Garante per la protezione dei dati personali (Italy) - 10013391
Garante per la protezione dei dati personali - 10013391 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 37(1) GDPR Article 37(7) GDPR Article 38(2) GDPR Article 38(6) GDPR Article 17 of Regulation No. 1/2019 Provisions n. 186 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 11.04.2024 |
Fine: | 6,000 EUR |
Parties: | n/a |
National Case Number/Name: | 10013391 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Garante per la protezione dei dati personali (in IT) |
Initial Contributor: | Ligialagev |
The DPA fined a public authority €6,000 after it failed to publish the contact details of the DPO on its website.
English Summary
Facts
The DPA checked the institutional website of the public administration (the "Controller") and found that the DPO's contact details could not be located there. In addition, the Controller had not communicated the DPO's contact details to the DPA through the channel dedicated to that purpose.
Therefore, the investigations carried out found no evidence of the appointment of the DPO by the Controller.
The DPA notified the Controller, on the basis of Article 58(2) GDPR, of the failure to publish the DPO's contact details and communicate them to the Authority, and of the lack of proof that a DPO had been designated, in violation of Article 37(1) and Article 37(7) GDPR.
The Controller submitted its defence, stating, among other things, that:
- An employee of the Entity was designated DPO but, besides the DPO role itself, held (and still holds) other professional roles, such as head of several services within the Entity (Secretariat of the Director of Sector I, Assistance to the Bodies, Information Systems, Tourism and ultimately the Legal Service);
- The DPO's contact details had been on display on the Controller's website and on Transparent Administration since before the notification was received;
- The Controller informed the DPA of the DPO's contact details immediately after receiving the notification;
- The nominated DPO fulfilled their duties before and after their referral, and they also produced two courses on data protection.
Holding
In the DPA's analysis, it was observed that the nominated DPO was already responsible for numerous roles, having previously held positions such as the Secretariat of the manager of Sector I, Assistance to the Bodies, Information Systems, Tourism, and Legal Service. This overlap of responsibilities was likely to hinder the DPO's effectiveness due to the limited time available to fulfill the necessary duties associated with the position. Furthermore, these pre-existing roles could potentially lead to conflicts of interest, as they involved decision-making responsibilities regarding the purposes or methods of processing personal data, which would constitute a violation of Article 38(6) GDPR.
The Controller responded by outlining the challenges inherent in the organisational structure of the Entity and the utilization of available resources. It was argued that human resources and time constraints had been considered and that the conflict of interest was assessed, concluding that the employee could indeed be designated as the DPO. Additionally, the Controller noted that a temporary external DPO had been appointed due to the lack of feasible internal candidates other than the one already proposed.
Upon reviewing the defence material, the DPA issued its decision, identifying several key points. First, there was a failure to designate the DPO in accordance with Article 37(1) GDPR. Second, there was a delay in publishing and communicating the DPO's contact details to the DPA, violating Article 37(7) GDPR. Third, the appointed DPO, who held multiple positions, lacked the necessary resources, particularly time, and was potentially in a conflict of interest situation, violating Article 38(2) GDPR and Article 38(6) GDPR.
The DPA highlighted that the failure to appoint and provide the DPO's contact details deprived the Controller of a crucial figure for ensuring GDPR compliance and held back the DPA's ability to contact the DPO directly. Although the Controller's efforts to rectify the situation by publishing and communicating the DPO's contact details were acknowledged, these actions were insufficient to mitigate the violations. Consequently, a pecuniary sanction of €6,000 was imposed for violations of Article 37(1) GDPR, Article 37(7) GDPR, Article 38(2) GDPR and Article 38(6) GDPR in line with Article 83(1) GDPR, ensuring the penalty was effective, proportionate, and dissuasive.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web no. 10013391]
Provision of 11 April 2024
Register of measures n. 199 of 11 April
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the councilor Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);
HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);
GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette n. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);
HAVING SEEN the documentation in the documents;
GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;
Speaker Dr. Agostino Ghiglia;
PREMISE
1. Introduction.
Based on a check carried out by the Authority on the institutional website of the Free Municipal Consortium of Enna (hereinafter, the "Consortium"), it was not possible to find the contact details of the Personal Data Protection Officer (hereinafter, the "RPD"), nor does it appear that this Consortium has communicated the contact details of the RPD to the Authority, in relation to whose fulfillment it has made a specific dedicated channel available (available on the page https://servizi.gpdp.it/communicationrpd/s/). Therefore, from the investigations carried out, no elements capable of proving the designation of the DPO by the Consortium were found.
