Garante per la protezione dei dati personali (Italy) - 10070330
From GDPRhub
| Garante per la protezione dei dati personali - 10070330 | |
|---|---|
 | |
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 15 GDPR Art. 157 D.Lgs. 196/2003 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.07.2024 |
| Published: | |
| Fine: | 4,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 10070330 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | Garante per la protezione dei dati personali (in IT) |
| Initial Contributor: | elu |
After non-compliance with a patient’s request for access to pictures taken before and after their surgery, the DPA fined a doctor €4,000 for a violation of Article 15 GDPR.
English Summary
Facts
The data subject contacted a doctor, the controller, requesting access to pictures taken before and after their plastic surgery, as provided for under Article 15 GDPR. The controller never responded to such request, thus the data subject filed a complaint with the DPA for the infringement of Article 15 GDPR.
Prior to initiating a procedure against the controller, the Italian DPA requested the controller to comply with the data subject’s request twice and additionally requested specified copy of the information to be provided by the controller to data subjects under Article 13 GDPR.
As the controller did not reply to those requests, the DPA initiated a proceeding and invited the controller to share their defence. Additionally, the DPA again asked the controller to provide the Article 15 GDPR information. The controller did not react to either the invite of sharing their defence or to respond to the access request.
Holding
The DPA established that, by never replying to the multiple requests, the controller maintained a negligent behaviour which violated Article 157 of the Italian Data Protection Code (Codice in materia di protezione dei dati personali).
Thus, the DPA considered the imposition of a fine under Article 83(5) GDPR, and in line with its powers under Article 58 GDPR, appropriate. The Italian DPA considered two elements to determine the fine: the lack of previous violations as per Article 83(2)(e) GDPR and the controller´s non-cooperation as per Article 83(2)(f) GDPR.
On the basis of these two elements, the Italian DPA set a fine of €4.000 .
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10070330] Provision of 17 July 2024 Register of provisions no. 445 of 17 July 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General; HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”); SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (hereinafter “Code”); SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”); SEEN the documentation in the files; SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, web doc. no. 1098801; REPORTER Dr. Agostino Ghiglia; WHEREAS 1. The complaint With note of XX, Mrs. XX, through her lawyer, Mr. XX, complained to this Authority that she had exercised the rights under Articles 15 to 22 of the Regulation against Dr. Roy De Vita (C.F. XX) and that she had not received a response. In particular, the complainant stated that she had exercised the right under art. 15 of the Regulation, since with “certified email communication of XX (…), through his lawyers, he submitted to Dr. De Vita a request pursuant to art. 15 EU Regulation 679/2016 for a certified copy of all the photographs taken of him before and after the rhinoplasty surgery (…); however, Dr. De Vita never responded (…) (to this) request”. 2. The investigation activity Subsequent to this complaint, the Office, with a note of XX (prot. no. XX), sent by certified email to the professional address of the aforementioned doctor, invited the latter, the data controller, to comply - within 20 days of receiving this note - with the complainant's requests pursuant to art. 15 of Regulation no. 1/2019 of the Guarantor for the protection of personal data (web doc. no. 9107633) in a timely and exhaustive manner, requesting, at the same time, the sending of a copy of such response also to the Authority itself at the address protocollo@pec.gpdp.it. After the deadline indicated for the response and having verified that no follow-up was given to the aforementioned invitation, the Office, with a note of XX (prot. no. XX) - sent by certified email to the professional address of the owner - requested from the aforementioned doctor information regarding the reasons for the failure to respond to the request made by the complainant and the invitation to adhere made by the undersigned Authority with the aforementioned note of XX (prot. no. XX), as well as the retention period of the patients' personal data - with regard to the photographs that precede and follow the surgical interventions of competence - and a copy of the information referred to in art. 13 of the Regulation to be provided to patients in relation to the processing of personal data. 3. Assessments of the Department on the processing carried out and notification of the violation pursuant to art. 