Garante per la protezione dei dati personali (Italy) - 9446730

From GDPRhub
Garante per la protezione dei dati personali - 9446730
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(a) GDPR
Article 6 GDPR
Article 13 GDPR
Article 23 GDPR
Article 32 GDPR
Article 57 GDPR
Article 58(2)(c) GDPR
Article 58(2)(d) GDPR
Article 58(2)(f) GDPR
Article 58(2)(i) GDPR
Article 83 GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published:
Fine: None
Parties: Cavauto srl.
Employee
National Case Number/Name: 9446730
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Autorità Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA decided on March 26th 2020 to impose on Cavauto srl., an appointed car dealer, a fine of € 10.000,00 as well as other measurements to ensure compliance with the GDPR. The Italian DPA held that Cavauto accessed and processed personal data of its employee saved on the employee´s business computer and generally failed to comply with principles in terms of personal data protection in violation of Articles 5, 6, 13, 23 and 32 GDPR. The employer dismissed the employee after a disciplinary proceeding on the basis of the personal data found on the computer and subsequently refused to recognize her right of access to personal data left behind in the company.

English Summary

Facts

After a complaint was lodged by the data subject, the Italian DPA proceeded with the examination of the case in accordance with national law, evaluating the statements of the controller and the acquired documents. It was established that the controller had accessed the online browsing history on the business computer used by the data subject, as well as other personal data stored in it, taken into account that the password used to get access to the computer was known not only to the employee but also to the legal representative of the company. It was ascertained that the data subject was not sufficiently informed about the possible proceedings, namely the possible controls carried out by the controller at any moment, neither in regard to browsing history, E-Mail nor other work tools. The information contained in the “internal regulation” is, according to the Italian DPA, too generic in order to comply with the GDPR, failing to inform about the “essential characteristics” of the personal data processing. In fact, in only indicates the possibility of “regular controls”, not delineating however the specific modalities, which violates the principle of data limitation as well as the principle of transparency and fairness. Furthermore, the employer Cavauto limited the right of access to personal data after the dismissal, handing out only the USB-memory stick and some of the agenda-pages, motivating its actions with the need to keep proof for justifying the dismissal in the ongoing judicial proceeding.

Dispute

Is the employer allowed to process personal data kept at work-place, without prior and detailed information about the exact modalities of possible controls? Is he allowed to consequently limit the exercise of the data subjects right of access to its personal data, which was dismissed subsequently to a disciplinary proceeding, initiated on the basis of personal data found on the business computer?


Holding

In applying art. 57 and 58 GDPR, the Italian DPA imposed a limitation on the processing of personal data taken by the browsing history for the ongoing judicial proceeding, ordered the controller to comply with the employees request to access to the personal data stored in the company, ordered the controller to bring its processing operations into compliance with Art. 32 GDPR within sixty (60) days of notification of the decision, imposed an obligation to adapt its internal regulation, specifically regarding the use of business computers and the internet-browsing, to the GDPR, imposed a fine in the amount of € 10.000 and ordered Cavauto srl. to communicate the proposed changes in view of compliance with GDPR. The Italian DPA did not decide on whether the use of personal data acquired in violation of the GDPR and national law can be used in a civil proceeding in which the rightfulness of the dismissal of an employee is discussed.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Order injunction against Cavauto s.r.l. - 26 March 2020

Register of measures
No 65 of 26 March 2020

THE DATA PROTECTION SUPERVISOR

At today's meeting, in the presence of Dr. Antonello Soro, President, Dr. Augusta Iannini, Vice President, Dr. Giovanna Bianchi Clerici and Prof. Licia Califano, members, and Dr. Giuseppe Busia, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter 'the Regulation');

HAVING REGARD to the Personal Data Protection Code, laying down provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Legislative Decree No 196 of 30 June 2003, as amended by Legislative Decree No 101 of 10 August 2018, hereinafter 'the Code');

HAVING REGARD to the "Guidelines for electronic mail and internet", adopted by measure no. 13 of 1 March 2007 (published in the Official Journal of 10 March 2007, no. 58);