2. The preliminary investigation activity
With note dated XX (prot. n. XX), the Office, based on the checks carried out, notified the Consortium, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, in relation to the failure to publish and communicate the contact details of the DPO to this Authority, and, more generally, as it is not proven that he actually designated the DPO, in violation of the art. 37 (paragraphs 1 and 7) of the Regulation, with the simultaneous invitation to produce defensive writings or documents or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, from law 24 November 1981, n.
With note dated XX (prot. n. XX), the Consortium presented its defense brief, together with some annexes, including an internal report drawn up by the same DPO declaring, among other things, that:
- with determination of the Extraordinary Commissioner n. X of the XX was designated "Mr. XX, employee of the Institution, Responsible for the protection of personal data", who "also held and still holds the role of manager of various Services within the Institution (Secretariat of the Manager of Sector I, Assistance to Bodies, IT Systems, Tourism and finally the Legal Service)”;
- "the contact details of the DPO have been displayed, since before the note from the Guarantor was received, on the Institution's website and on Agenzia Trasparente", producing, in this regard, the screenshots of the institutional website where such information would be available. It is subsequently specified that "The Guarantor's note indicated the need to further increase the visibility of the matter in question and therefore, having immediately adopted the Authority's indication, steps were taken to add to the exposition indicated above and already in place, another publication, made uniform, immediately bearing all the references and all the contact details [...], accessible directly from the home page and easily recognisable";
- regarding the failure to communicate the DPO's contact details to the Guarantor, "the Entity was found to be missing until the Guarantor's note. The DPO informed [...] that he did so immediately after its arrival, according to the prescribed procedure, producing proof and this was also verified";
- "in the period of adoption of the final act of designation of the DPO and of the deliveries in said act arranged at his expense (XX), including the communication to the Guarantor [...] the person in charge - already responsible for various services and recently also responsible for "general and institutional affairs - assistance to the Bodies" - had to deal with the establishment of a political collegial body (Assembly of Mayors), called "suddenly" to carry out active deliberative functions by a regional law of the previous December […] with a provision which, among other things, marked a tight execution timetable”;
- "testifies, in fact, in favor of the DPO (in charge of communicating his data to the Guarantor), the introduction of a specific objective in the XX Performance Plan, regarding Privacy, [...] to complete the realignment of all the internal regulations in on the Protection of Personal Data started in January 20th, on his initiative and even before his appointment as DPO [...] and it should also be noted that said final act was proposed by the DPO within a period during which - due to external facts and dynamics aggravated by the lack of immediately requestable personnel - the same RPD person was also entrusted, in consideration of the state of affairs and the evident general difficulties, with the further task of assuming the administrative responsibility of the legal service";
- "the impetus activity of the RPD should also be mentioned, with the planning, by the same, during the 20th century, of two training courses on the protection of personal data";
- “the person in charge has fulfilled his duties as DPO in substantial and effective terms before and after his appointment, and has also simultaneously faced, in addition to the Services entrusted to him on a permanent basis, new demanding tasks whose consistency was not foreseen (nor what they had entailed in terms of commitment, including hourly, for several months continuously): he failed in the most neutral activity among those carried out, although important and necessary, that is, the communication of his data to the Guarantor, which was indeed carried out with the delay indicated above";
- “Dr. XX, in his capacity as head of the IT systems service, on XX proposed the repeal of the Regulation for the processing of information (adopted with resolution of the Provincial Council no. XX), subsequently approved by the Extraordinary Commissioner".