166, paragraph 5, of the Code Given that the request cited above was not followed by any feedback, having detected this omission through internal checks at the Authority's protocol service, the Office, with a document dated XX (prot. no. XX), notified Dr. Roy De Vita, data controller, on XX - through the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza - of the initiation of the procedure, pursuant to art. 166, paragraph 5, of the Code, aimed at adopting the measures pursuant to art. 58, paragraph 2, of the Regulation; this, for the violation of art. 157 of the Code. This, by inviting the data controller to produce written defenses or documents to the Guarantor, or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, law no. 689 of 24 November 1981). At the same time, again through the aforementioned Guardia di Finanza Unit, the Office reiterated the request for information of XX (ref. no. XX), notifying it on the same date (with a separate accompanying note dated XX (ref. no. XX)). This last notification was also not followed by any response from Dr. De Vita, who did not provide the information requested by the Authority. The Office also took note of the fact that the data controller, with reference to the act of initiation of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the violation of art. 157 of the Code itself, did not avail himself of the right to submit written defenses and/or request to be heard by the Authority, pursuant to art. 166, paragraph 6, of the Code and art. 13 of the Internal Regulation of the Guarantor no. 1/2019. 4. Outcome of the investigation In carrying out the personal data processing activities, the data controllers are required to observe the rules on the protection of personal data, in particular the Regulation and the Code. It is highlighted, in particular, that the Supervisory Authority, within the scope of the tasks and powers attributed by the Regulation, ensures, among other things, the application of the provisions of the aforementioned rules and carries out the appropriate investigations, also on the correct application of the personal data protection regulations by the data controllers (art. 57 par.1, letters a), f) and h) and 58 of the Regulation). To this end, the Authority has the power to order the data controller to provide any information it needs to perform its tasks (Article 58, paragraph 1, letter a), of the Regulation). Article 157 of the Code provides, to this end, that “within the scope of the powers referred to in Article 58 of the Regulation, and for the performance of its tasks, the Guarantor may request the data controller, the data processor, the representative of the data controller or the data processor, the interested party or even third parties to provide information and produce documents also with reference to the content of databases” and that failure to comply with this provision makes the administrative pecuniary sanction provided for by Article 83, paragraph 5 of the Regulation applicable (Article 166, paragraph 2, of the Code). It is noted, with reference to the matter that is the subject of the complaint, that, also in light of the general principles of good practice, efficiency, effectiveness and cost-effectiveness of administrative action (art. 97 of the Constitution, as well as art. 9, paragraph 1 and 10, paragraph 3, of the Internal Regulation of the Guarantor no. 1/2019 of 4 April 2019, web doc. no. 9107633), the omission of the owner has implied the repeated intervention of the Authority in the need to gather useful elements for the assessments and decision of the case. Despite the reiteration of the request of XX made by the aforementioned Guardia di Finanza Unit and notified on XX (note prot. no. XX of XX) - at the professional office of the data controller (as shown in the "Notification Report" of XX present in the documents of the proceeding) - no feedback was received from Dr. Roy De Vita. 5. Conclusions. In light of the above assessments, since none of the cases provided for by art. 11 of the regulation of the Guarantor no. 1/2019 apply, it is established that Dr. Roy De Vita - with reference to the matter in question concerning the failure to respond to the request for information addressed several times to the same doctor - has engaged in an unlawful omission in violation of art. 157 (request for information and production of documents) in relation to art. 166, paragraph 2, of the Code. The violation of this rule, pursuant to art. 166, paragraph 2, of the Code, is subject to the application of the administrative pecuniary sanction pursuant to art. 83, paragraph 5 of the Regulation. Therefore, the Guarantor, pursuant to arts. 58, paragraph 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides, in order to apply the accessory administrative sanction, its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019). The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in Article 83, paragraph 1, of the Regulation. First of all, given that the violations relating