HAVING REGARD to the complaint submitted to the Guarantor pursuant to Article 77 of Regulation XX concerning the processing of personal data relating to the data subject carried out by Cavauto s.r.l.;

EXAMINED the documentation in deeds;

HAVING REGARD to the observations made by the Secretary-General pursuant to Article 15 of the Garante Regulation No 1/2000;

REPORTER Dr. Antonello Soro;

PRESENTED

1.  The complaint against the company and the investigation activity.

1.1 By complaint of 24 July 2018 Ms XX (represented and defended by lawyer XX) asked the Authority to order the blocking or prohibition of the processing of personal data, considered unlawful, carried out by Cavauto s.r.l. (hereinafter: the company) through access to the browsing history and other data collected during the employment relationship also through the company's pc, subsequently used in a disciplinary procedure against the complainant concluded with the dismissal (see disciplinary complaint of 29.5.2018 and dismissal letter of 5.6.2018, attached to the complaint). The complaint also asks the complainant to enjoin the company to satisfy 'the right of access [...] to [...] the computer supplied until the date of termination of employment in order to identify and obtain the deletion of files containing personal data [...]; the electronic mail file of the customercare@cavauto address. com in order to identify and obtain the deletion of emails containing personal content [...]; to the company's premises in order to obtain the recovery of all personal documents stored in paper form in the desk and chest of drawers used by the company; to the pages of the personal diary retained by the company in order to identify and obtain the destruction of personal content' (see complaint cited above), p. 6-7).

According to the complainant, these processing operations ˗ and, in particular, access to the PC provided "for exclusive use [...] and provided with a password" for the performance of one's duties, also containing data "of a personal and family nature" ˗ would have taken place "without [the complainant] being notified or even present" (see complaint cit., p. 3). Moreover, the company would not have informed the interested party about "the prohibition to use the company's PC and internet for non-work purposes" or to consult "the personal e-mail that it used also for work reasons", nor about the possibility for the employer to carry out checks, specifying the type, on the correct use of company tools.

1.2. The company, in response to the request for elements (dated 24.9.2018) made by the Office, stated that:

a. the "PC assigned to the former employee [...] had a single but corporate password, so as to allow access only to the [complainant] and, if necessary, to Mr XX, as direct superior";

b. access to the complainant's PC 'limited itself [...] to collecting the history of the sites visited by the employee and did not extend to other data, neither to the custody@cavauto account nor to the personal gmail account';

c. access to the PC was carried out 'in the context of defensive investigations, [...] by Mr XX, the company's legal representative, in the presence of the company's external technician [...]';

d. the PC used by the complainant 'was using the Google Chrome browser which records browsing data history, as there is no company server on which such data is recorded [...]';

e. the company "provided oral and written information at the time of the assignment of the work tools which was subsequently made known through the publication of the internal rules on the use of electronic tools on the virtual notice board available on the company intranet";

f. 'for defensive purposes, the [complainant's] request for access to the PC and the data contained therein could not be granted, since the electronic tool was sealed after inspection by the legal representative [...] and is no longer in use, since it constitutes a source of evidence in court'.

1.3. With reply notes of 19 December 2018 and 1 March 2019 the complainant reiterated the requests already made to the Authority, representing ˗ among other things ˗ that "the use [...] of the company pc has always been in compliance with the directives received and any use other than strictly working has always been [...] known and tolerated" as it has not affected the working performance (note 19.12.2018, p. 3). Furthermore, he complained that the regulation referred to by the company, concerning the use of the company's instruments and possible controls, has a date (21.5.2018) subsequent to the date on which the complainant's computer was accessed (16.5.2018) (note 1.3.2019, p. 4-5).