From the declarations made in the memoirs referred to above, it emerged that the Consortium, in appointing Dr. XX as DPO, has entrusted this task to a person who, due to the additional tasks incumbent on him and the obligations he was called upon to carry out in that particular period (such as those connected to the establishment, regulation and functioning of the Assembly of Mayors), was not in possession of the necessary resources, in relation to the reference context, even in terms of time, to be able to best carry out the functions that the Regulation assigns to the DPO.
Furthermore, Dr. XX, precisely in his capacity as holder of the functions of manager of various services that make up the administrative apparatus of the Consortium (i.e. those of the Secretariat of the manager of Sector I, Assistance to the Bodies, IT Systems, Tourism and the Service legal), was in the position of exercising functions that could potentially give rise to a conflict of interest with those of RPD, since in these capacities he assumed a role that involved defining the purposes or methods of the processing of personal data.
For these reasons, with note dated XX (prot. n. XX), the Office, on the basis of the elements acquired and the checks carried out, notified the Consortium, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, for having designated a DPO who is simultaneously the holder of other tasks and functions that may give rise to a conflict of interests, in violation of the art. 38 (pars. 2 and 6) of the Regulation.
With the same note, the Consortium was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of law 24 November 1981, n. 689).
With note dated XX (prot. n. XX), the Consortium presented its defense statement, together with some annexes, in which it provided elements regarding the difficulties inherent to the organizational structure of the Institution and the use of the resources available, and declared, among other things, that:
- “for the purposes of identifying Mr. XX as DPO, the above was considered, i.e. the entire Structure of the Institution with its resources and with its organization and list of deliveries, including - to Service 6 of Sector I - precisely that relating to Privacy in the terms reported by the local regulation [...] other aspects were also evaluated, sifting through the indications available at the time in the specialist literature, primarily those coming from the Guarantor: the human resources and time available were evaluated, the characteristics that the employment contract should have, and also of the conflict of interest as it was read in the research; it was also considered to confer a position externally, but also not to expose oneself to treasury liability if the internal investigation had led to the assumption, as it seemed, of the possibility of appointing him internally;
- in light of the reference context, it was considered, "taking into account the small size of the organization and its organisation, that Mr. XX could take on the role of DPO, because he was equipped, in convergent terms, with skills gained in the matter, with time available (for the concrete emptying, gradually over the years, of a large part of the deliveries legally foreseen in the assigned services); of human resources dedicated to its support; of autonomy and independence in the role of DPO in compliance with the provisions of the general regulation and, at the same time, extraneous to the standard hypotheses potentially suitable for creating a "conflict of interest" for the reasons expressed above, examined in concrete terms, (on the basis of the organizational structure, its size and the human resources available, as well as its work contents in terms of actual entrusted and active deliveries), as well as lacking decision-making, top management and/or delegations of managerial functions, as well as autonomy and independence for all other tasks other than the role of DPO";
- "the Institution's assessment of the identification of Mr. XX as DPO, in the XX, was not accidental but the result of a reading that tried to reconcile the organization of the Institution, the human resources available among those NOT with part-time contracts (among which the Guarantor considers it preferable not having to draw upon), NOT assigned to deliveries considered sensitive by the Guarantor for the purposes of conflict of interest, NOT with profiles lower than that of manager/official (as indicated by the Guarantor) and, also, with skills, space, time and support of human resources, in quantity and quality deemed suitable to be able to carry out the RPD functions as expected for them;
- "on the second profile, the one deeming the existence of a conflict of interest (violation no. 2), it is also considered worthy of being overcome.
