Garante per la protezione dei dati personali (Italy) - 10079346
| Garante per la protezione dei dati personali - 10079346 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(c) GDPR; Article 5(1)(f) GDPR; Article 25 GDPR; Article 32 GDPR; Article 157 Italian Privacy Code; Article 166 Italian Privacy Code; Article 22(11) Legislative Decree of 10 August 2018 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 26.09.2024 |
| Published: | |
| Fine: | 17,000 EUR |
| Parties: | AST Ascoli Piceno |
| National Case Number/Name: | 10079346 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | Garante (in IT) |
| Initial Contributor: | elu |
The DPA fined a Health Agency €17,000 after it provided the data subject's employer with a sick note disclosing the specific hospital wards the data subject was treated in, thus violating the principle of data minimisation.
English Summary
Facts
The data subject lodged a complaint against the Territorial Health Agency of Ascoli Piceno (in Italian: AST Ascoli Piceno), the controller, which had given the data subject's employer a certificate of absence naming the hospital wards where she had her check-up. This disclosed to the employer which kind of examinations she had received, so her attempt to keep this information from her employer was futile.
The DPA requested information relating to the data subject from the controller under Article 157 of the Italian Privacy Code (Codice in materia di protezione dei dati personali), but never received a reply.
Holding
After the controller failed to reply to its request, the DPA opened formal proceedings under Article 166(5) of the Italian Privacy Code (Codice in materia di protezione dei dati personali).
The DPA began its analysis by finding that the controller had violated Articles 5(1)(c) and (f) GDPR, as well as Articles 25 and 32 GDPR, by naming the hospital wards where the data subject had her medical examinations.
The DPA further reiterated that healthcare agencies are required to put in place specific procedures to prevent third parties from linking the data subject to a particular hospital ward, as per Article 22(11) Legislative Decree of 10 August 2018 (Decreto Legislativo 10 agosto 2018, n. 101). Moreover, the DPA had already explained in an earlier decision that no data about the healthcare facility or the prescribed visit may appear in any document given to the data subject to certify their presence in the hospital or to justify an absence from work.
Therefore, also in light of the clear requirements laid out in the DPA's previous recommendations and decisions on the processing of health data by health agencies, the DPA deemed it appropriate to impose a €17,000 fine on the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10079346]

Provision of 26 September 2024

Register of provisions no. 581 of 26 September 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (hereinafter “Code”);

HAVING SEEN Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”;

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and on www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

RAPPORTEUR Prof. Pasquale Stanzione;

WHEREAS

1. The complaint and the investigation activity

On XX, Mrs. XX filed a complaint, accompanied by specific documentation, in which she complained that the Territorial Health Authority of Ascoli Piceno, hereinafter “the Company”, had provided “the user who requests it with a certificate (to be presented to the employer as justification for the absence) which reports the department where the patient performed the service (neurology, gynecology, orthopedics), thus nullifying the user’s right not to want the employer and the relevant personnel office to know in which area the tests, visits or treatments are being carried out”.

As part of the investigation activity, it was necessary to request from the Company information useful for assessing the case as well as the initiatives taken to conform the processing of personal data to the relevant legislation in this area. This request was formalized in the note of XX (protocol no. XX), formulated by the Authority pursuant to art. 157 of the Code and sent, via PEC, to the address ast.ascolipiceno@emarche.it, and duly delivered. However, no response was received to this request for information. Therefore, the Authority, with note of XX (prot. no. XX), since the Company had not complied with the request to provide the requested elements within the indicated deadline, notified the Company of the violation of art. 157 of the Code, communicating, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation.
Together with the aforementioned note of XX, the request sent with the previous note of XX was re-transmitted.

With a note of XX, sent following the acceptance of a request for a “postponement” of the deadline for responding to the request for information, the Company provided a response to the request for information of XX, declaring, among other things, that:

- “Regional Law no. 19/2022 ‘Organization of the Regional Health Service’ ordered the suppression of the ASUR Marche, as of XX, which was replaced from XX without interruption by the newly established Territorial Health Companies (...), having autonomous public legal personality and entrepreneurial, organizational, administrative, patrimonial, accounting, management and technical autonomy”;
- “the AST of AP was placed under special administration for 7 months, during which 3 Extraordinary Commissioners were appointed”;
- “only from XX did the Regional Council appoint the General Directors of the 5 Territorial Health Companies (...)”;
- “until XX the functions of DPO, also for the territorial Vast Areas, among which Vast Area no. 5 of Ascoli Piceno (from XX the AST of Ascoli Piceno, with legal personality), were held by the ASUR Marche of Ancona”;
- in light of a withdrawal, internal extensions and identification through Mepa, “in a period of 13 months the AST of AP proceeded to the appointment of 2 DPOs”;
- “although not constituting a justification for the failure to fulfil some regulatory obligations in terms of privacy, the 7-month administration of the AST of AP and the recent conclusion of the SARS-COV-2 pandemic period did not facilitate the start of the expected procedures. To date, the acquisition of legal personality with effect from XX by the Territorial Health Authorities (formerly the Large Territorial Areas dependent on the ASUR Marche) of the Marche Region, concurrent with the suppression of the former ASUR Marche and the changes in the commissioners and DPO, have not allowed for the immediate implementation of all the data protection activities”;
- “in coordination with and on the indication of the DPO (...), a task force has been set up with the heads of the company offices, in order to adopt/prepare measures to conform the processing of personal data (...) to the rules: adoption of specific procedures to prevent present and future knowledge, by outsiders, of the state of health of a patient, through the simple correlation between his identity and the indication of the facility or department in which he was visited or hospitalized; implementation of urgent corrective measures, necessary to ensure that certificates issued for administrative purposes, on the occasion of hospitalization/outpatient services, do not contain indications that could link the certificate to the discipline in which the service was provided and in any case to the state of health of the patient”;
- “the manager of the General Affairs UOC of AST started an internal investigation and then acquired information from the Company IT Service UOC and the Clinical Governance and Risk Management UOC in order to carry out the appropriate checks on the forms currently in use, such as those referred to in the complaint in question, and started the immediate preparation and communication - with note (..) of XX - to the Directors of the macro healthcare areas involved of the new forms (certifications issued to patients or their companions to certify their presence in the hospital and justify, for example, absence from work) compliant with the provisions dictated by the Guarantor and, therefore, such as to guarantee compliance with the sector legislation, in which there are no indications of the facility where the service was provided, stamps with the specialization of the healthcare workers, or, in any case, information that can reveal the state of health. This note was published on the company intranet”;
- “on XX a meeting was held with the Directors/Managers of the various organizational branches of the AST, in order to raise their awareness of the use of the forms sent”;
- “with note (…) of XX, the Medical Director of the P.O.U. also sent to all the directors of the complex operating units, simple structures (…) the aforementioned note (…) of XX in order to standardize in all the UU.OO.CC. the methods of issuing certificates to users/justifications for absences in compliance with the regulations dictated by the Privacy Guarantor”;
- “the Manager of the U.O.C. SIA verified that the companies supplying software containing, among other things, the administrative certifications relating to medical visits/outpatient services have adapted said certifications to the provisions issued by the Privacy Guarantor”;
- “with note (…) of XX, the Director of the General Affairs UOC asked the Directors of the Macro Areas concerned for urgent feedback on the status of application of the circular referred to in the aforementioned note (..) of XX”, and they confirmed that they had read and applied the circular;
- “in the former Area Vasta 5 (now AST of Ascoli Piceno) the training of employees on the new legislation referred to in EU Regulation 2016/679 in the healthcare sector began in XX. Except for the period of the COVID-19 pandemic, mandatory basic privacy training continued in XX and XX. (…) Area Vasta 5 first, and then the AST of Ascoli Piceno, have accredited - through the U.O. Corporate Training - an e-learning course in asynchronous FAD mode (…)”. In the year XX, the aforementioned course was taken by 623 employees, in XX by 99 employees, and “the current AST Management of Ascoli Piceno has provided that the training initiatives on the GDPR and privacy legislation also continue in XX in order to carry out said updating continuously, to guarantee the confidentiality, integrity and availability of the personal data processed every day throughout the company”.

2. Assessments of the Office on the processing carried out and notification of the violation pursuant to art. 166, paragraph 5, of the Code

In relation to the facts described in the complaint, the Office, with note of XX (prot. no. XX), notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions pursuant to art. 58, paragraph 2, of the Regulation, inviting it to produce written defenses or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981).

In particular, the Office, in the aforementioned document, considered that the Company had processed the health data of the complainant in a manner that did not comply with the provisions of arts. 5, paragraph 1, letters c) and f), 25 and 32 of the Regulation, in violation of the principles of minimization, integrity and confidentiality, and data protection by design (privacy by design), as well as the obligations regarding the security of processing, by indicating, in the certification forms requested by the patient to justify her absence from work, the department where the data subject received the healthcare service and the stamp with the healthcare professional's specialization.

With a note sent via PEC on XX, the healthcare facility sent its defense briefs, in which, in addition to reiterating what was already indicated in the note of XX, it highlighted in particular that:

- “the communication prot. n. XX of XX, recorded in the company protocol under prot. n. XX, as far as the Company is concerned, had been transmitted via Paleo (the computerized management system of the company protocol) to the internal DPO of the AST of Ascoli Piceno (…) who, as such, should have managed the matter in question and therefore complied with the request for information within the indicated timeframe”;
- “having learned only on XX of the DPO's failure to respond regarding the complaint in question, the Director of the General Affairs and Litigation UOC promptly took action to collect - with all urgency - all the information on the case through an internal investigation, also in consideration of the fact that, in the meantime, the aforementioned DPO had left the service on XX and that the Purchasing and Logistics UOC of this company had concluded the procurement procedure for the direct assignment of the two-year DPO service (…)”;
- “since XX and subsequently with the attached note prot. n. XX of XX (…), the Medical Director of the San Benedetto del Tronto Hospital had provided specific recommendations regarding the respect of privacy with specific reference to the certifications requested by users, providing suitable forms for this purpose, communicated to the Directors of the hospital UU.OO.CC. belonging to the aforementioned hospital. In the context of the integration process between the organizational units belonging to the same Vast Area, said note was transmitted to the Medical Director of the Ascoli Piceno Hospital and to the Single Privacy Representative of the Vast Area (…)”;
- “from the dynamics of the facts it can be deduced that the medical staff involved had no intention of causing any harm to Ms. XX. The degree of seriousness can be classified as slight overall, since for example in the case of the certificate dated XX no heading is reported, but only a faded, almost illegible stamp of the referring doctor, who, through imprudence, used the stamp in question. Different is the presence certificate of XX, which reports in the header of the sheet the U.O.C. and the Director of the department”;
- “the Data Controller and the Director of the UOC General Affairs and Litigation, in coordination with the undersigned new DPO, in February of the current year, and proceeding with a corporate reorganization, in compliance with the principles of privacy by design and privacy by default, have put in place task forces and urgent interventions to prevent further similar conduct; reiterating that we are faced with a first and isolated event, the conduct in question can be classified as a ‘minor violation’”;
- “(…) the erroneous conduct in the data processing carried out by the Company relates to a single data subject, this latter circumstance attenuating the seriousness of the conduct”;
- “it is concluded that, in any case, the intention of the AST of AP, following the incident, is to apologize to the data subject for any harm caused and to adopt further initiatives and actions aimed at raising awareness among staff regarding compliance with the rules on personal data”.

During the hearing, which was held on XX, the party wished to clarify that:

- “the AST draws attention to the profound organizational change undergone starting from XX, which led to the need to issue the articles of association of the Company itself and review all documents and procedures as well as the compliance of the Company, previously managed centrally by ASUR Marche”;
- “as soon as the facts underlying the complaint became known, the Company promptly took action to provide feedback to the Authority and once again give formal instructions so that the correct behaviors required by the law were implemented”;
- “the complex reorganization process did not allow a preparatory handover between the three DPOs who have succeeded one another in the last period”;
- “new training has been prepared for the Company’s employees, in addition to that already carried out in previous years”.
3. Outcome of the investigation

Having taken note of what the Company has represented in the documentation in the files and in the defense briefs, it is noted that:

1. “Personal data” means “any information relating to an identified or identifiable natural person (‘data subject’)” and “data concerning health” means “data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health” (Article 4, paragraph 1, nos. 1 and 15, of the Regulation). Recital 35 of the Regulation then specifies that data concerning health “include information on the natural person collected during his or her registration for the purpose of receiving health care services”.

2. According to the Regulation, personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)” and “processed in a manner that ensures appropriate security (…), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘integrity and confidentiality’), using appropriate technical or organisational measures” (Article 5, paragraph 1, letters c) and f), of the Regulation).

3. Personal data must also be processed in compliance with the principle of data protection by design (privacy by design), according to which “both at the time of determining the means of processing and at the time of the processing itself, the controller must implement appropriate technical and organisational measures designed to implement the data protection principles effectively and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects” (Article 25 of the Regulation).

4. According to the accountability principle, the data controller must both comply with, and be able to demonstrate compliance with, the principles and the obligations provided for by the Regulation (Articles 5, paragraph 2, and 24 of the Regulation). The data controller is therefore required to assess the relevance and non-excessiveness of the information processed, in order to ensure the effective application of the minimization principle (Articles 5, paragraph 2, and 25 of the Regulation; see also points 49 and 51 and paragraph 3.5 of the Guidelines 4/2019 on Article 25, Data Protection by Design and by Default, adopted on XX).

5. The data controller is also required to adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account, in particular, the risks arising from unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful (art. 32 of the Regulation).

6. With specific reference to the case in question, it is highlighted that healthcare organizations must implement specific procedures aimed at preventing, with respect to outsiders, an explicit correlation between the data subject and departments or structures indicative of the existence of a particular state of health (see art. 83 of the Code and art. 22, paragraph 11, of Legislative Decree no. 101 of 10 August 2018, as well as the general provision of the Guarantor of 9 November 2005, web doc. no. 1191411, in which the Guarantor expressly provided that “such precautions must also be oriented towards any certifications requested for administrative purposes not related to those of care (e.g., to justify an absence from work or the impossibility of appearing in a competitive procedure)” (par. 3, letter g), of the aforementioned provision; see also art. 22, paragraph 4, of Legislative Decree no. 101/2018). The aforementioned orientation was also reiterated in Newsletter no. 398 of 9 February 2015, web doc. no. 3710265, in which the Guarantor specified that “in the certifications issued to patients or their companions to certify their presence in the hospital and justify, for example, absence from work, the indications of the facility where the service was provided, the stamp with the health professional's specialization, or in any case information that could reveal the state of health must not be reported (...) These precautions must also be observed when drawing up the certifications required for administrative purposes (e.g. to justify an absence from work or the impossibility of participating in a competition)” (on this topic, see also point 8.2 of the “Guidelines on the processing of personal data of workers for the purposes of managing the employment relationship in the public sector” of 14 June 2007, web doc. no. 1417809, in which it was specified that, with specific regard to the processing of data suitable for revealing the state of health of workers, the existence of specific regulatory obligations on the worker, allowing the employer to verify his real health conditions in the forms provided by law, justifies that specific documentation be provided to the administration to which he belongs as justification for the absence, consisting of a medical certificate containing only the indication of the onset and presumed duration of the illness, the so-called “prognosis”. In the absence of special provisions of a regulatory nature providing otherwise for specific professional figures, the public employer is not entitled to collect medical certificates that also contain the indication of the diagnosis).

7. Article 157 of the Code provides that “Within the scope of the powers referred to in Article 58 of the Regulation and for the performance of its tasks, the Guarantor may request the controller, the processor, the representative of the controller or of the processor, the data subject or even third parties to provide information and to exhibit documents, also with reference to the content of databases”.

4. Conclusions

In light of the assessments set out above, taking into account the declarations made by the data controller during the investigation, and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances, or produces false acts or documents, is liable pursuant to art. 168 of the Code (“False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor”), the elements provided by the Company, as data controller, in the defense briefs mentioned above and during the hearing are not such as to allow the request for dismissal to be accepted, since they do not overcome the findings notified by the Office with the aforementioned act initiating the proceeding.

It should be noted, in fact, that the regulatory and procedural framework outlined above dates back to a period far earlier than the reorganization of regional healthcare, which took place by Regional Law no. 19/2022, which provided, starting from XX, for the suppression of the ASUR Marche and the takeover by the Territorial Health Authorities. The principles indicated above, and the various occasions described on which the Guarantor has provided a clear and specific framework of guarantees, have long constituted a well-established orientation, which should have been known and taken into consideration even before the changes to the regional health system, with the resulting organizational difficulties aggravated by the pandemic emergency.
Furthermore, the succession, in a short time, of several Data Protection Officers (whose designation must take place, pursuant to art. 37, par. 5, of the Regulation, on the basis of professional qualities, in particular expert knowledge of data protection law and practices, and the ability to fulfil the tasks referred to in art. 39 of the same Regulation) does not exempt the data controller from verifying compliance with data protection legislation, both in relation to fulfilling the obligation to provide the information requested by the Guarantor pursuant to art. 157 of the Code, and with reference to the preparation and adoption of measures aimed at preventing, with respect to outsiders (and, in particular, the employer), an explicit correlation between the data subject and departments or structures indicative of the existence of a particular state of health.

Furthermore, in highlighting that it is up to the data controller to assess whether the Data Protection Officer possesses the requirements necessary for the performance of his duties, it is also noted that “the practice of establishing contacts only occasionally between the public body and its DPO (whether internal or external) nullifies the sense of the presence of the DPO and, with it, the privacy by design and by default approach promoted by the Regulation, with direct consequences for the entities themselves in terms of accountability and failure to comply with regulatory obligations (for example, pursuant to Articles 82 and 83 of the Regulation). (…) it has been found that this attitude can be attributed to both parties: to the DPO, as it is often led not to adequately propose to the controller the activities necessary to conform the processing to the rules on the protection of personal data; to the public body, for the tendency to consider the appointment of the DPO only as a formal fulfillment, without recognizing, let alone valorizing, the tasks and potential of this figure” (see points 5 and 8 of the “Guideline document on the designation, position and tasks of the Data Protection Officer (DPO) in the public sector”, attached to the provision of 29 April 2021, no. 186, web doc. no. 9589467).

Having said this, it is noted that the Company, by failing to respond to the Authority's request for information, formulated pursuant to art. 157 of the Code, has committed a violation of art. 157 and, by indicating, in the certification forms requested by the patient to justify her absence from work, the department where the data subject received the healthcare service and the stamp with the healthcare professional's specialization, has processed health data in violation of the principles of minimization, integrity and confidentiality of data (art. 5, paragraph 1, letters c) and f), of the Regulation) and, by not having, from the preparation of the aforementioned certification models onwards, adopted adequate measures to guarantee the effective application of the aforementioned principle of minimization, has not respected the principle of privacy by design and the obligations regarding the security of processing (arts. 25 and 32 of the Regulation).

For these reasons, the processing of health data carried out by the Company is found to be unlawful, in the terms set out in the reasons, due to the violation of arts. 5, paragraph 1, letters c) and f), 25 and 32 of the Regulation, as well as art. 157 of the Code.

In this context, considering that the conduct has exhausted its effects, and noting that the Company has modified the methods of issuing certificates to users and justifications for absences in line with the above-mentioned legislation, verified their correct application and carried out specific training on the protection of personal data, the conditions for adopting the corrective measures referred to in art. 58, paragraph 2, of the Regulation do not currently exist.

5. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (arts. 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code)

The violation of arts. 5, paragraph 1, letters c) and f), 25 and 32 of the Regulation, as well as art. 157 of the Code, caused by the conduct of the Company is subject to the application of the administrative pecuniary sanction pursuant to art. 83, par. 4, letter a), and par. 5, letter a), of the Regulation (see art. 166, paragraph 2, of the Code).

It should be noted that the Guarantor, pursuant to arts. 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to “impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other] [corrective] measures referred to in this paragraph, depending on the circumstances of each individual case” and, in this context, “the [Guarantor] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of publication, in full or in extract, on the Guarantor’s website pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).
In light of the above and, in particular, of the category of personal data affected by the violation, the number of data subjects (patients), including those potentially involved, the nature of the processing, as well as the duration of the violation, it is believed that the level of severity of the violation committed by the Company is high (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Taking into account that the violations of Articles 5, par. 1, letters c) and f), 25 and 32 of the Regulation occurred as a result of a single conduct (the same processing or linked processing operations), Article 83, par. 3, of the Regulation applies, according to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation (which, in this case, concerns art. 5, par. 1, letters c) and f), of the Regulation).

Having said this, having assessed certain elements as a whole and, in particular, that:

- the Authority became aware of the event following a complaint by a data subject (art. 83, par. 2, letter h), of the Regulation);
- the data processing carried out by the Company concerned data suitable for revealing information on the health of one data subject, but potentially also of other persons who requested an administrative certification to justify absence from work (art. 83, par. 2, letters a) and g), of the Regulation);
- from the perspective of the subjective element, the violation is negligent (art. 83, par. 2, letter b), of the Regulation);
- the controller, in order to avoid a repetition of the event, has undertaken to introduce measures aimed at reducing the replicability of the event that occurred (art. 83, par. 2, letter c), of the Regulation);

it is considered appropriate to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, of the Regulation at €13,000.00 (thirteen thousand/00) for the violation of arts. 5, 25 and 32 of the same Regulation, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Considering that the distinct conduct relating to the violation of art. 157 of the Code is subject to the administrative pecuniary sanction referred to in art. 83, par. 5, of the Regulation (art. 166, paragraph 2, of the Code), the total amount of the sanction is to be quantified taking into account the so-called “static” maximum established by the Regulation, equal to the maximum limit of 20,000,000 euros. In relation to this, it is believed that, in this circumstance, the level of severity, on the basis of the elements referred to in art. 83, paragraph 2, letters a) and b), of the Regulation, is to be considered medium, taking into account the fact that no malicious conduct on the part of the data controller emerges. In light of the above elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction at €4,000.00 (four thousand/00) for the violation of art. 157 of the Code.

It is also believed that the accessory sanction of publication of this provision on the website of the Guarantor should be applied, as provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation no. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

NOW, CONSIDERING ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Territorial Health Authority of Ascoli Piceno, for the violation of the principles set out in arts. 5, par. 1, letters c) and f), and 25, and of the obligations set out in art. 32 of the Regulation, as well as art. 157 of the Code, in the terms set out in the reasons;

ORDERS the Territorial Health Authority of Ascoli Piceno, with registered office in Ascoli Piceno (AP), Via degli Iris – 63100, Fiscal Code/VAT number 02500670449, to pay the sum of €17,000.00 (seventeen thousand/00) as an administrative pecuniary sanction, pursuant to arts. 58, par. 2, letter i), and 83 of the Regulation, for the violations indicated in this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €17,000.00 (seventeen thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the consequent enforcement actions pursuant to art. 27 of Law no. 689/1981;

ORDERS the publication of this provision in full on the website of the Guarantor, pursuant to art. 166, paragraph 7, of the Code, and believes that the conditions for annotation in the internal register of the Authority pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, exist.

Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 26 September 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei
10079346] Provision of 26 September 2024 Register of provisions n. 581 of 26 September 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, attended by Prof. Pasquale Stazione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General; SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”); HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (hereinafter “Code”); HAVING SEEN Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”; SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 
1/2019”); SEEN the documentation in the files; SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801; REPORTER Prof. Pasquale Stazione; WHEREAS 1. The complaint and the investigation activity On XX, Mrs. XX filed a complaint, accompanied by specific documentation, in which she complained that the Territorial Health Authority of Ascoli Piceno, hereinafter “the Authority”, had provided “the user who requests it with a certificate (to be presented to the employer as justification for the absence) which reports the department where the patient performed the service (neurology, gynecology, orthopedics), thus nullifying the user’s right not to want the employer and the relevant personnel office to know in which area the tests, visits or treatments are being carried out”. As part of the investigation activity, it was necessary to request from the Authority information useful for assessing the case as well as the initiatives taken to conform the processing of personal data to the relevant legislation in this area. This request was formalized in the note of XX (protocol no. XX), formulated by the Authority, pursuant to art. 157 of the Code and sent, via PEC, to the address: ast.ascolipiceno@emarche.it and duly delivered. However, no response was received to this request for information. Therefore, the Authority, with note of XX (prot. no. XX), since the Company did not comply with the request to provide the requested elements within the indicated deadline, notified the same Company of the violation of art. 157 of the Code, communicating, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation. 
Together with the aforementioned note of XX, the request sent with the previous note of XX was re-transmitted.

With a note of XX, sent following the acceptance of its request for a "postponement" of the deadline for responding to the request for information, the Company provided a response to the request for information of XX, declaring, among other things, that:
- "Regional Law no. 19/2022 'Organization of the Regional Health Service' ordered the suppression of the ASUR Marche, as of XX, which was replaced from XX without interruption by the newly established Territorial Health Companies (...), having autonomous public legal personality and entrepreneurial, organizational, administrative, patrimonial, accounting, management and technical autonomy";
- "the AST of AP was placed under special administration for 7 months, during which 3 Extraordinary Commissioners were appointed";
- "only from XX did the Regional Council appoint the General Directors of the 5 Territorial Health Companies (...)";
- "until XX the functions of DPO, also for the territorial Vast Areas, among which Vast Area no. 5 of Ascoli Piceno (from XX the AST of Ascoli Piceno with legal personality), were under the ASUR Marche of Ancona";
- in light of a withdrawal, internal extensions and identification through MePA, "in a period of 13 months the AST of AP proceeded to the appointment of 2 DPOs";
- "although not constituting a justification for the failure to fulfill some regulatory obligations in terms of privacy, the 7-month administration of the AST of AP and the recent conclusion of the SARS-CoV-2 pandemic period did not facilitate the start of the expected procedures. To date, the acquisition of legal personality with effect from XX by the Territorial Health Authorities (formerly the Large Territorial Areas dependent on the ASUR Marche) of the Marche Region, concurrent with the suppression of the former ASUR Marche and the changes in the commissioners and DPO, have not allowed for the immediate implementation of all data protection activities";
- "in coordination with and on the indication of the DPO (...), a task force has been set up with the heads of the company offices, in order to adopt/prepare measures to conform the processing of personal data (...) to the rules:
  - adoption of specific procedures to prevent present and future knowledge, by outsiders, of the state of health of a patient, through the simple correlation between his identity and the indication of the facility or department in which he was visited or hospitalized;
  - implementation of urgent corrective measures, necessary to ensure that certificates issued for administrative purposes on the occasion of hospitalization/outpatient services do not contain indications that could link the certificate to the discipline of the service provided and in any case to the state of health of the patient";
- "the manager of the General Affairs UOC of AST has started an internal investigation and therefore acquired information from the Company IT Service UOC and the Clinical Governance and Risk Management UOC in order to carry out the appropriate checks on the forms currently in use, such as those referred to in the complaint in question, and started the immediate preparation and communication - with note (..) of XX - to the Directors of the macro healthcare areas involved of the new forms (certifications issued to patients or their companions to certify their presence in the hospital and justify, for example, absence from work) compliant with the provisions dictated by the Guarantor and, therefore, such as to guarantee compliance with the sector legislation, in which there are no indications of the facility where the service was provided, stamps with the specialization of the healthcare workers, or, in any case, information that could trace the state of health. This note was published on the company intranet";
- "on XX, a meeting was held with the Directors/Managers of the various organizational branches of the AST, in order to raise their awareness of the use of the forms sent";
- "with a note (…) of XX, the Medical Director of the P.O.U. also sent to all the directors of the complex operating units, simple structures (…) the aforementioned note (…) of XX in order to standardize in all the UU.OO.CC. the methods of issuing certificates to users/justifications for absences in compliance with the regulations dictated by the Privacy Guarantor";
- "the Manager of the U.O.C. SIA has verified that the companies supplying software containing, among other things, the administrative certifications relating to medical visits/outpatient services have adapted said certifications to the provisions issued by the Privacy Guarantor";
- "with note (…) of XX, the Director of the General Affairs UOC asked the Directors of the Macro Areas concerned for urgent feedback on the status of application of the circular referred to in the aforementioned note (..) of XX", who confirmed that they had read and applied the circular;
- "in the former Area Vasta 5 (now AST of Ascoli Piceno) the training activity of employees with respect to the new legislation referred to in EU Regulation 2016/679 in the healthcare sector began in XX. Except for the period of the COVID-19 pandemic, mandatory basic privacy training continued in XX and XX. (…) Area Vasta 5 first and then the AST of Ascoli Piceno have accredited - through the U.O. Corporate Training - an e-learning course in asynchronous FAD mode (…)".

In the year XX, the aforementioned course was completed by 623 employees, in XX by 99 employees, and "the current AST Management of Ascoli Piceno has planned that the training initiatives on GDPR and privacy legislation also continue in XX in order to carry out said update continuously, to guarantee the confidentiality, integrity and availability of personal data processed every day throughout the company".

2. Assessments of the Office on the processing carried out and notification of the violation pursuant to art. 166, paragraph 5 of the Code

In relation to the facts described in the complaint, the Office, with a note of XX (prot. no. XX), notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures pursuant to art. 58, par. 2, of the Regulation, inviting it to produce written defenses or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981). In particular, the Office, in the aforementioned document, considered that the Company had processed the complainant's health data in a manner that did not comply with the provisions of art. 5, paragraph 1, letters c) and f), 25 and 32 of the Regulation, in violation of the principles of minimization, integrity and confidentiality, and data protection by design (privacy by design), as well as the obligations regarding the security of the processing, by indicating, in the certification forms requested by the patient to justify her absence from work, the department where the data subject received the health service and the stamp with the health professional's specialization.

With a note sent, via PEC, on XX, the same health facility sent its defense briefs, in which, in addition to reiterating what was already indicated in the note of XX, it highlighted in particular that:
- "the communication prot. no. XX of XX, acquired by the company protocol with prot. no. XX, as far as the Company is concerned, had been sent via Paleo (the computerized management system of the company protocol) to the internal DPO of the AST of Ascoli Piceno (...) who, as such, should have managed the matter in question and therefore complied with the request for information within the indicated time frame";
- "having learned only on XX of the lack of response from the DPO regarding the complaint in question, the Director of the General Affairs and Litigation UOC promptly took action to collect - with all urgency - all the information of the case by starting an internal investigation, also in consideration of the fact that, in the meantime, the aforementioned DPO had ceased service on XX and that the Purchasing and Logistics UOC of this company had concluded the procurement procedure for direct assignment of the two-year DPO service (…)";
- "since XX and subsequently with the attached note prot. no. XX of XX (…), the Medical Director of the San Benedetto del Tronto Hospital Presidium had provided specific recommendations regarding respect for privacy with specific reference to the certifications requested by users, providing suitable forms for this purpose, communicated to the Directors of the hospital UU.OO.CC. pertaining to the aforementioned hospital. In the context of the integration process between the organizational units belonging to the same Vast Area, this note was sent to the Medical Directorate of the Ascoli Piceno Hospital and to the Single Privacy Representative of the Vast Area (…)";
- "from the dynamics of the facts it can be deduced that the medical staff involved had no intention of causing any harm to Mrs. XX. The degree of seriousness can be classified as mild overall, since, for example, in the case of the certificate dated XX there is no heading, but only a faded, almost illegible stamp of the referring doctor, who, through imprudence, used the stamp in question. The presence certificate of XX is different, as it reports the U.O.C. and the Director of the department in the heading of the sheet";
- "the Data Controller and the Director of the General Affairs and Litigation UOC, in coordination with the undersigned new DPO, in February of the current year, and proceeding with a corporate reorganization, in compliance with the principles of privacy by design and privacy by default, have implemented task forces and urgent interventions to prevent further similar conduct; reiterating that we are faced with a first and isolated event, the conduct in question can be classified as a 'minor violation'";
- "(…) the erroneous conduct in the data processing carried out by the Company relates to a single data subject, this latter circumstance attenuating the seriousness of the conduct";
- "it is concluded that, in any case, the intention of the AST of AP, following the incident, is to apologize to the data subject for any harm caused and to adopt further initiatives and actions aimed at raising awareness among staff of compliance with the personal data regulation".

During the hearing, held on XX, the party wished to clarify that:
- "AST draws attention to the profound organizational change undergone starting from XX, which led to the need to issue the articles of association of the Company itself and review all documents and procedures as well as the Company's compliance, previously managed centrally by ASUR Marche";
- "as soon as the facts underlying the complaint became known, the Company promptly took action to provide feedback to the Authority and to give formal instructions again so that the correct behaviors required by the law were implemented";
- "the complex reorganization process did not allow a preparatory handover between the three DPOs who succeeded one another in the last period";
- "new training was prepared for the Company's employees, in addition to that already carried out in previous years".
3. Outcome of the investigation

Having taken note of what the Company has represented in the documentation in the files and in the defense briefs, it is noted that:

1. "Personal data" means "any information relating to an identified or identifiable natural person ('data subject')" and "data relating to health" means "data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health" (Article 4, paragraph 1, nos. 1 and 15, of the Regulation). Recital no. 35 of the Regulation further specifies that data relating to health "include information on the natural person collected in the course of his or her registration for the purpose of receiving health care services".

2. According to the Regulation, personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the 'principle of data minimisation')" and "processed in a manner that ensures appropriate security (…), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the 'principle of integrity and confidentiality')" (Article 5, paragraph 1, letters c) and f) of the Regulation).

3. Personal data must also be processed in compliance with the principle of data protection by design (privacy by design), according to which "both at the time of determining the means of processing and at the time of the processing itself, the controller must implement appropriate technical and organisational measures designed to implement the data protection principles effectively and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects" (Article 25 of the Regulation).

4. According to the accountability principle, the data controller must comply with, and be able to demonstrate compliance with, the principles and obligations provided for by the Regulation (Articles 5, paragraph 2 and 24 of the Regulation). The data controller is therefore required to assess the relevance and non-excessiveness of the information processed, in order to ensure the effective application of the minimisation principle (Articles 5, paragraph 2 and 25 of the Regulation; see also points 49 and 51 and paragraph 3.5 of the Guidelines 4/2019 on Article 25, Data Protection by Design and by Default, adopted on XX).

5. The data controller is also required to adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account, in particular, the risks arising from unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful (art. 32 of the Regulation).

6. With specific reference to the case in question, it is highlighted that healthcare organizations must implement specific procedures aimed at preventing, in relation to outsiders, an explicit correlation between the data subject and departments or structures indicative of the existence of a particular state of health (see art. 83 of the Code and art. 22, paragraph 11, of Legislative Decree no. 101 of 10 August 2018, as well as the general provision of the Guarantor of 9 November 2005, web doc. no. 1191411, par. 3, letter g), in which the Guarantor had expressly provided that "such precautions must also be oriented towards any certifications requested for administrative purposes not related to those of care (e.g., to justify an absence from work or the impossibility of appearing in a competitive procedure)"; see also art. 22, paragraph 4, of the aforementioned Legislative Decree no. 101/2018).

The aforementioned orientation was also reiterated in Newsletter no. 398 of 9 February 2015, web doc. no. 3710265, in which the Guarantor specified that "in the certifications issued to patients or their companions to certify their presence in the hospital and justify, for example, absence from work, the indications of the facility where the service was provided, the stamp with the health professional's specialization, or in any case information that could lead to the state of health must not be reported (...). These precautions must also be observed when drawing up the certifications required for administrative purposes (e.g. to justify an absence from work or the impossibility of participating in a competition)". On this topic, see also point 8.2 of the "Guidelines on the processing of personal data of workers for the purposes of managing the employment relationship in the public sector" of 14 June 2007, web doc. no. 1417809, in which it was specified, with specific regard to the processing of data suitable for revealing the state of health of workers, that the existence of specific regulatory obligations requiring the worker to allow the employer to verify his actual health conditions in the forms provided by law justifies the provision, to the administration to which he belongs, of specific documentation justifying the absence, consisting of a medical certificate containing only the indication of the beginning and the presumed duration of the illness (the so-called "prognosis"). In the absence of special provisions of a regulatory nature that provide otherwise for specific professional figures, the public employer is not entitled to collect medical certificates that also contain the indication of the diagnosis.

7. Article 157 of the Code provides that "Within the scope of the powers referred to in Article 58 of the Regulation and for the performance of its duties, the Guarantor may request the controller, the processor, the representative of the controller or of the processor, the data subject or even third parties to provide information and to exhibit documents, also with reference to the content of databases".

4. Conclusions

In light of the above assessments, taking into account the statements made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), the elements provided by the Company, in its capacity as data controller, in the defense briefs referred to above and during the hearing are not suitable for granting the request to close the case, as they do not overcome the findings notified by the Office with the aforementioned act initiating the proceeding.

It should be noted, in fact, that the regulatory and procedural framework outlined above dates back to a period far earlier than the reorganization of regional healthcare, which took place by Regional Law no. 19/2022, which provided, starting from XX, for the suppression of the ASUR Marche and its replacement by the Territorial Health Authorities.
The principles indicated above, and the various occasions described in which the Guarantor provided a clear and specific framework of guarantees, have represented for a long time a well-established orientation, which should have been known and taken into consideration even before the changes to the new regional health system, with the consequent organizational difficulties, aggravated by the pandemic emergency.

Furthermore, the rotation, in a short time, of several Data Protection Officers (whose designation must take place, pursuant to art. 37, par. 5, of the Regulation, on the basis of their professional qualities, in particular their specialist knowledge of data protection legislation and practices, and their ability to perform the tasks referred to in art. 39 of the same Regulation) does not exempt the data controller from verifying compliance with data protection legislation, both in relation to fulfilling the obligation to provide the information requested by the Guarantor pursuant to art. 157 of the Code, and with reference to the preparation and adoption of measures aimed at preventing, with respect to outsiders (and, in particular, the employer), an explicit correlation between the data subject and departments or structures indicative of the existence of a particular state of health.

Furthermore, while highlighting that it is up to the data controller to assess whether the Data Protection Officer possesses the requirements necessary for the performance of his duties, it is also noted that "the practice of establishing contacts only occasionally between the public body and its DPO (both internal and external) nullifies the sense of the presence of the DPO and, with it, the privacy by design and by default approach promoted by the Regulation, with direct consequences for the entities themselves in terms of accountability and failure to comply with regulatory obligations (for example, pursuant to Articles 82 and 83 of the Regulation). (...) It has been found that this attitude can be attributable to both parties: to the DPO, as he is often led not to adequately propose to the controller the activities necessary to conform the processing to the legislation on personal data protection; to the public body, due to the tendency to consider the appointment of the DPO only as a formal requirement, without recognizing or even enhancing the tasks and potential of this figure" (see points 5 and 8 of the "Guideline document on the designation, position and tasks of the Data Protection Officer (DPO) in the public sector", document attached to the provision of 29 April 2021 no. 186, web doc. no. 9589467).

Having said this, it is noted that the Company, by failing to respond to the Authority's request for information formulated pursuant to art. 157 of the Code, has committed a violation of art. 157 and, by indicating, in the certification forms requested by the patient to justify her absence from work, the department where the data subject received the healthcare service and the stamp with the healthcare professional's specialization, has processed health data in violation of the principles of minimization, integrity and confidentiality of data (articles 5, paragraph 1, letters c) and f) of the Regulation) and, by not having adopted, from the preparation of the aforementioned certification models onwards, adequate measures to guarantee the effective application of the aforementioned principle of minimization, has not respected the principle of privacy by design and the obligations regarding the security of processing (articles 25 and 32 of the Regulation).

For these reasons, the processing of health data carried out by the Company is found to be unlawful, in the terms set out in the reasons, due to the violation of articles 5, paragraph 1, letters c) and f), 25 and 32 of the Regulation, as well as art. 157 of the Code.
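The minimisation requirement the Guarantor applies here (no department, no specialist stamp on a certificate handed to an employer) can be enforced in the certificate-printing software itself rather than left to the clinician's choice of form. The following is an added Python example, not code from the decision or from the AST's systems: it renders the pre-fix form beside a minimised form and adds a release gate that refuses any rendered certificate still naming a ward or specialisation; all patient, clinician, ward and date values are constructed.

```python
"""Attendance certificate rendering with a data-minimisation release gate.

Added example (not part of the Garante decision or the AST's own systems).
The legacy template reproduces the defect described in the complaint: the UOC
(department) in the letterhead and the clinician's specialist stamp. The minimised
template never reads those fields, and find_leaks() acts as a gate before printing.
All names, wards, dates and records are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed vocabulary of departments and specialist titles which, on a document
# seen by an employer, reveal the kind of care received. A real deployment would
# derive this list from the health authority's own organisational chart.
SENSITIVE_TERMS = frozenset({
    "neurology", "neurologist", "gynecology", "gynecologist",
    "orthopedics", "orthopedist", "oncology", "oncologist",
    "psychiatry", "psychiatrist", "infectious diseases",
})


@dataclass(frozen=True)
class Visit:
    """One outpatient visit as stored by the hospital information system."""
    patient_name: str
    start: datetime
    end: datetime
    health_authority: str  # who certifies; the employer legitimately needs this
    department: str        # UOC where the visit took place; must not reach the employer
    clinician_name: str
    clinician_title: str   # specialist title on the stamp; must not reach the employer


def legacy_certificate(v: Visit) -> str:
    """Pre-fix form: department in the letterhead and specialist stamp at the bottom."""
    return (
        f"{v.health_authority} - {v.department}\n"
        f"Director: Dr. {v.clinician_name}, {v.clinician_title}\n"
        f"It is certified that {v.patient_name} was present at this unit on "
        f"{v.start:%d/%m/%Y} from {v.start:%H:%M} to {v.end:%H:%M}.\n"
        f"Stamp: Dr. {v.clinician_name} - {v.clinician_title}"
    )


def minimised_certificate(v: Visit) -> str:
    """Privacy-by-design form: identity, presence and time span only.

    The department and clinician fields are never read, so a later template edit
    cannot reintroduce them by accident; the certificate is issued by the
    administrative office instead of being stamped by the treating specialist.
    """
    return (
        f"{v.health_authority}\n"
        f"It is certified that {v.patient_name} was present at this facility on "
        f"{v.start:%d/%m/%Y} from {v.start:%H:%M} to {v.end:%H:%M} "
        "for health services.\n"
        "Issued by the Medical Directorate for administrative purposes only."
    )


def find_leaks(certificate: str, v: Visit) -> list[str]:
    """Return every sensitive term present in the rendered certificate, sorted.

    Checks the fixed vocabulary plus the visit's own department and clinician
    title, so a ward missing from the list is still caught for the record printed.
    """
    text = certificate.lower()
    candidates = set(SENSITIVE_TERMS) | {v.department.lower(), v.clinician_title.lower()}
    return sorted(t for t in candidates if re.search(rf"\b{re.escape(t)}\b", text))


def issue_certificate(v: Visit) -> str:
    """Release gate: render the minimised form and refuse to issue it if it leaks."""
    certificate = minimised_certificate(v)
    leaks = find_leaks(certificate, v)
    if leaks:
        raise ValueError(f"certificate would disclose health information: {leaks}")
    return certificate


# Constructed record mirroring the complaint: a neurology outpatient visit.
SAMPLE_VISIT = Visit(
    patient_name="M. Rossi",
    start=datetime(2024, 3, 7, 9, 30),
    end=datetime(2024, 3, 7, 11, 0),
    health_authority="AST Ascoli Piceno",
    department="Neurology UOC",
    clinician_name="L. Bianchi",
    clinician_title="Neurologist",
)

# Constructed record whose letterhead itself names the discipline: the gate must refuse it.
LEAKY_LETTERHEAD_VISIT = Visit(
    patient_name="A. Verdi",
    start=datetime(2024, 1, 5, 8, 0),
    end=datetime(2024, 1, 5, 9, 0),
    health_authority="Oncology Day Hospital",
    department="Oncology UOC",
    clinician_name="P. Neri",
    clinician_title="Oncologist",
)

if __name__ == "__main__":
    print("legacy form leaks:", find_leaks(legacy_certificate(SAMPLE_VISIT), SAMPLE_VISIT))
    print(issue_certificate(SAMPLE_VISIT))
```

The gate catches the second constructed record even though its minimised template is correct, because the certifying body's own name discloses the discipline; that case has to be fixed in the data (certify under the health authority, not the specialist presidium), not in the template.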
1, letters c) and f), 25 and of the obligations set out in art. 32 of the Regulation, as well as art. 157 of the Code, in the terms set out in the reasons; ORDER the Territorial Health Authority of Ascoli Piceno, with registered office in Ascoli Piceno (AP), Via degli Iris – 63100, Tax Code/VAT number 02500670449, to pay the sum of €17,000.00 (seventeen thousand/00) as an administrative fine, pursuant to Articles 58, paragraph 2, letter i) and 83 of the Regulation, for the violation indicated in this provision; it is represented that the offender, pursuant to Article 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed; ORDERS the aforementioned Authority, in the event of failure to settle the dispute pursuant to Article 166, paragraph 8, of the Code, to pay the sum of €17,000.00 (seventeen thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981; ORDERS the publication of this provision in full on the website of the Guarantor, pursuant to art. 166, paragraph 7, of the Code, and believes that the conditions for annotation in the internal register of the Authority pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, exist. Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 26 September 2024 THE PRESIDENT Stanzione THE REPORTER Stanzione THE GENERAL SECRETARY Mattei