1.4. On 17 May 2019, pursuant to Article 166, paragraph 5, of the Code, the Office notified the company of the alleged violations of the Regulation found. By note of 16 June 2019 the company, represented and defended by lawyers XX and XX, represented that:

a. the attribution to the (former) employee of a password to access the PC shared with the legal representative was assessed as an "appropriate" measure, both because "no personal data should have been transmitted, stored or otherwise processed through the company PC, as required by company practice, by the instructions given at the time of hiring and by company policies prohibiting the use of electronic work tools for private purposes" and because the employee had not been assigned a "personal company" account (note 16.6.2019, p. 2);

b. 'oral and written information was provided at the time of the assignment of the work tools, which was subsequently made known through the publication of the internal rules [...] on the virtual notice board available on the company intranet' (note cit., p. 2);

c. 'a mere listing of websites cannot be considered 'personal data''. (footnote cit., p. 3);

d. "d. 'even if the legal basis for the processing [...] must be found in the 'pursuit of a legitimate interest' of the data controller in accordance with Article 6.1(f) and recital 47 of the Regulation' (footnote cit., p. 3);

e. in response to the requests for access made by the complainant, the company, in accordance with the provisions of the regulation, handed over a USB key and the diary, even though it was deprived of some pages, while in relation to all the data present in the PC and the pages removed from the diary "it was not able to comply with such requests for "defensive" reasons", in accordance with the provisions of Article 6.1 letter f) and recital 47 of the Regulation" (note cit., p. 3). 2-undecies, letter e) of the Code; in fact, at the time of the presentation of the request "a dispute between the parties was already underway" which then resulted in the appeal against the dismissal; the existence of "conditions which legitimized a partial limitation of the right of access" was communicated, in accordance with the provisions of Art. 2-undecies, para 3, of the Code, with a note of the company's attorney dated 10 July 2018 (note cit, p. 5);

f. the rules in force with regard to remote control are not applicable, either because 'mere knowledge of internet traffic [...] does not constitute 'personal data'' or because 'in the present case [...] control [...] is 'defensive' [...] outside the scope of the applicability of Article 4 of the Workers' Statute' (footnote cit., p. 5-6).

1.5. During the hearing requested by the company and held on 24 July 2019, the legal representative pointed out that the conduct deemed "incorrect" by the employee occurred in contrast with the provisions (also) of the Internal Company Regulations dated 17 October 2017, provided in copy. The company also considered that it had acted legitimately in its control activities also on the basis of what was published on a website linked to a specialized newspaper (Il Sole 24 Ore, 29.5.2018, "Employees' PCs are controllable").

2. The outcome of the investigation.

As a result of the examination of the statements made to the Authority during the proceedings as well as the documentation acquired, it appears that the company, in its capacity as owner, has carried out some processing operations of personal data relating to the complainant - in a period of time immediately prior and immediately subsequent to the application in national law, as of 25 May 2018, of Regulation (EU) 2016/679 - which do not comply with the rules on the protection of personal data, as described below.

2.1. Provided that, unless the fact does not constitute a more serious offence, whoever, in proceedings before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents is liable under Article. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor", on the merits it emerged that the company, in the person of the legal representative, on 16 May 2018 (as attested by the same owner in the disciplinary challenge of 29.5.2018) has made access to the PC provided in use to the complainant by extracting the history of Internet access made available by Google Chrome. Access by the employer was allowed by sharing the access password between the complainant and the legal representative of the company. There is no evidence at this stage that the company has decided to change the described password management practice.
Such sharing is in contrast with the obligation to adopt security measures aimed at ensuring "a minimum level of protection of personal data" (see art. 33 of Legislative Decree no. 196 of 30.6.2003, Personal Data Protection Code, text in force at the time of the facts).

In fact, in the context of computer authentication systems, the authentication credentials assigned to the persons in charge consist, at least, of an identification code associated with a keyword known exclusively to the data subject. Instead of the keyword, having regard to the concrete nature of the information contained in the system, devices may be delivered in the exclusive availability of the person concerned (see what has already been established in the Technical Regulations on minimum security measures, rules 1-11, Annex B of the Code, text prior to the amendments made by Legislative Decree no. 101/2018).

This principle has been incorporated in art. 32 of the Regulation, according to which the data controller, in order to guarantee the confidentiality and integrity of computer systems, must adopt "adequate technical and organizational measures to ensure a level of security appropriate to the risk". Moreover, according to art. 5, par. 1, letter f) of the Regulation, the data controller must guarantee "adequate security of personal data" by applying the principles of "integrity and confidentiality" to the processing carried out.

