Garante per la protezione dei dati personali (Italy) - 10095791
| Garante per la protezione dei dati personali - 10095791 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(f) GDPR, Article 25 GDPR, Article 32 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 24.01.2023 |
| Decided: | 27.11.2024 |
| Published: | 20.02.2025 |
| Fine: | 10000 EUR |
| Parties: | Regione Molise |
| National Case Number/Name: | 10095791 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | GPDP (in IT) |
| Initial Contributor: | Carloc |
The DPA fined a region €10,000 over a data breach in which any authenticated user who altered a page URL could reach several data subjects' health records. The breach was caused by the insufficient security measures implemented by the region's sub-processor.
English Summary
Facts
The Region of Molise (the controller) used an information system to handle electronic health records and make them available to citizens. The controller relied on a number of processors and sub-processors, including IT services company Engineering Ingegneria Informatica S.p.a., the developer of the system (the sub-processor).
Data processing agreements were in place between controllers, processors, and sub-processors. These agreements included provisions on security measures for processing personal data. In particular, the agreement between the controller and Società Molise Dati S.p.a. (the processor) provided for the limitation of account privileges on a need-to-know basis.
A user logged into the records system with his patient-level account. He was then able to access the files of other patients by changing the URL of the page. He accessed personal data such as personal details and addresses as well as medical records and other sensitive, health-related data.
The user informed the controller of the vulnerability. The vulnerability was immediately addressed by limiting access privileges for patient-level accounts. At the request of the controller, the processor assessed the software for similar vulnerabilities.
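The missing server-side role check described above, and the two measures the decision later records (blocking direct calls to the list page, and a control in the source code so that the page is not usable by the "Assisted" role), as an added JavaScript model that is not code from the decision or from the FSE portal; the role-to-route assignments, the `wards` session field, the log format and the log lines are assumptions constructed for the example:

```javascript
// Added example: models the defect the Garante decision describes (a
// citizen-search page that only the UI hid from patients, so any
// authenticated user who edited the URL was served it) beside a server-side,
// default-deny route policy plus an object-level check, and replays
// constructed access-log lines against that policy to surface requests that
// should have been refused. Not code from the FSE portal; role-to-route
// assignments, log format and log lines are assumptions made for the example.

// Role names as listed in the decision (note of 3 March 2023).
const ROLES = Object.freeze({
  DOCTOR: "Doctor/Healthcare Manager",
  GP: "GP/PLS",
  PHARMACIST: "Pharmacist",
  ADMIN: "Administrative Operator",
  PATIENT: "Patient",
  GUARDIAN: "Guardian",
});

// --- Weak model: authorization lives only in the UI. The dashboard simply
// does not render a link to the search page for patients, and the server
// serves any page to any authenticated session regardless of role.
function weakAuthorize(session, path) {
  void path; // the requested path is never consulted
  return Boolean(session && session.userId);
}

// --- Hardened model: an explicit allow-list per route, checked by the server
// on every request. Routes absent from the table are denied (default deny),
// so a page nobody thought about cannot quietly become readable by everyone.
// The assignments below are assumptions for the example, not the portal's.
const ROUTE_POLICY = Object.freeze({
  "/fseui/dashboard": [ROLES.DOCTOR, ROLES.GP, ROLES.PHARMACIST, ROLES.ADMIN,
                       ROLES.PATIENT, ROLES.GUARDIAN],
  "/fseui/list": [ROLES.DOCTOR, ROLES.GP, ROLES.ADMIN], // citizen search
});

function authorize(session, path) {
  if (!session || !session.userId || !session.role) return false;
  const allowed = ROUTE_POLICY[path];
  return Array.isArray(allowed) && allowed.includes(session.role);
}

// A route check alone is not enough: opening a record must also verify that
// the caller may see *that* record, or a patient could still reach another
// patient's FSE by changing the identifier in the URL. Patients may open only
// their own record, guardians only those of their wards (assumed field), and
// clinical roles only if the route policy grants them the search page.
function canOpenRecord(session, recordOwnerId) {
  if (!authorize(session, "/fseui/dashboard")) return false;
  if (session.role === ROLES.PATIENT) return session.userId === recordOwnerId;
  if (session.role === ROLES.GUARDIAN) {
    return Array.isArray(session.wards) && session.wards.includes(recordOwnerId);
  }
  return authorize(session, "/fseui/list");
}

// --- Detection: replay access-log lines against the policy and report every
// request the server answered with 200 that the policy would have denied.
// Constructed log format: <timestamp> user=<id> role="<role>" <METHOD> <path> <status>
const LOG_RE = /^(\S+) user=(\S+) role="([^"]+)" (GET|POST) (\S+) (\d{3})$/;

function findServedButForbidden(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line.trim());
    if (!m) continue; // skip lines that do not match the expected format
    const [, ts, userId, role, , path, status] = m;
    if (status !== "200") continue; // only successful responses matter here
    if (!authorize({ userId, role }, path)) hits.push({ ts, userId, role, path });
  }
  return hits;
}

// Constructed sample log, not real portal data: one patient session opens the
// dashboard, then the search page; a doctor uses the search page legitimately;
// a later patient attempt is already refused after the fix.
const SAMPLE_LOG = [
  '2022-11-14T10:02:11Z user=p-0001 role="Patient" GET /fseui/dashboard 200',
  '2022-11-14T10:02:40Z user=p-0001 role="Patient" GET /fseui/list 200',
  '2022-11-15T08:15:03Z user=d-0042 role="Doctor/Healthcare Manager" GET /fseui/list 200',
  "malformed line that the parser must skip",
  '2023-01-20T09:00:00Z user=p-0001 role="Patient" GET /fseui/list 403',
];

const patient = { userId: "p-0001", role: ROLES.PATIENT };
console.log("weak model serves /fseui/list to a patient:", weakAuthorize(patient, "/fseui/list"));
console.log("hardened model serves /fseui/list to a patient:", authorize(patient, "/fseui/list"));
console.log("served-but-forbidden requests in the log:", findServedButForbidden(SAMPLE_LOG));
```

Running the log replay against real access logs after such a fix is also how the controller here established the window and the number of affected records.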
The controller notified the Italian authority of the data breach. Based on system logs, the controller found that only seven files were accessed without authorization.
The controller held that the breach did not result in a high risk for the data subjects and decided not to inform them of the breach. In this regard, the controller considered that the user who breached the data had reported the vulnerability himself and intended no harm to the data subjects. The authority did not challenge this view.
Holding
The authority held that the controller violated Articles 5(1)(f), 25, and 32 GDPR by failing to implement appropriate security measures. Therefore, the authority fined the controller €10,000.
The authority clarified that controllers are responsible for the security of the processing of personal data even when processors and sub-processors are involved. The authority referenced EDPB Guidelines in this regard[1].
Comment
The processing of health records involved many entities. Regione Molise and the Region’s Health Authority (Azienda Sanitaria Regionale per il Molise) were joint controllers. Regione Molise relied on Società Molise Dati S.p.a. (a company owned by Regione Molise itself) as a processor. In turn, Molise Dati S.p.a. engaged with a number of sub-processors, including telecom company TIM S.p.a. Finally, TIM S.p.a. relied on Engineering Ingegneria Informatica S.p.a. as a sub-processor.
The Italian authority fined Società Molise Dati S.p.a. and Engineering Ingegneria Informatica S.p.a. €10,000 each in two parallel decisions about the same data breach: see Garante per la protezione dei dati personali (Italy) - 10095761 (Società Molise Dati) and 10095810 (Engineering Ingegneria Informatica).
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO Newsletter of January 31, 2025

[web doc. no. 10095791]

Measure of November 27, 2024

Register of measures no. 761 of November 27, 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councilor Fabio Mattei, secretary general;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

CONSIDERING Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (hereinafter “Code”);

CONSIDERING Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved by Resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

SEEN the documentation in the files;

SEEN the observations formulated by the general secretary pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, web doc. no. 1098801;

REPORTER Prof. Pasquale Stanzione;

WHEREAS

1. The preliminary investigation activity.

On 24 January 2023, the Molise Region (hereinafter the Region) sent to the Guarantor, pursuant to art. 33 of the Regulation, a notification of personal data breach, concerning the Regional Portal of the FSE (https://fse.regione.molise.it) which, due to a “vulnerability of the system”, had allowed a third party “through an intentional manipulation of the URL to perform a search for the data of other citizens present in the Regional Registry of Molise”. In particular, in the aforementioned notification, the Region declared that “on the FSE Portal of the Molise Region the user with the role “Assisted” was able, by exploiting a vulnerability of the system through an intentional manipulation of the URL, to perform a search for the data of other citizens present in the Regional Registry of Molise. Specifically, by manipulating the URL from https://fse.regione.molise.it/fseui/dashboard to https://fse.regione.molise.it/fseui/list the user was able to use the citizen search function and subsequently, by selecting the citizen, access the function for consulting the personal data and consulting the FSE of the citizen himself” (see notification of 24 January, section F, point 7). According to the documents, the number of assisted persons involved was 7.

With regard to what was represented by the Region, the Office made two requests for information (notes of 21 February and 17 April 2023) - which were responded to with notes of 3 March and 5 May 2023 - in order to acquire more details about the violation and the interventions carried out to remove the highlighted vulnerability, as well as information on the roles of the various subjects who intervened in the treatments subject to the violation, on the technical and organizational measures relating to the procedures for identification, IT authentication (Identity Management) and authorization of the assisted persons for the purpose of consulting their documents present in the FSE, on the subjects responsible for designing such procedures and on the assessments carried out in order to the risks for the rights and freedoms of the interested parties arising from the violation, also in order to verify the existence of the conditions for communicating the same to the interested parties involved. In response to the aforementioned requests for information, the Region clarified that “on 17 January 2023, Mr. […] reported to this Body, via certified email […] a cybersecurity problem encountered while viewing his electronic health record” and that “access was possible by manually and forcibly altering the URL (not visible and accessible to users with the Patient role); the reporter, with the role of patient, forced the system by modifying the URL with the consequent use of the data search and consultation functionality. The search functionality was precluded in normal system navigation. It remains unknown how the patient obtained the exact URL “https://fse.regione.molise.it/fseui/list” in order to force the system” (see note of 3 March 2023, page 1 and attachment 1 and page 2 of attachment 2 to the same).

With regard to the categories of data that the third party was able to consult by calling the URL https://fse.regione.molise.it/fseui/list, the Region declared that “they refer to: personal data (Name, Surname, Date of Birth, City of Birth); residence and domicile data; data relating to healthcare (ASL affiliation, District affiliation, General Practitioner, Exemptions); health documents and reports (e.g. Laboratory reports, specialist reports, etc.)” and that the “search must be done in a timely manner by entering the complete and valid Tax Code or by entering the Name, Surname and date of birth (the three data are mandatory to finalize the search)” (see note of 5 May 2023, page 3).

With reference to the measures in place at the time of the violation, the Region recalled the document attached to the notification drawn up by the company Engineering Ingegneria Informatica S.P.A., designated as data controller, with which the same company communicated the data violation to the Region. Among the technical and organizational measures adopted with reference to the processing of the data subject to the violation described in the aforementioned document, the vulnerability assessment and penetration test activities carried out periodically by an independent designated team are indicated (see notification of 24 January 2023). In this regard, the Region also declared that "the technical authentication measures are all sent back to the regional proxy (managed by Molise Dati) for SPID and CIE access. The Web APP accesses the proxy via a URL including an authentication token. The system receives in response a body with the personal data which, depending on the type of authentication, varies. The middleware carries out checks in the Registry to verify whether the user is actually a user of the Molise region. Otherwise, it is sent back to the system authentication page. If so, at the time of access and selection of the role, the token is generated by the User Manager (software module for user management) in order to be authorized to use the API services for registry and document searches. […] the following roles have been configured: 1. Doctor/Healthcare Manager; 2. GP/PLS; 3. Pharmacist; 4. Administrative Operator; 5. Patient; 6. Guardian, Informal giver, Parent. For each of these roles, the types of interactions that can be carried out have been determined” (see note of 3 March 2023, pages 2 and 3 of Annex 2 to the same).

In particular, the Region has specified that “following the analysis of the technical and functional requirements of the FSE in which Regione Molise, Molise Dati, Tim S.p.A. and Engineering S.p.A. participated. (Annex 6 called “FSE Regione Molise-Ruoli e permessi.pdf”), the system was designed and implemented from an IT perspective by Engineering S.p.A, which, therefore, represents the entity responsible for designing the IT identification and authentication procedures (Identity Management) as well as the IT authorization of the assisted persons for the purpose of consulting the documents present in the FSE and the measures to guarantee the confidentiality of the same documents” (see note of 5 May 2023, page 2).

With reference to the measures adopted following the violation, the Region stated that “an analysis was conducted of the possible cause from which the report arose, therefore, an analysis was carried out of the logs of all the application modules at all levels and subsequently an analysis of the code was conducted to limit the bug and resolve it definitively. The first measure adopted was to inhibit the possibility of accessing the page https://fse.regione.molise.it/fseui/list via direct call from the browser. The second measure adopted was to implement, through controls inserted in the source code, a control that allows verifying that the web page https://fse.regione.molise.it/fseui/list is in no way visible and usable by authenticated users with the “Assisted” role” (see notification of 24 January 2023, section H, point 1). With regard to the measures adopted to prevent similar violations in the future, it was then declared that it had “requested Molise Dati to carry out an analysis aimed at evaluating the possible presence of similar errors in the software developed by the company Engineering SpA” (see notification of 24 January 2023, section H, point 2).

With regard to the communication of the violation to the interested parties, the Region represented that the severity of the potential impact for the interested parties was “medium” since “the security flaw was reported by the same subject who found the possibility of access to unauthorized data. The same does not appear to have the intention to act in a prejudicial manner towards the interested parties”, that the violation “is not likely to present a high risk for the rights and freedoms of natural persons” and that “it was deemed not necessary to proceed with the communication to the interested parties, not identifying a high risk for their rights and freedoms. In particular, taking into account that the security breach was reported by the same subject who had carried out the unauthorized access, it was not deduced, on the part of the same, the intention to act in a prejudicial manner towards the interested parties” (see notification of 24 January 2023, section G, point 3, and section L, point 1 and note of 3 March 2023 page 2 in response to the request for information of 21 February 2023).

Finally, the aforementioned Region declared that “on 11 May 2021 […] it signed, pursuant to art. 26 of EU Regulation 2016/679 (GDPR), with the Molise Regional Health Authority -ASReM a joint controllership agreement for the processing of health data” and that “this joint controllership agreement, in art. 2.3, provided that each joint controller could use external suppliers/subcontractors for the provision of any service relating to the management of the activities referred to in the aforementioned agreement” (see note of 3 March 2023, page 2 and note of 5 May 2023, attachment 2).

On the basis of the above, with a note of 28 September 2023 (prot. 133809), the Office issued a notification of violation pursuant to art. 166, paragraph 5, of the Code to the Molise Region as it was found that the processing of personal data in question was carried out in a manner that did not comply with the principle of "integrity and confidentiality" (Article 5, paragraph 1, letter f), of the Regulation), by not adopting technical and organizational measures suitable for guaranteeing a level of security appropriate to the risk (Article 32 of the Regulation) and adequate, from the design of the processing carried out within the scope of the FSE, to effectively implement the principles of data protection and to integrate the necessary guarantees into the processing in order to satisfy the requirements of the Regulation and protect the rights of the interested parties, in violation of Article 25 of the Regulation.

With a note dated 27 October 2023, the Region sent its defensive briefs in which it represented, in particular, that:

"The Molise Region delegated (...) the technical implementation activity of the FSE to Molise Dati S.p.A., an in-house providing body of the Molise Region";

“In carrying out the assignment received, and having identified the need to turn to a specialized technological partner, Molise Dati S.p.A. adhered to the SPC Cloud Lot 1 Framework Contract of Consip S.p.A., stipulating, on 28 October 2020, the executive contract no. 2000379980709001COE with a temporary consortium composed of TIM S.p.A., Enterprise Services Italia S.r.l., Poste Italiane S.p.A., Postecom S.p.A. and Postel S.p.A.”;

“At the same time as stipulating the service contract, Molise Dati S.p.A. and TIM S.p.A. signed the deed of “appointment as data controller” attached to it, in which, for what is relevant here, the scope of the processing was delimited and the obligation of the supplier to: (…) adopt all technical and organizational measures that meet the requirements of the EU Regulation in order to ensure an adequate level of security of the processing”;

“TIM S.p.A. identified Engineering Ingegneria Informatica S.p.A. as the additional controller of the processing operations carried out for the purposes of implementing the FSE, after stipulating, with the operator, a framework agreement for the provision of cloud enabling services in subcontract. The agreement stipulated by the parties expressly provided for the designation of Engineering Ingegneria Informatica S.p.A. as (further) data controller “in relation to the Framework Agreement signed on 20/07/2016 between Telecom and CONSIP…and/or the Executive Contracts signed between Telecom and the various Beneficiary Administrations”, with the subcontractor’s commitment to “…observe the conditions/instructions reported below and in the aforementioned letter” (see art. 21 of doc. E). Engineering Ingegneria Informatica S.p.A. therefore represented the entity responsible for the design and implementation, from a technical point of view, of the IT system used to manage the electronic health record, including the design of the procedures for identification and IT authentication (Identity Management) as well as IT authorization of the patients for the purposes of consulting the documents in the FSE and the measures to guarantee the confidentiality of the same documents”;

with regard to the facts subject to the violation, “Molise Dati S.p.A. immediately started an investigation to verify the actual existence of the IT security problem reported by the citizen, asking the sub-manager Engineering Ingegneria Informatica S.p.A. to carry out all the most appropriate investigations. Following the checks carried out, on 21 January 2023 Engineering Ingegneria Informatica S.p.A. sent Molise Dati S.p.A. a document, called “report”, in which the actual presence of the bug detected by the reporter was acknowledged”;

“on the FSE Portal of the Molise Region, the user with the “Assisted” role was able, by exploiting a vulnerability in the system through intentional manipulation of the URL, to carry out a search for the data of other citizens present in the Regional Registry of Molise. Specifically, by manipulating the URL from https://fse.regione.molise.it/fseui/dashboard to https://fse.regione.molise.it/fseui/list the user was able to use the citizen search functionality and subsequently, by selecting it, access the functionality for consulting the personal data and consulting the FSE of the citizen himself”;

“Engineering Ingegneria Informatica S.p.A. simultaneously acknowledged that it had carried out an investigation into the causes of the violation and, once the bug had been identified, that it had taken steps to resolve it, carrying out the necessary interventions to avoid the possible reiteration of the security incident”;

“The investigations carried out in greater depth at a later time allowed us to reconstruct the exact dynamics of the violation and the underlying technical vulnerabilities. According to what was ascertained, in fact, the reporting person, who had authenticated himself unambiguously as a “patient” through SPID, CIE or CNS, had manually manipulated the URL of the web page displayed upon access, changing the address “https://fse.regione.molise.it/fseui/dashboard” to “https://fse.regione.molise.it/fseui/list” and accessing the latter without having to pass an authentication procedure. From the second URL – the use of which was (and is) reserved for users authenticated as “Doctor/Healthcare Manager” – it was possible to use the search function of the individual registered citizens and, subsequently, by selecting any of the resulting names, access the consultation of the electronic health record of the selected patient”;

“The underlying vulnerability – which could only be exploited by those authenticated subjects (and therefore identifiable and traceable) who, knowing the destination URL, had intentionally carried out such manipulation – was caused by a software coding error attributable to the work of the sub-controller of the treatment Engineering Ingegneria Informatica S.p.A”;

“To date, as already reported, it is unknown how the whistleblower could have had knowledge of the exact URL “https://fse.regione.molise.it/fseui/list” and the possibility of accessing, through the same, the database underlying the FSE”;

“the duration of the violation appears to be limited to the time period from 14 November to 30 December 2022, since – as shown by the log files – it is during this period that the whistleblower carried out unauthorized access to the personal data of other assisted persons”;

“the number of interested parties involved in the violation is equal to 7”.

In relation to what emerged from the Region's briefs, the Office has also initiated a sanctioning procedure against the companies Molise dati s.p.a. and Engineering ingegneria informatica s.p.a. (notes of 5 February 2024) the outcome of which was assessed with separate provisions examined at the same time as the present one.

The involvement of the company Molise dati S.p.A. was carried out in consideration of what was represented by the aforementioned Region regarding having delegated "the technical implementation activity of the FSE to Molise Dati S.p.A., an in-house providing body of the Molise Region" which with "deed attached to the resolution of the Regional Council no. 143 of 20 May 2021” was designated “as the data controller” and that this appointment, in the documents, provides, among other things, the obligation to implement adequate security measures to protect the personal data being processed, including the “… definition of appropriate technical and organizational solutions aimed at regulating logical access… authorization profiles defined according to the “Need to Know” principle” and the “… execution of activities aimed at identifying vulnerabilities in applications and technical infrastructures functional to the provision of the service and activation of appropriate mitigation plans”.

With regard to the company Engineering ingegneria informatica S.p.A, a sanctioning procedure has been initiated in consideration of what was represented by the aforementioned Region regarding the circumstance that “Engineering Ingegneria Informatica S.p.A. represented, therefore, the entity responsible for the design and implementation, from a technical point of view, of the IT system used for the management of the electronic health record, including the design of the procedures for identification and IT authentication (Identity Management) as well as the IT authorization of the patients for the purpose of consulting the documents present in the FSE and the measures to guarantee the confidentiality of the same documents”; at the request of Molise Dati S.p.A. “Engineering Ingegneria Informatica S.p.A. acknowledged that it “carried out an investigation into the causes of the violation and, once the bug was identified, that it took steps to resolve it, carrying out the necessary interventions to avoid the possible recurrence of the security incident” and that according to what was declared in the documents “the underlying vulnerability – which was exploitable only by those authenticated subjects (and therefore identifiable and traceable) who, knowing the destination URL, had intentionally carried out such manipulation – was caused by a software coding error attributable to the work of the sub-controller of the processing Engineering Ingegneria Informatica S.p.A”.

2. Outcome of the investigation.

Having taken note of what is represented in the documentation in the files and in the defense briefs, it is noted that:

pursuant to the Regulation, “health data” are considered to be personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health (Article 4, paragraph 1, no. 15, of the Regulation). Recital no. 35 of the Regulation then specifies that health data “include information about the natural person collected in the course of his or her registration for the purpose of receiving health care services”; “a number, symbol or specific element attributed to a natural person to uniquely identify him or her for health purposes”;

the Regulation provides that personal data must be “processed in a manner that ensures appropriate security (…) including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘integrity and confidentiality’) using appropriate technical or organisational measures” (art. 5, par. 1, letter f) of the Regulation). In this regard, art. 32 of the Regulation, concerning the security of processing, establishes that "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk" (paragraph 1) and that "in assessing the appropriate level of security, special account shall be taken of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed" (paragraph 2);

also taking into account the purpose of the FSE and the nature of the personal data processed, including those belonging to special categories, the processing carried out in the context in question requires the adoption of the highest security standards, in order not to compromise the confidentiality, integrity and availability of the personal data of millions of data subjects. On this basis, the security obligations imposed by the Regulation require the adoption of rigorous technical and organizational measures, including, in addition to those expressly identified in art. 32, par. 1, letters a) to d), all those necessary to mitigate the risks that the processing presents.

Art. 25, par. 1, of the Regulation provides that "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller [shall implement] appropriate technical and organisational measures, such as pseudonymisation, both at the time of determining the means for processing and at the time of the processing itself, designed to implement data protection principles, such as data minimisation, effectively and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects" (see also recitals 75 and 78 of the Regulation).

Based on the principle of "data protection by design", the controller is therefore required to implement the data protection principles (art. 5 of the Regulation) by adopting appropriate technical and organisational measures and integrating the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights and freedoms of data subjects. Recital 78 of the Regulation suggests a responsibility of the controllers, namely to constantly assess whether they are using, at any time, the appropriate means of processing and whether the measures chosen effectively address existing vulnerabilities. Furthermore, controllers should carry out periodic reviews of the security measures put in place to protect personal data, as well as of the procedure for managing data breaches. The obligation to maintain, verify and update, where necessary, the processing also applies to pre-existing systems. This implies that systems designed before the entry into force of the Regulation must be subject to checks and maintenance to ensure the application of measures and safeguards that implement the principles and rights of data subjects in an effective manner (see the “Guidelines 4/2019 on Article 25 - Data protection by design and by default” adopted by the European Data Protection Board on 20 October 2020, esp. points 7, 38, 39 and 84);

with particular reference to the principle of "integrity and confidentiality" (art. 5, par. 1, letter f), of the Regulation), the controller must (see the aforementioned "Guidelines 4/2019 on Article 25", esp. point 85) take into account the security requirements as soon as possible in the design and development of the system, constantly integrating and carrying out relevant tests;

the violation of personal data which is the subject of this investigation was brought to the attention of the Authority by the aforementioned Region, to which it was represented by the data controller following the report of a client;

it is up to the data controller to “implement appropriate and effective measures [and to …] demonstrate the compliance of the processing activities with the […] Regulation, including the effectiveness of the measures” adopted (recital 74 of the Regulation), even if it uses a processor to carry out some processing activities, to whom it must give specific instructions, including from a security perspective (recital 81 and art. 32, paragraphs 1, letter d), and 4, of the Regulation). In fact, the controller must implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in compliance with the Regulation (arts. 5, paragraph 2, and 24 of the Regulation; see the “Guidelines 07/2020 on the concepts of controller and processor under the GDPR”, adopted by the European Data Protection Board on 7 July 2021, esp. point 41);

as indicated in the aforementioned Guidelines 07/2020 on the concepts of data controller and data processor “Although the chain may be quite long, the data controller maintains a central role in determining the purposes and means of the processing” (point 152); in fact “even if decisions on non-essential means may be left to the data processor, the data controller must still establish certain elements in the data processing agreement such as, for example, in relation to the security requirement, the instruction to adopt all the measures required pursuant to Article 32 of the GDPR”. Having said that, the aforementioned Guidelines add that “In any case, the data controller remains responsible for implementing appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation (point 41 of the Guidelines and Article 24 of the Regulation)”;

from the examination of the information and documentation provided by the Region, it emerges that the FSE Portal of the Molise Region, made available at https://fse.regione.molise.it, due to a “vulnerability” allowed an authenticated user with the role of “assisted” “through an intentional manipulation of the URL, to carry out a search for the data of other citizens present in the Regional Registry of Molise”, in the absence of a verification of the authorization permissions attributed to the user for access to such data; the data controller had not adopted adequate measures and guarantees to effectively implement the principle of “integrity and confidentiality” (see paragraph 3.3), also taking into account the risks for the rights and freedoms of the interested parties arising from the processing in question. In light of the above, the extremes of a violation of the principle of “data protection by design” pursuant to art. 25, par. 1, of the Regulation by this Region are identified;

with specific reference to the roles of the processing carried out through the FSE, attention is drawn to the provisions of the new sector regulation dictated by the decree of the Ministry of Health of 7 September 2023 which identifies for each of the purposes pursued through the FSE the subjects who assume the role of data controllers, to which the regions and autonomous provinces are required to comply (see opinion of the Guarantor of 8 June 2023, web doc. no. 9900433).

3. Conclusions.

In light of the assessments referred to above, taking into account the declarations made by the controller during the investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code “False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor” ˗ the elements provided by the data controller in the defensive briefs do not allow to overcome the findings notified by the Office with the act of initiation of the proceeding, since, moreover, none of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 apply. For these reasons, the unlawfulness of the processing of personal data carried out by the Molise Region in the terms set out in the reasons is noted, in violation of articles 5, par. 1, letter f), 25 and 32 of the Regulation. Finally, it is believed that the conditions set out in art. 17 of the Regulation of the Guarantor no. 1/2019 are met.

4. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (art. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

Violation of art. 5, par. 1, letter f), 25 and 32 of the Regulation entails the application of the administrative sanction provided for by art. 83, par. 4 and 5 of the Regulation. The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose an administrative pecuniary sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data carried out by the Molise Region, which has been found to be unlawful, in the terms set out above.

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "if, in relation to the same processing or connected processing, a data controller [...] violates, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the maximum fine provided for by the same art. 83, par. 5.

In light of the above, it is believed that the level of severity of the violation committed by the Molise Region is low (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, taking into account that the sanction must be “effective, proportionate and dissuasive in each individual case” (art. 83, par.
1 of the Regulation), it is represented that, in the case in question, the circumstances reported below were taken into account: the Authority became aware of the event following the notification of the personal data violation made by the Molise Region, which with reference to the processing in question, also in light of the specific sector regulations, operates as data controller; the processing in question concerns data suitable for detecting health information (personal and residence data, data relating to healthcare received (local health authority of affiliation, district of affiliation, name of general practitioner, any ownership of exemptions), health data inferable from documents and health reports possibly present in the specific electronic health record (e.g. laboratory reports, specialist reports, etc.) of 7 subjects who were exposed to possible illicit access for approximately 45 days (from 14 November to 30 December 2022); the type of vulnerability found was neither easy to detect nor easy to exploit, requiring prior knowledge of the destination URL https://fse.regione.molise.it/fseui/list and intentional manipulation of the URL; the Region has demonstrated a high degree of cooperation by working to immediately introduce suitable measures to overcome the vulnerabilities highlighted above; the Molise Region has not been the recipient of other sanctioning and corrective measures in relation to the case in question. In light of the elements indicated above and the assessments carried out, it is believed, in this case, to apply to the Molise Region the administrative sanction of the payment of a sum equal to Euro 10,000.00 (ten thousand/00). In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor. 
GIVEN ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter a) and 83 of the Regulation, declares the unlawfulness of the processing of personal data carried out by the Molise Region, with headquarters in Via Insorti d’Ungheria, n. 81 – 86100 Campobasso (CB), C.F. / P. IVA 00169440708, for the violation of the principles of “integrity and confidentiality” and “data protection by design and by default” (articles 5, par. 1, letter f), 25 and 32 of the Regulation), in the terms set out in the reasons;

ORDERS

b) pursuant to art. 58, par. 2, letter i) of the Regulation, the aforementioned Region, as the data controller in question, to pay the sum of EUR 10,000.00 (ten thousand/00) as an administrative pecuniary sanction for having violated articles 5, par. 1, letter f), 25 and 32 of the Regulation, as described above;

ORDERS

c) the Molise Region to pay the aforementioned sum of Euro 10,000.00 (ten thousand/00), according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981. It is noted that, pursuant to art. 166, paragraph 8, of the Code, the offender has the right to settle the dispute by paying - again according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.

ORDERS

d) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

e) pursuant to art. 154 bis, paragraph 3 of the Code, the publication of this provision on the website of the Guarantor;

f) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, November 27, 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei

SEE ALSO Newsletter of January 31, 2025

[web doc. no. 10095791]

Provision of November 27, 2024

Register of provisions no. 761 of November 27, 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY’S MEETING, which was attended by Prof. Pasquale Stanzione, president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, general secretary;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, “Code on the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor for the protection of personal data, approved by resolution of the Guarantor no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and at www.gpdp.it, web doc. no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, at www.gpdp.it, web doc. no. 1098801;

REPORTER Prof. Pasquale Stanzione;

WHEREAS

1. The preliminary investigation.

On 24 January 2023, the Molise Region (hereinafter the Region) sent the Guarantor, pursuant to art. 33 of the Regulation, a notification of a personal data breach concerning the regional FSE Portal (https://fse.regione.molise.it) which, due to a “vulnerability of the system”, had allowed a third party “through intentional manipulation of the URL to carry out a search for the data of other citizens present in the Regional Registry of Molise”. In particular, in the aforementioned notification, the Region declared that “on the FSE Portal of the Molise Region, the user with the “Assisted” role was able, by exploiting a vulnerability of the system through intentional manipulation of the URL, to carry out a search for the data of other citizens present in the Regional Registry of Molise. Specifically, by manipulating the URL from https://fse.regione.molise.it/fseui/dashboard to https://fse.regione.molise.it/fseui/list the user was able to use the citizen search function and subsequently, by selecting it, access the function for consulting the personal data and consulting the FSE of the citizen himself” (see notification of 24 January, section F, point 7).
According to what was declared in the documents, the number of assisted persons involved was 7. With regard to what was represented by the Region, the Office made two requests for information (notes of 21 February and 17 April 2023) - which were answered with notes of 3 March and 5 May 2023 - in order to acquire more details about the breach and the interventions carried out to remove the highlighted vulnerability, as well as information on the roles of the various subjects involved in the processing operations affected by the breach, on the technical and organizational measures relating to the procedures for the identification, IT authentication (Identity Management) and authorization of the assisted persons for the purpose of consulting their documents present in the FSE, on the subjects responsible for designing such procedures and on the assessments carried out with regard to the risks for the rights and freedoms of the interested parties deriving from the breach, also in order to verify whether the conditions for communicating it to the interested parties involved were met. In response to the aforementioned requests for information, the Region clarified that “on 17 January 2023, Mr. […] reported to this Body, via certified email […] a cybersecurity problem encountered while viewing his electronic health record” and that “access was possible by manually and forcibly altering the URL (not visible and accessible to users with the Patient role); the reporter, with the role of patient, forced the system by modifying the URL with the consequent use of the data search and consultation functionality. The search functionality was precluded in normal system navigation. It remains unknown how the patient obtained the exact URL “https://fse.regione.molise.it/fseui/list” in order to force the system” (see note of 3 March 2023, page 1 and attachment 1 and page 2 of attachment 2 to the same).
With regard to the categories of data that the third party was able to consult by calling the URL https://fse.regione.molise.it/fseui/list, the Region declared that “they refer to: personal data (Name, Surname, Date of Birth, City of Birth); residence and domicile data; data relating to healthcare (ASL affiliation, District affiliation, General Practitioner, Exemptions); health documents and reports (e.g. Laboratory reports, specialist reports, etc.)” and that the “search must be carried out precisely, by entering the complete and valid Tax Code or by entering the Name, Surname and date of birth (the three data are mandatory to finalize the search)” (see note of 5 May 2023, page 3). With reference to the measures in place at the time of the breach, the Region recalled the document attached to the notification, drawn up by the company Engineering Ingegneria Informatica S.p.A., designated as data processor, with which the same company communicated the data breach to the Region. Among the technical and organizational measures adopted with reference to the processing of the data subject to the breach described in the aforementioned document, the vulnerability assessment and penetration test activities carried out periodically by an independent designated team are indicated (see notification of 24 January 2023). In this regard, the Region also declared that “the technical authentication measures are all delegated to the regional proxy (managed by Molise Dati) for SPID and CIE access. The Web APP accesses the proxy via a URL including an authentication token. The system receives in response a body with the personal data which, depending on the type of authentication, varies. The middleware carries out checks in the Registry to verify whether the user is actually a user of the Molise region. Otherwise, it is sent back to the system authentication page.
If so, at the time of access and selection of the role, the token is generated by the User Manager (software module for user management) in order to be authorized to use the API services for registry and document searches. […] the following roles have been configured: 1. Doctor/Healthcare Manager; 2. GP/PLS; 3. Pharmacist; 4. Administrative Operator; 5. Patient; 6. Guardian, Informal giver, Parent. For each of these roles, the types of interactions that can be carried out have been determined” (see note of 3 March 2023, pages 2 and 3 of Annex 2 to the same). In particular, the Region specified that “following the analysis of the technical and functional requirements of the FSE, in which Regione Molise, Molise Dati, Tim S.p.A. and Engineering S.p.A. participated (Annex 6, called “FSE Regione Molise-Ruoli e permessi.pdf”), the system was designed and implemented from an IT perspective by Engineering S.p.A., which, therefore, represents the entity responsible for designing the IT identification and authentication procedures (Identity Management) as well as the IT authorization of the assisted persons for the purpose of consulting the documents present in the FSE and the measures to guarantee the confidentiality of the same documents” (see note of 5 May 2023, page 2). With reference to the measures adopted following the breach, the Region stated that “an analysis was conducted of the possible cause from which the report arose; therefore, an analysis was carried out of the logs of all the application modules at all levels and subsequently an analysis of the code was conducted to isolate the bug and resolve it definitively. The first measure adopted was to inhibit the possibility of accessing the page https://fse.regione.molise.it/fseui/list via direct call from the browser.
The second measure adopted was to implement, through controls inserted in the source code, a control that allows verifying that the web page https://fse.regione.molise.it/fseui/list is in no way visible and usable by authenticated users with the “Assisted” role” (see notification of 24 January 2023, section H, point 1). With regard to the measures adopted to prevent similar violations in the future, it was then declared that it had “requested Molise Dati to carry out an analysis aimed at evaluating the possible presence of similar errors in the software developed by the company Engineering SpA” (see notification of 24 January 2023, section H, point 2). With regard to the communication of the violation to the interested parties, the Region represented that the severity of the potential impact for the interested parties was “medium” since “the security flaw was reported by the same subject who found the possibility of access to unauthorized data. The same does not appear to have the intention to act in a prejudicial manner towards the interested parties”, that the violation “is not likely to present a high risk for the rights and freedoms of natural persons” and that “it was deemed not necessary to proceed with the communication to the interested parties, not identifying a high risk for their rights and freedoms. In particular, taking into account that the security breach was reported by the same subject who had carried out the unauthorized access, it was not deduced, on the part of the same, the intention to act in a prejudicial manner towards the interested parties” (see notification of 24 January 2023, section G, point 3, and section L, point 1 and note of 3 March 2023 page 2 in response to the request for information of 21 February 2023). Finally, the aforementioned Region declared that “on 11 May 2021 […] signed, pursuant to art. 
26 of EU Regulation 2016/679 (GDPR), with the Molise Regional Health Authority -ASReM a joint-controller agreement in the processing of health data” and that “this joint-controller agreement, in art. 2.3, provided that each joint-controller could use external suppliers/subcontractors for the provision of any service relating to the management of the activities referred to in the aforementioned agreement” (see note of 3 March 2023, page 2 and note of 5 May 2023, attachment 2). On the basis of the above, with a note of 28 September 2023 (prot. 133809), the Office issued a notification of violation pursuant to art. 166, paragraph 5, of the Code to the Molise Region as it was found that the processing of personal data in question was carried out in a manner that did not comply with the principle of "integrity and confidentiality" (Article 5, paragraph 1, letter f), of the Regulation), by not adopting technical and organizational measures suitable for guaranteeing a level of security appropriate to the risk (Article 32 of the Regulation) and adequate, from the design of the processing carried out within the scope of the FSE, to effectively implement the principles of data protection and to integrate the necessary guarantees into the processing in order to satisfy the requirements of the Regulation and protect the rights of the interested parties, in violation of Article 25 of the Regulation. With a note dated 27 October 2023, the Region sent its defensive briefs in which it represented, in particular, that: "The Molise Region delegated (...) the technical implementation activity of the FSE to Molise Dati S.p.A., an in-house providing body of the Molise Region"; “In carrying out the assignment received, and having identified the need to turn to a specialized technological partner, Molise Dati S.p.A. adhered to the SPC Cloud Lot 1 Framework Contract of Consip S.p.A., stipulating, on 28 October 2020, the executive contract no. 
2000379980709001COE with a temporary consortium composed of TIM S.p.A., Enterprise Services Italia S.r.l., Poste Italiane S.p.A., Postecom S.p.A. and Postel S.p.A.”; “At the same time as stipulating the service contract, Molise Dati S.p.A. and TIM S.p.A. signed the deed of “appointment as data processor” attached to it, in which, for what is relevant here, the scope of the processing was delimited and the obligation of the provider was established to: (…) adopt all technical and organizational measures that satisfy the requirements of the EU Regulation in order to ensure an adequate level of security of the processing”; “TIM S.p.A. identified Engineering Ingegneria Informatica S.p.A. as additional data processor (sub-processor) for the processing operations carried out for the purposes of implementing the FSE, following the stipulation, with the operator, of a framework agreement for the provision of subcontracted cloud enabling services. The agreement stipulated by the parties expressly provided for the designation of Engineering Ingegneria Informatica S.p.A. as (additional) data processor “in relation to the Framework Contract signed on 20/07/2016 between Telecom and CONSIP…and/or the Executive Contracts signed between Telecom and the various Beneficiary Administrations”, with the commitment of the subcontractor to “…observe the conditions/instructions reported below and in the aforementioned letter” (see art. 21 of doc. E). Engineering Ingegneria Informatica S.p.A., therefore, represented the entity responsible for the design and implementation, from a technical point of view, of the IT system used to manage the electronic health record, including the design of the procedures for identification and IT authentication (Identity Management) as well as IT authorization of patients for the purpose of consulting the documents in the FSE and the measures to guarantee the confidentiality of the same documents”; with regard to the facts subject to the breach, “Molise Dati S.p.A.
immediately started an investigation aimed at verifying the actual existence of the IT security problem reported by the citizen, asking the sub-processor Engineering Ingegneria Informatica S.p.A. to carry out all the most appropriate investigations. Following the checks carried out, on 21 January 2023 Engineering Ingegneria Informatica S.p.A. sent Molise Dati S.p.A. a document, called “report”, in which the actual presence of the bug detected by the reporter was acknowledged”; “on the FSE Portal of the Molise Region, the user with the “Assisted” role was able, by exploiting a vulnerability in the system through intentional manipulation of the URL, to search for the data of other citizens present in the Regional Registry of Molise. Specifically, by manipulating the URL from https://fse.regione.molise.it/fseui/dashboard to https://fse.regione.molise.it/fseui/list, the user was able to use the citizen search function and subsequently, by selecting it, access the functionality for consulting the personal data and consulting the FSE of the citizen himself”; “Engineering Ingegneria Informatica S.p.A. simultaneously acknowledged that it had carried out an investigation into the causes of the breach and, once the bug had been identified, that it had taken steps to resolve it, carrying out the necessary interventions to avoid the possible recurrence of the security incident”; “The more in-depth investigations carried out at a later time made it possible to reconstruct the exact dynamics of the breach and the underlying technical vulnerabilities. According to what was ascertained, in fact, the reporter, having authenticated himself unambiguously as a “patient” via SPID, CIE or CNS, had manually manipulated the URL of the web page displayed upon access, changing the address “https://fse.regione.molise.it/fseui/dashboard” to “https://fse.regione.molise.it/fseui/list” and accessing the latter without having to pass an authentication procedure.
From the second URL – the use of which was (and is) reserved for users authenticated as “Doctor/Healthcare Manager” – it was possible to use the search function for individual registered citizens and, subsequently, by selecting any of the resulting names, access the electronic health record of the selected patient”; “The underlying vulnerability – which could only be exploited by authenticated subjects (and therefore identifiable and traceable) who, knowing the destination URL, had intentionally carried out such manipulation – was caused by a software coding error attributable to the work of the sub-processor Engineering Ingegneria Informatica S.p.A.”; “To date, as already reported, it is unknown how the reporter could have had knowledge of the exact URL “https://fse.regione.molise.it/fseui/list” and of the possibility of accessing, through it, the database underlying the FSE”; “the duration of the breach appears to be limited to the period from 14 November to 30 December 2022, since – as shown by the log files – it is during this period that the reporter carried out unauthorized access to the personal data of other assisted persons”; “the number of interested parties involved in the breach is equal to 7”. In relation to what emerged from the Region's briefs, the Office also initiated a sanctioning procedure against the companies Molise Dati S.p.A. and Engineering Ingegneria Informatica S.p.A. (notes of 5 February 2024), the outcome of which was assessed with separate provisions examined at the same time as the present one. The involvement of the company Molise Dati S.p.A. was based on what was represented by the aforementioned Region regarding having delegated “the technical implementation activity of the FSE to Molise Dati S.p.A., an in-house providing body of the Molise Region”, which with the “deed attached to the resolution of the Regional Council no.
143 of 20 May 2021” was designated “as data processor” and that this appointment, in the documents, provides, among other things, for the obligation to implement adequate security measures to protect the personal data being processed, including the “… definition of appropriate technical and organizational solutions aimed at regulating logical access… authorization profiles defined according to the “Need to Know” principle” and the “… execution of activities aimed at identifying vulnerabilities in applications and technical infrastructures functional to the provision of the service and activation of appropriate mitigation plans”. With regard to the company Engineering Ingegneria Informatica S.p.A., a sanctioning procedure was initiated in consideration of what was represented by the aforementioned Region regarding the circumstance that “Engineering Ingegneria Informatica S.p.A. represented, therefore, the entity responsible for the design and implementation, from a technical point of view, of the IT system used for the management of the electronic health record, including the design of the procedures for identification and IT authentication (Identity Management) as well as the IT authorization of the patients for the purpose of consulting the documents present in the FSE and the measures to guarantee the confidentiality of the same documents”; at the request of Molise Dati S.p.A. “Engineering Ingegneria Informatica S.p.A.
acknowledged that it “carried out an investigation into the causes of the breach and, once the bug was identified, that it had taken steps to resolve it, carrying out the necessary interventions to avoid the possible recurrence of the security incident” and that, according to what was stated in the documents, “the underlying vulnerability – which was exploitable only by those authenticated subjects (and therefore identifiable and traceable) who, knowing the destination URL, had intentionally carried out such manipulation – was caused by a software coding error attributable to the work of the sub-processor Engineering Ingegneria Informatica S.p.A.”.

2. Outcome of the investigation activity.

Having taken note of what is represented in the documentation in the files and in the defensive briefs, it is noted that: pursuant to the Regulation, “health data” are personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her state of health (Article 4, paragraph 1, no. 15, of the Regulation). Recital no. 35 of the Regulation then specifies that health data “include information about the natural person collected in the course of his or her registration for the purpose of receiving health care services”; “a number, symbol or specific element attributed to a natural person to uniquely identify that natural person for health purposes”; the Regulation provides that personal data must be “processed in a manner that ensures appropriate security (…) including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘integrity and confidentiality’) using appropriate technical or organisational measures” (Article 5, paragraph 1, letter f) of the Regulation). In this regard, art.
32 of the Regulation, concerning the security of processing, establishes that "taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk" (para. 1) and that "in assessing the appropriate level of security, special account shall be taken of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed" (para. 2); also taking into account the purpose of the FSE and the nature of the personal data processed, including those belonging to special categories, the processing carried out in the context in question requires the adoption of the highest security standards, in order not to compromise the confidentiality, integrity and availability of the personal data of millions of data subjects. On this basis, the security obligations imposed by the Regulation require the adoption of rigorous technical and organizational measures, including, in addition to those expressly identified in art. 32, par. 1, letters a) to d), all those necessary to mitigate the risks posed by the processing. 
Article 25, paragraph 1, of the Regulation provides that “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller, both at the time of determining the means for processing and at the time of the processing itself, [shall implement] appropriate technical and organisational measures, such as pseudonymisation, designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” (see also recitals 75 and 78 of the Regulation). According to the principle of “data protection by design”, the data controller is therefore required to implement the data protection principles (Article 5 of the Regulation) by adopting appropriate technical and organizational measures and integrating the necessary safeguards into the processing to meet the requirements of the Regulation and protect the rights and freedoms of data subjects. Recital 78 of the Regulation suggests a responsibility of the controllers, namely to constantly assess whether they are using, at any time, the appropriate means of processing and whether the measures chosen effectively address existing vulnerabilities. Furthermore, controllers should carry out periodic reviews of the security measures put in place to protect personal data, as well as the procedure for managing data breaches. The obligation to maintain, verify and update, where necessary, the processing also applies to pre-existing systems. 
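The technical measure whose absence this decision sanctions is a server-side authorization check: the portal verified only that the caller was authenticated, so a page reserved for clinicians (/fseui/list) was protected solely by not being linked from the Patient menu. As an added illustration, not the Molise FSE code nor the fix adopted by the Region or its processors, the Python sketch below models the six roles the Region listed and enforces, on every request, a deny-by-default role check per route followed by an ownership check per record; the policy table, the session model, the /fseui/record route and all identifiers are constructed for the example.

```python
"""Server-side role and ownership checks for an FSE-style health-record portal.

Added illustration, not the Molise FSE code: the paths /fseui/dashboard and
/fseui/list and the six role names come from the decision; the policy table,
the session model, the /fseui/record route and all sample ids are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Roles configured on the portal, as listed in the Region's submissions.
DOCTOR = "Doctor/Healthcare Manager"
GP = "GP/PLS"
PHARMACIST = "Pharmacist"
ADMIN = "Administrative Operator"
PATIENT = "Patient"
GUARDIAN = "Guardian, Informal giver, Parent"

# Deny-by-default policy: a route absent from this table is refused for every role.
# Which roles may use each route is an assumption made for the example.
ROUTE_POLICY: Dict[str, Set[str]] = {
    "/fseui/dashboard": {DOCTOR, GP, PHARMACIST, ADMIN, PATIENT, GUARDIAN},
    "/fseui/list": {DOCTOR, GP},                       # registry search: clinicians only
    "/fseui/record": {DOCTOR, GP, PATIENT, GUARDIAN},  # consult one citizen's FSE
}


@dataclass
class Session:
    """What the portal knows after SPID/CIE/CNS login and role selection."""
    user_id: str                                  # constructed tax-code-like id
    role: str
    wards: Set[str] = field(default_factory=set)  # citizens a guardian acts for


@dataclass
class Request:
    path: str
    session: Session
    target_citizen: Optional[str] = None  # e.g. ?citizen=<id> on /fseui/record


AUDIT: List[str] = []  # a real deployment writes these to a tamper-evident log


def vulnerable_authorize(req: Request) -> Tuple[int, str]:
    """The failure mode the decision describes: the server checks only that the
    caller is authenticated; /fseui/list is merely hidden from the Patient menu,
    so a request for that URL is served to any logged-in role."""
    if not req.session.user_id:
        return 401, "not authenticated"
    return 200, "ok"  # no role check, no ownership check


def authorize(req: Request) -> Tuple[int, str]:
    """Hardened version: role-per-route, then object-level ownership, every request."""
    allowed_roles = ROUTE_POLICY.get(req.path)
    if allowed_roles is None or req.session.role not in allowed_roles:
        AUDIT.append(f"DENY role={req.session.role!r} user={req.session.user_id} path={req.path}")
        return 403, "role not permitted for route"

    # Object-level check: a Patient may open only their own record, a Guardian a ward's.
    if req.path == "/fseui/record":
        if req.target_citizen is None:
            return 400, "citizen not specified"
        own = req.target_citizen == req.session.user_id
        ward = req.target_citizen in req.session.wards
        if req.session.role == PATIENT and not own:
            AUDIT.append(f"DENY user={req.session.user_id} requested record of {req.target_citizen}")
            return 403, "patient may consult only own record"
        if req.session.role == GUARDIAN and not (own or ward):
            AUDIT.append(f"DENY guardian={req.session.user_id} not linked to {req.target_citizen}")
            return 403, "guardian not linked to this citizen"

    AUDIT.append(f"ALLOW role={req.session.role!r} user={req.session.user_id} path={req.path}")
    return 200, "ok"


def compare() -> Dict[str, Tuple[int, int]]:
    """Run the same constructed requests through both checks and return
    {case: (vulnerable_status, hardened_status)} so the difference is visible."""
    patient = Session("PT000001", PATIENT)
    doctor = Session("DR000001", DOCTOR)
    guardian = Session("GD000001", GUARDIAN, wards={"PT000002"})
    cases = {
        "patient_dashboard": Request("/fseui/dashboard", patient),
        "patient_forced_list": Request("/fseui/list", patient),   # the reported case
        "doctor_list": Request("/fseui/list", doctor),
        "patient_own_record": Request("/fseui/record", patient, "PT000001"),
        "patient_other_record": Request("/fseui/record", patient, "PT000002"),
        "guardian_ward_record": Request("/fseui/record", guardian, "PT000002"),
        "guardian_other_record": Request("/fseui/record", guardian, "PT000003"),
        "unknown_route": Request("/fseui/export", doctor),
    }
    return {name: (vulnerable_authorize(r)[0], authorize(r)[0]) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:24s} vulnerable={before} hardened={after}")
    print("\n".join(AUDIT))
```

The audit entries are what makes the 45-day window in this decision reconstructible after the fact: every denied attempt, not only successful reads, is recorded with the role, the user and the path.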
This implies that systems designed before the entry into force of the Regulation must be subject to checks and maintenance to ensure the application of measures and safeguards that implement the principles and rights of data subjects in an effective manner (see the “Guidelines 4/2019 on Article 25 - Data protection by design and by default” adopted by the European Data Protection Board on 20 October 2020, esp. points 7, 38, 39 and 84); with particular reference to the principle of “integrity and confidentiality” (Article 5, paragraph 1, letter f), of the Regulation), the controller must (see the aforementioned “Guidelines 4/2019 on Article 25”, esp. point 85) take into account the security requirements as soon as possible in the design and development of the system, constantly integrating and carrying out relevant tests; the personal data breach which is the subject of this investigation was brought to the attention of the Authority by the aforementioned Region, to which it was represented by the data controller following a report from a client; it is up to the data controller to “implement adequate and effective measures [and to …] demonstrate the compliance of the processing activities with the […] Regulation, including the effectiveness of the measures” adopted (recital 74 of the Regulation), even if it uses a data controller to carry out certain processing activities, to whom it must give specific instructions, including from a security perspective (recital 81 and art. 32, paragraphs 1, letter d), and 4, of the Regulation). 
In fact, the controller must implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with the Regulation (Articles 5, paragraph 2, and 24 of the Regulation; see the “Guidelines 07/2020 on the concepts of controller and processor under the GDPR”, adopted by the European Data Protection Board on 7 July 2021, especially point 41); as indicated in the aforementioned Guidelines 07/2020 on the concepts of controller and processor “Although the chain may be quite long, the controller maintains a central role in determining the purposes and means of the processing” (point 152); in fact “even if decisions on non-essential means can be left to the processor, the controller must still establish certain elements in the data processing agreement such as, for example, in relation to the security requirement, the instruction to take all the measures required under Article 32 of the GDPR”. That said, the aforementioned Guidelines add that "In any case, the data controller remains responsible for implementing appropriate technical and organizational measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with the regulation (point 41 of the Guidelines and art. 
24 of the Regulation)"; from the examination of the information and documentation provided by the Region, it emerges that the FSE Portal of the Molise Region, made available at the address https://fse.regione.molise.it, due to a "vulnerability" has allowed an authenticated user with the role of "assisted" "through an intentional manipulation of the URL, to carry out a search for the data of other citizens present in the Regional Registry of Molise", in the absence of a verification of the authorization permissions attributed to the user for access to such data; the data controller had not adopted adequate measures and guarantees to effectively implement the principle of "integrity and confidentiality" (see paragraph 3.3), also taking into account the risks to the rights and freedoms of the data subjects arising from the processing in question. In light of the above, the extremes of a violation of the principle of "data protection by design" pursuant to art. 25, par. 1, of the Regulation by this Region are identified; with specific reference to the roles of the processing carried out through the FSE, attention is drawn to the provisions of the new sector regulation dictated by the decree of the Ministry of Health of 7 September 2023 which identifies for each of the purposes pursued through the FSE the subjects who assume the role of data controllers, to which the regions and autonomous provinces are required to comply (see opinion of the Guarantor of 8 June 2023, web doc. no. 9900433). 3. Conclusions. In light of the above assessments, taking into account the declarations made by the data controller during the investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 
168 of the Code "False declarations to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor" ˗ the elements provided by the data controller in the defensive briefs do not allow to overcome the findings notified by the Office with the act of initiation of the proceeding, since, moreover, none of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 apply. For these reasons, the processing of personal data carried out by the Molise Region in the terms set out in the reasons is found to be unlawful, in violation of articles 5, par. 1, letter f), 25 and 32 of the Regulation. Finally, it is believed that the conditions set out in art. 17 of the Regulation of the Guarantor no. 1/2019 are met. 4. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code). Violation of arts. 5, par. 1, letter f), 25 and 32 of the Regulation entails the application of the administrative sanction provided for by art. 83, par. 4 and 5 of the Regulation. The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose an administrative pecuniary sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18. L. 24 November 1981 n. 689), in relation to the processing of personal data carried out by the Molise Region, which has been found to be unlawful, in the terms set out above. Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that "if, in relation to the same processing or connected processing, a data controller [...] 
violates, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the maximum fine provided for by the same art. 83, par. 5. In light of the above, it is believed that the level of severity of the violation committed by the Molise Region is low (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60). With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, taking into account that the sanction must be “effective, proportionate and dissuasive in each individual case” (art. 83, par. 1 of the Regulation), it is represented that, in the case in question, the circumstances reported below were taken into account: the Authority became aware of the event following the notification of the personal data violation made by the Molise Region, which with reference to the processing in question, also in light of the specific sector regulations, operates as data controller; the processing in question concerns data suitable for detecting health information (personal and residence data, data relating to healthcare received (local health authority of affiliation, district of affiliation, name of general practitioner, any ownership of exemptions), health data inferable from documents and health reports possibly present in the specific electronic health record (e.g. laboratory reports, specialist reports, etc.) 
of 7 subjects who were exposed to possible illicit access for approximately 45 days (from 14 November to 30 December 2022); the type of vulnerability found was neither easy to detect nor easy to exploit, requiring prior knowledge of the destination URL https://fse.regione.molise.it/fseui/list and intentional manipulation of the URL; the Region has demonstrated a high degree of cooperation by working to immediately introduce suitable measures to overcome the vulnerabilities highlighted above; the Molise Region has not been the recipient of other sanctioning and corrective measures regarding the case in question. In light of the above elements and the assessments made, it is believed, in this case, to apply to the Molise Region the administrative sanction of the payment of a sum equal to Euro 10,000.00 (ten thousand/00). In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor. GIVEN ALL THE ABOVE, THE GUARANTOR a) pursuant to art. 57, par. l, letter a) and 83 of the Regulation, declares the unlawfulness of the processing of personal data carried out by the Molise Region with headquarters in Via Insorti d’Ungheria, no. 81 – 86100 Campobasso (CB), C.F. / VAT number 00169440708, for the violation of the principles of integrity and confidentiality and data protection by design and by default” (articles 5, par. 1, letter f), 25 and 32 of the Regulation), in the terms set out in the reasons; ORDERS b) pursuant to art. 58, par. 2, letter i) of the Regulation, to the aforementioned Region, as the data controller in question, to pay the sum of EUR 10,000.00 (ten thousand/00) as an administrative pecuniary sanction for having violated articles 5, par. 
1, letter f), 25 and 32 of the Regulation, as described above; ORDER c) the Molise Region to pay the aforementioned sum of Euro 10,000.00 (ten thousand/00), according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, the right of the offender to settle the dispute by paying - again according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below. ORDERS d) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor; e) pursuant to art. 154 bis, paragraph 3 of the Code, provides for the publication of this provision on the website of the Guarantor; f) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation. Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 27 November 2024 THE PRESIDENT Stanzione THE REPORTER Stanzione THE GENERAL SECRETARY Mattei
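The flaw the decision describes (an authenticated "assisted" user reaching other citizens' records by manipulating the URL of the listing page, with no check of that user's entitlement to the requested record) is a missing object-level authorisation check: the portal verified who the caller was, not whether the caller could see the particular record named in the request. The Python below is an added illustration written for this page, not code from the Region's portal or from its supplier; the `cf` query parameter, the session model, the care relationships, the audit-line format and the patient records are all assumptions, with fictitious identifiers. It shows the vulnerable handler beside its hardened form and a small check over audit lines that would have surfaced cross-patient reads during the exposure window.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample records with fictitious identifiers (not data from the case).
RECORDS: Dict[str, dict] = {
    "PAT-0001": {"name": "Patient A", "gp": "Dr. Rossi", "reports": ["lab-2022-11-01"]},
    "PAT-0002": {"name": "Patient B", "gp": "Dr. Bianchi", "reports": ["xray-2022-12-05"]},
    "PAT-0003": {"name": "Patient C", "gp": "Dr. Verdi", "reports": []},
}
# Assumed care relationships for the "doctor" role: doctor -> patients in their care.
CARE_RELATIONSHIPS: Dict[str, Set[str]] = {"doc-rossi": {"PAT-0001"}}
AUDIT: List[str] = []  # in-memory access log, one line per access decision


@dataclass(frozen=True)
class Session:
    """What the portal knows about the caller after authentication (assumed model)."""
    user_id: str
    role: str                         # "assisted" (patient) or "doctor"
    patient_id: Optional[str] = None  # the caller's own record, for "assisted" sessions


class Forbidden(Exception):
    pass


def requested_patient(url: str) -> str:
    """Read the target record from the assumed `cf` query parameter of the listing URL."""
    ids = parse_qs(urlparse(url).query).get("cf", [])
    if len(ids) != 1:
        raise ValueError("missing or ambiguous patient identifier")
    return ids[0]


def _audit(verdict: str, s: Session, target: str) -> None:
    AUDIT.append(f"{verdict} user={s.user_id} role={s.role} own={s.patient_id} target={target}")


def list_vulnerable(s: Session, url: str) -> dict:
    """Authentication only: whoever is logged in gets whatever record the URL names."""
    target = requested_patient(url)
    _audit("ALLOW", s, target)
    return RECORDS[target]


def is_authorised(s: Session, target: str) -> bool:
    """Object-level check: is this session entitled to this particular record?"""
    if s.role == "assisted":
        return s.patient_id is not None and s.patient_id == target
    if s.role == "doctor":
        return target in CARE_RELATIONSHIPS.get(s.user_id, set())
    return False  # unknown roles are denied by default


def list_hardened(s: Session, url: str) -> dict:
    """Same endpoint with the missing check: authorise the (session, record) pair,
    not just the session, before touching the data."""
    target = requested_patient(url)
    if not is_authorised(s, target):
        _audit("DENY", s, target)
        raise Forbidden(f"{s.user_id} may not read {target}")
    _audit("ALLOW", s, target)
    return RECORDS[target]


def hardened_allows(s: Session, url: str) -> bool:
    """True if the hardened endpoint serves the request, False if it refuses it."""
    try:
        list_hardened(s, url)
        return True
    except Forbidden:
        return False


def cross_patient_reads(lines: List[str]) -> List[Tuple[str, str]]:
    """Detection over audit lines: 'assisted' sessions that were ALLOWed to read a
    record other than their own. Any hit means the object-level check is missing."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        verdict, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if verdict == "ALLOW" and kv["role"] == "assisted" and kv["own"] != kv["target"]:
            hits.append((kv["user"], kv["target"]))
    return hits


if __name__ == "__main__":
    patient = Session("u-123", "assisted", patient_id="PAT-0001")
    other = "https://fse.regione.molise.it/fseui/list?cf=PAT-0002"
    print("vulnerable:", list_vulnerable(patient, other)["name"])  # another patient's record
    print("hardened allows:", hardened_allows(patient, other))      # False
    print("suspicious reads:", cross_patient_reads(AUDIT))           # [('u-123', 'PAT-0002')]
```

The design point is that the decision is made per record, inside the handler, against the authenticated principal, and never on the basis of an identifier the client supplied; `requested_patient` is only used to name the record, not to prove any right to it. Logging both ALLOW and DENY verdicts with the session's own identifier next to the target is what makes a retrospective check like `cross_patient_reads` possible over a window such as the 45 days at issue here.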