to the matter in question fall within the cases listed in Article 83, paragraph 5, of the Regulation, the total amount of the fine is to be quantified up to 20,000,000 euros (so-called “static” statutory maximum). As regards the assessment of the seriousness of the violation (art. 83, par. 2, letters a), b) and g) of the Regulation), it is believed that the level of seriousness is to be considered serious, considering the continuation of the violation determined, with reference to the psychological profile, by the voluntary and intentional omission of the data controller. Dr. De Vita, in fact, not only had not responded to the invitation to join made with a note of XX (prot. no. XX), but, with regard to the violation in question, he did not respond to the request for information formulated with a note of XX (prot. no. XX) and reiterated with a note dated XX (prot. no. XX), notified by the Special Unit for Privacy and Technological Fraud of the Guardia di Finanza on XX, in the hands of the aforementioned doctor (see notification report of XX). In relation to the assessment of the additional elements provided for by art. 83, par. 2 of the Regulation, as aggravating and mitigating circumstances, it is taken into account that: - no measures have previously been adopted against the data controller regarding relevant violations (art. 83, par. 2, letter e) of the Regulation); - the latter did not cooperate with the Authority (Article 83, paragraph 2, letter f) of the Regulation): this omission implied the repeated intervention of the Authority in the need to collect elements useful for the assessments and decision of the case, thus hindering the smooth running, efficiency, effectiveness and cost-effectiveness of the administrative action (Article 97 of the Constitution, as well as Article 9, paragraph 1 and Article 10, paragraph 3, of the Internal Regulation of the Guarantor no. 1/2019 of 4 April 2019, web doc. no. 9107633), On the basis of the aforementioned elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction provided for by Article 83, paragraph 5, of the Regulation, in the amount of EUR 4,000.00 (four thousand/00) for the violation referred to in Article 157 of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive. It is also believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation no. 1/2019 in consideration of the type of violation ascertained which concerned the obligation to respond to requests for information by the Guarantor; Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met. GIVEN ALL THE ABOVE, THE GUARANTOR declares the unlawfulness of the processing of personal data carried out by Dr. Roy De Vita, data controller, for the violation of art. 157 of the Code, in relation to art. 166, paragraph 2, of the Code in the terms set out in the reasons; ORDERS pursuant to art. 58, paragraph 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, the aforementioned data controller to pay the sum of €4,000.00 (four thousand/00) as an administrative pecuniary sanction for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed; ORDERS the aforementioned data controller, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €4,000.00 (four thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981; ORDERS pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, exist. Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 17 July 2024 THE PRESIDENT Stanzione THE REPORTER Ghiglia THE GENERAL SECRETARY Mattei [web doc. no. 10070330] Provision of 17 July 2024 Register of provisions no. 445 of 17 July 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN TODAY’S MEETING, which was attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the councilor Fabio Mattei, general secretary; SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”); SEEN Legislative Decree no. 196 of 30 June 2003, “Code on the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (hereinafter “Code”); HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Data Protection Supervisor, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Data Protection Supervisor Regulation no. 1/2019”); HAVING SEEN the documentation in the files; HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Data Protection Supervisor Regulation no. 1/2000 on the organization and functioning of the office of the Data Protection Supervisor, in www.gpdp.it, web doc. no. 1098801; REPORTER Dr. Agostino Ghiglia; WHEREAS 1. The complaint With note of XX, Mrs. XX, through her lawyer, Mr. XX, complained to this Authority that she had exercised the rights under Articles 15 to 22 of the Regulation against Dr. Roy De Vita (C.F. XX) and that she had not received a response. In particular, the complainant stated that she had exercised the right under Article 15 of the Regulation, since with “certified email communication of XX (…), through her lawyers, she submitted to Dr. De Vita a request pursuant to Article 15 of EU Regulation 679/2016 for a certified copy of all the photographs taken of her before and after the rhinoplasty surgery (…); however, Dr. De Vita never responded (…) (to this) request”. 