2.2. It also appears that access to the PC assigned to the complainant, in the absence of the same, took place without the data subject having been provided with adequate information. In fact, the individual information, signed by the complainant on 14.10.2016, does not contain any indication on the use of electronic mail, internet access and other work tools, nor on the type of controls that the employer reserves the right to activate.

With regard to the alleged information that, by admission of the same complainant (see letter of 4th June, 2018 in deeds), it would appear to have been given informally, no proof has been provided by the company that it was exhaustive and, in any case, in compliance with the most factual criteria expressed by the jurisprudence of the Guarantor (see for all measures containing the "Guidelines of the Guarantor by e-mail and Internet" (adopted by the Authority on 1st March, 2007 and published in the Official Gazette No. 58 of 10th March, 2007). On the other hand, it is noted that the documents containing the "Internal Regulations" relative (also) to the use of the work instruments adopted by the Company, both in the version dated 17.10.2017 (delivered to the Authority only on 24.7.2019) and in the version dated 21.5.2018 (subsequent, in any case, to the facts subject to complaint), are without subscription and without elements suitable to indicate the certain date.

This being the case, in any case, the provision contained in the text of the aforesaid regulation in relation to the controls that can be activated on Internet browsing ("Internet browsing is prohibited for reasons other than those functional to the work activity itself; for the protection of the company's assets, Internet connections will be regularly checked on each client in compliance with privacy regulations"), where it seems to provide for "regular" checks (without specifying the modalities) on Internet connections does not appear to comply with the principles of lawfulness and proportionality (see art. 5, par. 1, lett. a) and c), of the Regulation; see also "Guidelines for e-mail and internet", cited in the introduction, points 5.2. and 6.1.).

The data controller, therefore, has not complied with the obligation to provide the data subject with prior information on the essential characteristics of the processing carried out (see art. 13 of the Code, text in force at the time of access to the complainant's PC; the obligation to provide information to the data subject is, under current legislation, established by art. 13 of the Regulation). In the context of the employment relationship, the obligation to inform the employee is also an expression of the general principle of correctness of treatment (see 11, paragraph 1, letter a) of the Code, text in force at the time of access to the complainant's PC; this principle has been incorporated in art. 5, paragraph 1, letter a) of the Regulation; see European Court of Human Rights, Grand Chamber, case of Bărbulescu v. Romania, Application no. 61496/08, 5 September 2017, spec. no. 140). The provisions laid down in Article 6 of the Regulation concerning the criteria for entitlement are also infringed.

2.3. The data controller found the access requests submitted by the complainant (on 4 and 12 July 2018) only partially, rejecting access to the data contained in the PC with the exception of those transferred to a USB key and to some pages of the diary used by the complainant removed before delivery, as well as the request to verify the existence of further personal documents within the room assigned to the complainant.

The limitations to the exercise of the rights, including the right of access, were regulated, pursuant to art. 23 of the Regulations, by art. 2-undecies of the Code which came into force after the submission of the request and the feedback note by the data controller. However, in application of general principles and in accordance with the provisions of the previous Code, on the basis of the above mentioned rule in force, the right of access may be limited by the data controller only in the presence of one of the specific conditions indicated and provided that reasons are given to the data subject. In the case in point, in rejecting the request for access, no specific reasons have been indicated for the protection of the rights referred to the data in question. In fact, with the note of 10.7.2018 (Annex 5, company note of 26.10.2018), it was communicated to the complainant that on the company computer and on the mailbox "there should not be "files containing personal data, saved in the memory of the computer itself, and internet history related to [...] private life"" and that "the personal assets of the worker [...] if they have not all been returned". Nothing, therefore, has been represented with regard to any postponement or limitation or exclusion of the right of access claimed against the holder.

