access which appeared unjustified under the relevant legal framework. If external entities failed to carry out this assessment, tax authorities were to deactivate the credentials of those entities, other than those of the local managers, and inform them that, in order for those credentials to be reactivated, they would have to demonstrate that each user still had a valid reason to access the Tax Registry. The deadline for this measure was set for 31   July 2009. In a decision of 23 July 2009, upon a request of the tax authorities, the Data Protection Authority extended the deadline to 30   October 2009 in relation to 332 municipalities which had failed to respond to the tax authorities’ request to assess their users’ access to the Tax Registry. 42.     In decisions of 2 July, 17 July, 23 July and 26 November 2009 and 26   March and 2 December 2010, upon requests of the tax authorities, the Data Protection Authority granted extensions of the deadline to put in place security measures in relation to access to the Tax Registry by the National Social Security Institute ( Istituto Nazionale della Previdenza Sociale – “the INPS”), the National Public Service Social Security Institute ( Istituto nazionale di previdenza per i dipendenti dell’amministrazione pubblica – “the INPDAP”), the Authority for the Supervision of Public Contracts regarding Works, Services, and Supplies (Autorità per la vigilanza sui contratti pubblici di lavori, servizi e forniture – “the AVCP”), the National Social Security and Assistance Entity for Show Business Workers ( Ente nazionale di previdenza e di assistenza per i lavoratori dello spettacolo – “the ENPALS”), the Agricultural Fund Agency ( Agenzia per le erogazioni in agricoltura – “the AgEA”), and the chambers of commerce. A new deadline was set for 31 December 2010. 43 .     In decisions of 21 October 2010 and 16 February 2011, upon requests of the tax authorities, the Data Protection Authority granted extensions to the deadline set out in the decision of 18 September 2008 for tax authorities to verify that approximately nine thousand external entities still had a valid reason to access the Tax Registry, also in relation to the number of users having access within each entity, and to ban any access which appeared unjustified under the relevant legal framework. A new deadline was set for 15 April 2011. The Court has not been informed by the parties of any subsequent development. International materials Recommendation No. R (87) 15 of the Committee of Ministers regulating the use of personal data in the police sector 44.     The relevant parts of this Recommendation, adopted by the Committee of Ministers on 17 September 1987, read as follows: Principle 2: Collection of data “2.1.     The collection of personal data for police purposes should be limited to such as is necessary for the prevention of a real danger or the suppression of Citations
Aucune citation répertoriée pour cette décision.
Décisions connexes
Aucune décision similaire identifiée pour le moment.
Synthèse
- Juridiction
- CEDH
- Chambre
- CASELAW;DECISIONS;ADMISSIBILITY;ENG
- Formation
- 4
- Date
- 5 novembre 2024
- Matière
- droits fondamentaux
Référence
ECLI:CE:ECHR:2024:1105DEC002557811
Données disponibles
- Texte intégral