Garante per la protezione dei dati personali (Italy) - 9795404
Garante per la protezione dei dati personali - 9795404 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 12 GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 26.11.2020 |
Decided: | 16.06.2022 |
Published: | |
Fine: | 20000 EUR |
Parties: | Deutsche Bank an unnamed customer of Deutsche Bank |
National Case Number/Name: | 9795404 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Garante per la Protezione dei Dati Personali (in IT) |
Initial Contributor: | Carloc |
The Italian DPA fined Deutsche Bank €20,000 for failing to respond timely to a data subject’s access request.
English Summary
Facts
The data subject is a customer of Deutsche Bank. Deutsche Bank is the data controller.
In 2017 the data subject entered into a loan agreement with the data controller. The data controller disclosed the data subject’s name to CRIF Italy, an Italian database for credit scoring. The data subject later learned about the disclosure. In July 2020 he submitted an access request with the controller, asking to provide him with the information as laid down under Article 13 GDPR (the data subject invoked Article 13 GDPR but apparently meant Article 15 GDPR, see comment below). The controller failed to reply.
In October 2020 the data subject filed a complaint with the Italian DPA. He claimed that the controller failed to respond to his request within the time limits laid out by Article 12(3) GDPR.
In June 2021, after the complaint was notified, the controller admitted that they failed to respond to the request in time and provided the data subject with the information under Article 15 GDPR (see comments for clarification). The controller claimed that the data subject’s request was only a small part of a longer communication, in which he complained that the disclosure of his personal data to CRIF Italy was unlawful. The controller claimed that they needed more time in order to properly address the data subject’s complaints in their entirety. The controller also claimed that they already provided the data subject with the information he requested when he agreed to the loan contract, in compliance with Article 13 GDPR.
Holding
The DPA reject the controller’s arguments entirely.
The DPA held that the controller violated Article 12 and Article 15 GDPR. The controller was under an obligation to respond to the data subject’s acccess request, even though the information he requested had already been provided at the time his personal data were collected, pursuant to Article 13 GDPR. Compliance with Article 13 GDPR at the moment of data collection does not exempt the controller from his obligation to respond to an access request under Article 15 GDPR.
The DPA also held that the controller has a duty to facilitate the exercise of the data subject’s rights (Article 12(2) GDPR). For this reason, the DPA rejected the controller's argument that it needed more time because data subject’s access request was part of a bigger request.
The DPA fined the data controller €20,000.
Comment
The data subject complained that the controller violated Articles 12 and 13 GDPR. However, the DPA investigated and eventually fined the controller for violating Article 15. The DPA does not explain this discrepancy, but it is likely that the DPA took a substantial approach to the case. The data subject’s complaint was ultimately about his right to access his data, and the fact that Article 13 was invoked instead of Article 15 was likely seen a mere formality by the DPA.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web n. 9795404] Injunction order against Deutsche Bank S.p.A. - June 16, 2022 Record of measures n. 226 of June 16, 2022 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei general secretary; GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation"); GIVEN the legislative decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 on "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679"; GIVEN the complaint presented by Mr. XX on 26/10/2020, pursuant to art. 77 of the Regulation, with which a violation of the regulations on the protection of personal data by Deutsche Bank S.p.A was complained; HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000; RAPPORTEUR prof. Pasquale Stanzione; WHEREAS 1. The initiation of the procedure. With the complaint presented to this Authority on 26/10/2020, Mr. XX complained of an unlawful processing of personal data, carried out by Deutsche Bank S.p.A. (hereinafter "the Bank") consisting in reporting your name in CRIF S.p.A., in the absence of the notice pursuant to art. 4, paragraph 7, of the "Code of ethics and good conduct for information systems managed by private parties in terms of consumer credit, reliability and punctuality in payments". in the same complaint, the failure to respond to the request to exercise the rights, formulated against the Bank on 15/07/2020, was also complained, with which it also requested to read the information pursuant to art. 13 of EU Regulation 679/2016 (hereinafter the "Regulation"). Against the aforementioned request, duly notified by pec, no reply was received within the terms set out in art. 12, par. 3, of the aforementioned Regulation. With notes dated 10/02/2021 (prot. No. 8381) and 18/05/2021 (prot. No. 27511), the Bank was invited to provide observations on the facts of the complaint and to join the application for the exercise of rights, advanced by the complainant. The Bank, with a note dated 03/06/2021, provided a response to the aforementioned requests for information, representing, with reference to the failure to give notice of the report in CRIF, that it had sent the complainant, by registered mail, a communication concerning "Notice of imminent recording of data in credit information systems "at the address in its archives. This communication was made by the postal service with the purpose of "Non-existent address". The checks carried out by the Data Controller had, however, shown that the address used to send the notice communication had been indicated by Mr. XX in the form held by the Bank and that no request for modification of the same was received. With regard to the request to exercise the rights, the Bank, admitting that it had not done so previously, sent the complainant and the Authority what was requested when exercising the rights or a copy of the information pursuant to art. 13 of the Regulations and a form containing a summary of the applicant's personal data. The Office, on the basis of the statements made by the Bank, provided, with reference only to the latter profile, to notify the act of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of art. 12, par. 3, and 15 of the Regulation (prot. N. 48577 of 09/28/2021). The Bank, on 28/10/2021, sent its defense writings, pursuant to art. 18 of the law n. 689/1981, with which it preliminarily declared that: - “with communication dated 3 June 2021 (…) the Bank provided the customer with the form containing the summary, pursuant to art. 15 GDPR, of the personal data processed and stored by the Bank, moreover acquired on the occasion of the stipulation of a loan agreement signed on 27 July 2017. With the aforementioned letter (...) a copy of the information referred to