3. Conclusion: unlawfulness of the processing. Corrective measures pursuant to Article 58(2) of the Regulation.

For the above reasons, the processing of personal data carried out by the company is certainly unlawful under Articles 5 and 6 of the Regulation, and also constitutes a violation of Article 4 of Law no. 300/1970 as amended by Legislative Decree no. 151/2015. Further profiles of illegality have been ascertained in relation to the violation of security measures, regulated at the time of the facts by Article 33 of the Code in force at the time of access to the complainant's PC. Considering also that the company has not changed its policy in this regard, Article 32 of the Regulation is applicable in this regard. The processing also took place in violation of Article 13 of the Code in force at the time of access to the complainant's PC in the terms set out above. Considering also that the company has not modified its information documents on this point, Article 13 of the Regulation is applicable in this regard. The unsuitable and partial response provided to the request for access in relation to art. 23 of the Regulation was also unlawful.

On the other hand, it is not necessary to make an assessment of the legitimacy of the allegedly "defensive" control carried out by the company after the complainant's failure to comply with its official duties, as this issue may, if anything, be subject to examination by the judicial authorities.

In light of the above, given the corrective powers granted by Article 58, paragraph 2 of the Regulation, in the light of the circumstances of the specific case:

- the prohibition of further processing of data extracted from the Internet history (art. 58, par. 2, letter f) of the Regulation), without prejudice to their preservation for the exclusive purpose of protecting rights in court - in relation to the case pending before the ordinary judicial authorities - taking into account that, pursuant to art. 160-bis of the Code, "The validity, effectiveness and usability in court proceedings of acts, documents and measures based on the processing of personal data not in compliance with provisions of law or Regulation remain governed by the relevant procedural provisions";

- the company is enjoined to comply with the request for access to the complainant's data (art. 58, par. 2, letter c) Regulations) contained in the company's PC as well as to the other personal data currently held (including, if necessary, in the mail account customercare@cavauto.com, even if the address is not individualized), with particular reference to the agenda pages retained by the company at the time of return and to any data contained in further documents if necessary present in the spaces and furnishings assigned to the employee (see reply note of the complainant 1.3.2019);

- the company is ordered to comply with the provisions of art. 32 of the Regulation on security measures (art. 58, par. 2, letter d) Regulation);

- the company is required to comply with the Regulation, also with reference to the provisions of the internal regulations, providing for measures aimed at preventing the risk of improper or promiscuous use of PCs and company systems, also with reference to employees' Internet browsing, in any case refraining from excessively general provisions relating to the methods of controls;

- in addition to the corrective measures, a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) Regulation).

4. Order for an injunction.

Pursuant to art. 58(2)(i) of the Regulation and art. 166(3) and (7) of the Code, the Guarantor shall order the application of the pecuniary administrative sanction provided for in art. 83(5)(a) of the Regulation, through the adoption of an injunction order (art. 18, Law no. 24.11.1981, no. 1). 689), in relation to the processing of personal data relating to the complainant carried out by the company through the methods of access to the history of Internet browsing, as well as through the unsuitable and partial response provided to the request for access, in the terms set out above, in relation to Articles 5, 6, 13, 32 and 88 of the Regulation, the outcome of the procedure referred to in Article 166, paragraph 5 conducted in contradictory manner with the owner of the treatment (see point 1.4. and 1.5. above).

Considered that paragraph 3 of Article 83 of the Regulation should be applied where it provides that "If, in relation to the same processing or related processing, a data controller [...] violates, intentionally or negligently, various provisions of this Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", considering that the established violations of Article. 5 of the Regulation, are to be considered more serious, since they relate to the non-observance of several principles of a general nature applicable to the processing of personal data, the total amount of the sanction is calculated so as not to exceed the maximum amount specified for the aforementioned violation. Consequently, the sanction provided for in Article 83(5)(a) and (c) of the Regulation, which sets the maximum amount at 20 million euros or, for companies, 4% of the annual worldwide turnover of the previous year, whichever is higher, is applied.