It seems clear, first of all, that many substantial elements of the defense have already been made above, dealing with the context and consistencies of the deliveries which powerfully inform the topic under discussion. Here too it was necessary to represent a concrete case, otherwise unfindable, to highlight first of all that Mr. XX cannot, legally and effectively, "intervene" in a direct, autonomous and independent manner on the Privacy system, except as DPO [...]. And from reading the DPO's report [...], in the part in which it reports what the credit released by Mr. XX proposed the repeal of the Regulation for the processing of information, it seems necessary to underline the consistency of the proposal and the act, for two evident and shared profiles, substantially already traced by the DPO in his own reporting document";
- "it was deemed that there was no "conflict of interest" for Mr. XX: if already the standard hypotheses of conflict of interest in relation to the tasks ordinarily carried out, as outlined by the Guarantor, can, with prudence, be waived in small entities, the danger is weakened and the conflict can arise even less if - in same small context - are attributed to a subject who does not deal with sentinel matters (personnel, accounting, anti-corruption) and who does not have, by law, decision-making power, power to adopt or modify acts, delegated powers, to which it is added that it is the same organizational and hierarchical structure of the Entity, among other things, outlined in compliance with specific legal provisions, which excludes in re ipsa, in the organizational context in which the undersigned Administration operates, the "possibility" of conflict of interest between the in charge of the XX of some Services, and his role as DPO [...] in the absolute good faith and trust of having correctly read and interpreted";
- "it must be added, for completeness and substance, as already referred to in XX's defence, that the critical issues noted do not appear to have been complained about by users, but above all they do not appear to have exposed anyone, external or internal to the organisation, to limitations in protection of one's personal data and/or damage of any kind, with the latter, more generally, not appearing to have been caused or produced, in any other capacity".
With note dated XX (protocol no. XX), the Consortium presented the additional memos with particular reference to the initiatives adopted or intends to adopt in order to ensure compliance with the obligations set out in the Regulation, specifying, in particular, that, "even though the Entity is confident that it has acted well and that it is not at fault, it has been decided - in order to sterilize any doubts and possible perplexities of the Guarantor regarding the current and the same resolution being approached - to temporarily outsource the role of DPO, as the state lacks any internal alternative to the one already arranged and in place".
3. Outcome of the preliminary investigation.
The processing of personal data by public entities must take place in compliance with the provisions of the regulations regarding the protection of personal data, with particular reference to art. 37, par. 1, letter a), and 7, to the art. 38, par. 2 and 6, and art. 39, par. 1, letter a), of the Regulation, also taking into account the cons. 97.
Also in the "Guidelines on data protection officers (DPOs)", adopted by the Article 29 Working Party on the protection of personal data on 13 December 2016 and amended on 5 April 2017, it is provided that:
- “Article 37, seventh paragraph, of the GDPR requires the controller or processor to publish the contact details of the DPO, and to communicate the contact details of the DPO to the relevant supervisory authorities. These provisions aim to ensure that both data subjects (inside or outside the owner or responsible entity/body) and the supervisory authorities can contact the DPO easily and directly without having to contact another structure operating at the owner/manager” (para. 2.6);
- "among the resources to be assigned to the DPO there is sufficient time to carry out the tasks entrusted to the DPO. […] Otherwise, the risk is that the activities to which the DPO is called end up being neglected due to conflicts with other priorities. It is essential to have sufficient time to dedicate to carrying out the tasks envisaged for the DPO", as "The "data protection" function must be able to operate efficiently and rely on sufficient resources in proportion to the processing carried out" (para. 3.2);
- “the absence of conflicts of interest is strictly connected to the independence obligations. Although a DPO may perform other functions, the assignment of such additional tasks and functions is only possible provided that they do not give rise to conflicts of interest. This means, in particular, that a DPO cannot hold, within the organization of the data controller or processor, a role that involves defining the purposes or methods of processing personal data. This is an element to be taken into consideration on a case-by-case basis by looking at the specific organizational structure of the individual data controller or data processor.
Broadly speaking, conflict situations may exist within the organization of the data controller or data processor regarding top managerial roles (CEO, operations manager, finance manager, healthcare manager, marketing management, human resources management, IT manager), but also with respect to hierarchically lower positions if the latter involve determining the purposes or means of the processing" (para. 3.5).