2. The investigation activity Subsequently to this complaint, the Office, with a note of XX (prot. no. XX), sent by certified email to the professional address of the aforementioned doctor, invited the latter, the data controller, to adhere - within 20 days of receiving this note - to the requests of the complainant pursuant to art. 15 of Regulation no. 1/2019 of the Guarantor for the protection of personal data (web doc. no. 9107633) in a timely and exhaustive manner, requesting, at the same time, that a copy of this response also be sent to the Authority itself at the address protocollo@pec.gpdp.it. After the deadline indicated for the response and having verified that no follow-up was given to the aforementioned invitation, the Office, with a note of XX (prot. no. XX) - sent by certified email to the professional address of the owner - requested from the aforementioned doctor information regarding the reasons for the failure to respond to the request made by the complainant and the invitation to adhere made by the undersigned Authority with the aforementioned note of XX (prot. no. XX), as well as the period of retention of the patients' personal data - with regard to the photographs that precede and follow the surgical interventions of competence - and a copy of the information pursuant to art. 13 of the Regulation to be provided to patients in relation to the processing of personal data. 3. Assessments of the Department on the processing carried out and notification of the violation pursuant to art. 166, paragraph 5, of the Code Given that the request cited above was not followed by any response, having detected this omission through internal checks at the Authority's protocol service, the Office, with a document dated XX (prot. no. XX), notified Dr. Roy De Vita, data controller, on XX - through the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza - of the initiation of the procedure, pursuant to art. 166, paragraph 5, of the Code, aimed at adopting the measures pursuant to art. 58, par. 2, of the Regulation; this, for the violation of art. 157 of the Code. This, by inviting the data controller to produce written defenses or documents to the Guarantor, or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, law no. 689 of 24 November 1981). At the same time, again through the aforementioned Guardia di Finanza Unit, the Office reiterated the request for information of XX (ref. no. XX), notifying it on the same date (with a separate accompanying note dated XX (ref. no. XX)). This last notification was also not followed by any response from Dr. De Vita, who did not provide the information requested by the Authority. The Office also noted that the owner, with reference to the act of initiation of the proceeding, pursuant to art. 166, paragraph 5, of the Code, for the violation of art. 157 of the same Code, did not avail himself of the right to present written defenses and/or request to be heard by the Authority, pursuant to art. 166, paragraph 6, of the Code and art. 13 of the Internal Regulation of the Guarantor no. 1/2019. 4. Outcome of the investigation activity In the context of carrying out the personal data processing activities, the owners are required to observe the rules on the protection of personal data, in particular the Regulation and the Code. It is highlighted, in particular, that the Supervisory Authority, within the scope of the tasks and powers attributed by the Regulation, ensures, among other things, the application of the provisions of the aforementioned rules and carries out the appropriate investigations, including on the correct application of the personal data protection regulations by the controllers (art. 57 par. 1, letter a), f) and h) and 58 of the Regulation). To this end, the Authority has the power to order the controller to provide any information it needs for the performance of its tasks (art. 58 par. 1, letter a), of the Regulation). Art. 157 of the Code provides, to this end, that "within the scope of the powers referred to in Article 58 of the Regulation, and for the performance of its duties, the Guarantor may request the owner, the person in charge, the representative of the owner or the person in charge, the interested party or even third parties to provide information and to exhibit documents also with reference to the content of databases" and that failure to comply with this provision makes the administrative pecuniary sanction provided for by Article 83, paragraph 5 of the Regulation applicable (Article 166, paragraph 2, of the Code). It is noted, with reference to the matter that is the subject of the complaint, that, also in light of the general principles of good practice, efficiency, effectiveness and cost-effectiveness of administrative action (art. 97 of the Constitution, as well as art. 9, paragraph 1 and 10, paragraph 3, of the Internal Regulation of the Guarantor no. 1/2019 of 4 April 2019, web doc. no. 9107633), the