With reference to the elements listed in Article 83(2) of the Regulation for the purposes of the application of the pecuniary administrative sanction and the related quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83(1) of the Regulation), it is represented that, in the present case, the following circumstances have been considered:

a) in relation to the nature, seriousness and duration of the violation, the nature of the violation was considered relevant and concerned the general principles of the processing; the violations also concerned the provisions on the exercise of rights, on security measures, on the legal basis of the processing and on information;

(b) with regard to the intentional or negligent nature of the breach and the degree of liability of the data controller, the negligent conduct of the company and the degree of liability of the company which failed to comply with data protection rules in relation to a number of provisions was taken into account;

c) the company has overall and actively cooperated with the Authority during the proceedings;

e) the absence of specific precedents (relating to the same type of processing) charged to the company.

It is also considered that the principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere when determining the amount of the sanction (Article 83, paragraph 1, of the Regulation) are relevant in the case in point, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness, first of all the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the financial statements for the year 2018. It is also deemed necessary to take into account all the corrective measures actually adopted against the company. Lastly, account is taken of the administrative sanctions imposed under the previous regime for the corresponding administrative offences and the extent of the penalties imposed in similar cases.

In the light of the above elements and the assessments made, it is considered that, in the case in point, an administrative penalty of EUR 10,000.00 (ten thousand) should be applied to Cavauto s.r.l..

In this context it is also considered, in consideration of the nature and seriousness of the violations ascertained, that pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this measure should be published on the website of the Guarantor.

It is also considered that the conditions set forth in Article 17 of Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

It should be noted that, pursuant to article 170 of the Code, anyone who, being required to do so, fails to comply with this prohibition measure shall be punished by imprisonment from three months to two years; in any case, the sanction set forth in article 83, paragraph 5, letter e) of the Regulation may be applied at administrative level.

ALL THIS BEING SAID, THE GUARANTOR

pursuant to Articles 57(1)(f) and 58(2)(c), (d), (f) and (i) of the Rules:

1. orders Cavauto s.r.l. to limit the processing of data extracted from the Internet history (art. 58, par. 2, letter f) of the Regulation) to the sole storage for the sole purpose of protecting rights in court, within the limits of art. 160-bis of the Code;

2. orders Cavauto s.r.l. to comply with the request for access to the data contained in the company's PC as well as other personal data currently held, with particular reference to the agenda pages retained by the company at the time of return (art. 58, par. 2, letter c) Regulations);

3. orders Cavauto s.r.l. to comply with the provisions of art. 32 of the Regulation on security measures, within 60 days of receipt of this measure (art. 58, par. 2, letter d) Regulation);

4. orders Cavauto s.r.l. to conform its internal policy to the Regulation by providing for measures aimed at preventing the risk of improper or promiscuous use of PCs and company systems, also with reference to employees' Internet browsing, within 60 days of receipt of this measure (art. 58, par. 2, letter d) Regulation);

5. inflicts on Cavauto s.r.l., in addition to the corrective measures, the pecuniary administrative sanction provided for by art. 83, par. 5, letter a) of the Regulation, ordering and at the same time enjoining the aforesaid offender to pay the sum of € 10,000.00 (ten thousand) according to the methods indicated in the attachment, within 30 days from the notification of this measure, under penalty of the adoption of the consequent executive acts in accordance with art. 27 of Law no. 689/1981; this without prejudice to Cavauto s.r.l.'s right to settle the dispute by paying an amount equal to half of the penalty imposed within 30 days from the date of notification of this measure, pursuant to art. 166, paragraph 8 of the Code;

6. orders, pursuant to art. 166, paragraph 7, of the Code, the publication of this measure/injunction on the website of the Guarantor;

7. considers that the conditions set out in Article 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met;

8. requests Cavauto s.r.l. to communicate what initiatives have been undertaken in order to implement the provisions of this measure and to provide adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this measure; failure to do so may result in the application of the administrative penalty provided for in art. 83, paragraph 5, letter e) of the Regulation.

Pursuant to Article 78 of the Regulation, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this measure may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller resides, within thirty days from the date of notification of the measure itself, or sixty days if the claimant resides abroad.

Rome, 26 March 2020

THE PRESIDENT
Soro

THE REPORTER
Soro

THE SECRETARY GENERAL
Busia