Finally, it is recalled that the "Guideline document on the designation, position and duties of the Data Protection Officer (DPO) in the public sector", adopted by the Guarantor on 29 April 2021 with provision no. 186 (web doc. no. 9589104), specifies that:
- "However, the DPO must not be assigned tasks which are the responsibility of the data controller and which go beyond the consultancy, surveillance and, more generally, consultation activities established by the art. 39 of the Regulation - as well as, possibly, keeping the register of processing activities referred to in the art. 30 of the Regulation (see the WP29 Guidelines, par. 4.5, pp. 24-25). While recognizing that the tasks listed therein constitute only an illustrative representation, the fact remains that the DPO cannot be called upon to carry out, personally, activities which, according to the Regulation, are the responsibility of the owner/manager, under penalty of application of an administrative sanction in case of violation" (para. 8);
- “In the WP29 Guidelines and in the Guarantor's FAQ, situations of conflict of interest have already been indicated in relation to top managerial roles such as those, among others, of “[…] financial manager […] human resources management, manager IT”, “responsible for corruption prevention and transparency” or “responsible for information systems [...] or that of the Statistics Office”.
In any case, the same Guidelines specify that the investigation must be carried out "on a case-by-case basis looking at the specific organizational structure of the individual data controller or data processor": this means that only the concrete examination of each individual reality - considering elements such as the size of the entity, the resources available, the complexity of the structure, the types of processing carried out, the quality and quantity of the data processed, etc. – may lead to a definitive assessment of whether or not causes of incompatibility exist. This assessment, in any case, must be provided by the data controller, also on the basis of suitable documentation, by virtue of the principle of accountability referred to in the articles 5, par. 2, and 24 of the Regulation. That said, with regard to positions of a monocratic nature (such as those of managers directly involved in treatments, or even top management of the organisation), the conflict of interests often becomes evident ictu oculi, and it is difficult to prove, on the part of the data controller, that the same person who determines the processing falling within its sector has the necessary independence to exercise, in a correct, transparent and impartial manner, those supervisory tasks on compliance with the regulations and on the data controller's policies regarding protection of personal data, provided for by the art. 39, par. 1, letter b), of the Regulation.
It can certainly be stated that there is a conflict of interest in relation to the roles already mentioned (such as the human resources or accounting management, the IT manager or the person responsible for corruption prevention and transparency), as these are sectors in which data processing personal data are certain and transversal to the entire administration, as well as significant in terms of quantity and quality of the personal data processed, as well as risks to the fundamental rights and freedoms of the interested parties" (para. 10.1).
In this case, with reference to the specific findings made in the initiation of the procedure aimed at adopting corrective measures, in relation to what was argued by the Consortium, the following is observed:
- it is established in documents that the designation of the DPO took place only in the 20th century, therefore more than three and a half years after the entry into force of the Regulation which, in art. 37, par. 1, letter a), imposes this obligation on public entities - including the Consortium -, therefore leading to a violation of the aforementioned art. 37, par. 1, of the Regulation;
- it is also established in the documents that the Consortium communicated the contact details of the DPO to the Authority only on XX (therefore, more than one year after the designation of the same), i.e. following the sending of the note by the Authority itself, with which the aforementioned failure was contested. With reference, however, to the profile of the omitted publication, the screen shots produced by the Consortium attached to the defense documents do not demonstrate the actual display of the contact details of the DPO, as they show the deed of designation (which does not contain the data contact details), in which Dr. XX's references are indicated in the context of "Administrative Secretariat Office - Head of the Legal and Litigation Service" (but without any mention of the role of DPO) and the documentation drawn up by the Entity as part of the obligations related to the regulations on anti-corruption and transparency: however, none of this content makes the DPO's contact details clearly intelligible to the user, so much so that the Consortium subsequently dedicated a specific web page containing this information, which can be accessed from the site's homepage. Therefore, the omissions described entail the violation of the art. 37, par. 7, of the Regulation;
- the assignment of the role of DPO to a person who already holds other roles as manager of multiple services of an administration - such as, in this case, that of "responsible for various services within the organization (Secretariat of Manager of Sector I, Assistance to Bodies, IT Systems, Tourism and finally of the Legal Service)" - involves the possibility that the person in question does not fulfill the tasks that the Regulation assigns to the DPO in a full, effective and completely autonomous manner, due to the absence of the necessary resources, especially in terms of time, and the exercise of functions which have given or in any case could have given rise to a conflict of interests, thus leading to the violation of the art. 38, par. 2 and 6 of the Regulation.