omission of the owner has implied the repeated intervention of the Authority in the need to gather useful elements for the assessments and decision of the case. Despite the reiteration of the request of XX made by the aforementioned Guardia di Finanza Unit and notified on XX (note prot. no. XX of XX) - at the professional office of the data controller (as shown in the "Notification Report" of XX present in the documents of the proceeding) - no feedback was received from Dr. Roy De Vita. 5. Conclusions. In light of the above assessments, since none of the cases provided for by art. 11 of the regulation of the Guarantor no. 1/2019 apply, it is established that Dr. Roy De Vita - with reference to the matter in question concerning the failure to respond to the request for information addressed several times to the same doctor - has engaged in an unlawful omission in violation of art. 157 (request for information and production of documents) in relation to art. 166, paragraph 2, of the Code. The violation of this rule, pursuant to art. 166, paragraph 2, of the Code, is subject to the application of the administrative pecuniary sanction pursuant to art. 83, paragraph 5 of the Regulation. Therefore, the Guarantor, pursuant to arts. 58, paragraph 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides, in order to apply the accessory administrative sanction, its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019). The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in Article 83, paragraph 1, of the Regulation. First of all, given that the violations relating to the matter in question fall within the cases listed in art. 83, par. 5, of the Regulation, the total amount of the fine is to be quantified up to 20,000,000 euros (so-called “static” maximum). With regard to the assessment of the seriousness of the violation (art. 83, par. 2, letters a), b) and g) of the Regulation), it is believed that the level of seriousness is to be considered serious, given the continuation of the violation determined, with reference to the psychological profile, by the voluntary and intentional omission of the data controller. Dr. In fact, De Vita not only had not responded to the invitation to join made with note of XX (prot. no. XX), but, with regard to the violation in question, he had not responded to the request for information formulated with note of XX (prot. no. XX) and reiterated with note dated XX (prot. no. XX), notified by the Special Unit for Privacy and Technological Fraud of the Guardia di Finanza on XX, in the hands of the aforementioned doctor (see notification report of XX). In relation to the assessment of the additional elements provided for by art. 83, par. 2 of the Regulation, such as aggravating and mitigating circumstances, it is taken into account that: - no measures have previously been adopted against the data controller regarding relevant violations (art. 83, par. 2, letter e) of the Regulation); - the latter did not cooperate with the Authority (Article 83, paragraph 2, letter f) of the Regulation): this omission implied the repeated intervention of the Authority in the need to collect elements useful for the assessments and decision of the case, thus hindering the smooth running, efficiency, effectiveness and cost-effectiveness of the administrative action (Article 97 of the Constitution, as well as Article 9, paragraph 1 and Article 10, paragraph 3, of the Internal Regulation of the Guarantor no. 1/2019 of 4 April 2019, web doc. no. 9107633), On the basis of the aforementioned elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction provided for by Article 83, paragraph 5, of the Regulation, in the amount of EUR 4,000.00 (four thousand/00) for the violation referred to in Article 157 of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive. It is also believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation no. 1/2019 in consideration of the type of violation ascertained which concerned the obligation to respond to requests for information by the Guarantor; Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met. GIVEN ALL THE ABOVE, THE GUARANTOR declares the unlawfulness of the processing of personal data carried out by Dr. Roy De Vita, data controller, for the violation of art. 157 of the Code, in relation to art. 166, paragraph 2, of the Code in the terms set out in the reasons; ORDERS pursuant to art. 58, paragraph 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, the aforementioned data controller to pay the sum of €4,000.00 (four thousand/00) as an administrative pecuniary sanction for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed; ORDERS the aforementioned data controller, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €4,000.00 (four thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981; ORDERS pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, exist. Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 17 July 2024 THE PRESIDENT Stanzione THE REPORTER Ghiglia THE GENERAL SECRETARY Mattei