4. Conclusions.
In light of the assessments mentioned above, it is noted that the declarations made by the Consortium during the investigation ˗ the truthfulness of which one may be called upon to respond to pursuant to art. 168 of the Code ˗ although worthy of consideration in terms of understanding the context and defining the degree of responsibility, they do not allow us to overcome the findings notified by the Office with the initiation of the procedure and are insufficient to allow the archiving of this procedure, as none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.
The preliminary assessments of the Office are therefore confirmed and the following are noted:
- the failure to designate the DPO until XX, in violation of the art. 37, par. 1, of the Regulation;
- the late publication and communication of the DPO's contact details to the Authority, in violation of the art. 37, par. 7, of the Regulation;
- the identification, as DPO, of a Consortium employee who, while also holding other roles, did not have the necessary resources, especially in terms of time, and could potentially find himself in a position of conflict of interest, in violation of the art. 38, par. 2 and 6 of the Regulation.
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
In this regard, in this case, the violation of the cited provision is subject to the application of the pecuniary administrative sanction provided for by the art. 83, par. 4, of the Regulation, which the Guarantor has the power to inflict pursuant to articles 58, par. 2, letter i), and 83 of the same Regulation as well as art. 166 of the Code.
The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by the art. 83, par. 2, of the Regulation, in relation to which the following is observed.
The failure to designate until the month of XX and the failure to communicate the contact details of the DPO has deprived the Consortium of a mandatory and essential figure to ensure compliance with the Regulation, also negatively impacting the possibility that the Authority could contact the DPO easily and directly.
On the other hand, it is noted that the Consortium took action to remedy the violation and mitigate its possible negative effects, publishing and communicating the contact details of the DPO to the Authority, following the initiation of the procedure, and appointing a new RPD who was not in the conditions in which the previous one was, and that there are no previous relevant violations committed or previous measures referred to in the art. 58 of the Regulation. The negligent nature of the violation is also noted. On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction, in the amount of 6,000 (six thousand) euros for the violation of the articles. 37, par. 1 and 7, and 38, pars. 2 and 6 of the Regulation as a pecuniary administrative sanction deemed pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive. It is also believed that the accessory sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, as it concerns the failure to comply with a requirement that has become mandatory for more than five years. Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. ALL THIS CONSIDERING THE GUARANTOR the illegality of the conduct carried out by the Free Municipal Consortium of Enna was noted, described in the terms set out in the motivation, consisting in the violation of the articles. 37, par. 1 and 7, and 38, pars. 2 and 6 of the Regulation; ORDER to the Free Municipal Consortium of Enna, with headquarters in Piazza Garibaldi, n. 2, 94100 - CF 80000810863 - pursuant to articles. 58, par. 2, letter. i), and 83, par. 5, of the Regulation and art. 
166, paragraph 2, of the Code, to pay the sum of 6,000 (six thousand) euros as a pecuniary administrative sanction for the violations indicated in the reasoning;

ORDERS the Free Municipal Consortium of Enna to pay the sum of 6,000 (six thousand) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with art. 27 of law n. 689/1981. In this regard, please note that the violator retains the right to settle the dispute through the payment - always according to the methods indicated in the annex - of an amount equal to half of the sanction imposed, within 30 days from the date of notification of this provision, pursuant to art. 166, paragraph 8, of the Code (see also art. 10, paragraph 3, of Legislative Decree no. 150 of 1/9/2011);

PROVIDES FOR the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code, and the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, of violations and measures adopted in compliance with art. 58, par. 2, of the Regulation.

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Messina, 11 April 2024

PRESIDENT Stanzione
THE SPEAKER Ghiglia
THE GENERAL SECRETARY Mattei