in 'art. 13 of the GDPR which, however, had already been delivered to the customer at the same time as the signing of the aforementioned loan agreement "; - the delay in providing feedback to the complainant's request was caused by a series of circumstances "not attributable to the will of the employees or the bank" which, in any case, "we believe did not cause the customer any harm"; - in particular, "the original request formulated by the client on 13 July 2020, forwarded through his lawyer on 15 July 2020, was not already addressed to the appointed e-mail address (...), but initially to the 'certified e-mail address of the complaints office and, in light of the reception problems manifested by this address, to the certified e-mail address of the Bank "; - moreover, "the request for access and the contextual request for a copy of the privacy information (...) appear to have been formulated in the context of a long but absolute generic communication from the customer (...) focused on describing and contesting the conduct required by the Bank regarding an alleged irregularity in the report made by the Bank itself to the Central Risks of the Bank of Italy and, only at the end, in also formulating the requests referred to in Articles 13 and 15 of the GDPR ". 2. The outcome of the investigation. Upon examination of the documentation produced and the declarations made by the party during the proceedings, provided that, unless the fact constitutes a more serious crime, anyone, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code, it emerged that the Bank, in response to the request to exercise the rights formulated by the complainant on 13/07/2020, did not respond to the request for access to personal data formulated by the complainant, within the deadline set by the 'art. 12, par. 3, of the Regulation ("without undue delay and, in any case, at the latest within one month of receipt of the request"), nor did it inform the applicant, within the same term, of the reasons for the non-compliance as well as the possibility of propose a complaint to the Authority (Article 12, paragraph 4 of the Regulation). The argument put forward by the Bank, according to which the request to exercise the rights was presented as part of a broader and more articulated request by the customer which would have prevented from providing timely feedback, cannot be taken as a valid reason for exclusion. of responsibility. This also taking into account the provisions of art. 12, par. 2, of the Regulation according to which "the owner facilitates the exercise of the rights of the interested party, pursuant to articles 15 to 22". It appears, among other things, that the communication sent by the complainant on 13/07/2020 has been correctly notified to the Bank by certified e-mail (as shown in the delivery receipt produced in deeds) and contains analytically the questions on which it requests feedback. Furthermore, the thesis according to which the information pursuant to art. 13 of the Regulation and the data subject to the application were already known to the interested party, as, as is known, art. 15 of the Regulation recognizes, as a preliminary matter, to the interested party "the right to obtain from the data controller confirmation that the processing of personal data concerning him is in progress" and consequently, and if so, the right "to obtain access to the data "themselves and to further information. This also in order to verify the correctness and completeness of the data being processed. 3. Conclusions: illegality of the treatments carried out. In light of the foregoing assessments, it is noted that the statements made by the data controller in the defensive writings ˗ the truthfulness of which one may be called to answer pursuant to art. 168 of the Code ˗ do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and are insufficient to allow archiving, however, none of the cases provided for by art. 11 of the regulation of the Guarantor n. 1/2019, concerning the internal procedures of the Authority having external relevance. For the above reasons, therefore, the complaint submitted pursuant to art. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2, of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation. 4. Order of injunction. The Guarantor, pursuant to art. 58, par. 2, lett. i) of the Regulations and art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (Article 18. L. 24 November 1981 n. 689), in relation to the processing of personal data referring to the complainant, whose unlawfulness has been ascertained, within the terms shown above. With reference to the elements listed in art. 83, par. 2, of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "in each individual case effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulation), that, in the present case, the following circumstances were taken into consideration: - with regard to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned the provisions relating to the exercise of the rights of the interested parties; as well as the fact that the reply to the interested party was provided only following the intervention of the Authority; - the fact that the violation is ascertained with reference to only one interested party; - the absence of previous relevant violations committed by the data controller; - the preparation of technical and organizational measures aimed at favoring the management of reports relating to the protection of personal data; - the degree of cooperation provided by the Bank during the procedure. In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (Article 83, paragraph 1, of the Regulation) to which the Authority must comply in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved and referring to the financial statements for the year 2020. Due to the aforementioned elements, assessed as a whole, it is believed to determine the amount of the financial penalty in the amount of € 20,000.00 (twenty thousand) for the violation of Articles 12 and 15 of the Regulation. In this context, also in consideration of the type of violation ascertained, which concerned the rights of the interested party, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, this provision should be published on the Guarantor's website. Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. WHEREAS, THE GUARANTOR declares, pursuant to art. 57, par. 1, lett. f) and 83 of the Regulations, the unlawfulness of the processing carried out, in the terms set out in the motivation, for the violation of Articles 12, par. 3. and 15 of the Regulations; ORDER to Deutsche Bank S.p.A. in the person of the pro-tempore legal representative, with registered office in Milan, Piazza del Calendar, 3, P.I. 01340740156, pursuant to art. 58, par. 2, lett. i), of the Regulations, to pay the sum of € 20,000.00 (twenty thousand) as a pecuniary administrative sanction for the violations indicated in this provision; INJUNCES to the same Bank to pay the sum of € 20,000.00 (twenty thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - of an amount equal to half of the sanction imposed within the term referred to in art. 10, paragraph 3, of the d. lgs. n. 150 of 1 September 2011 foreseen for the filing of the appeal as indicated below. HAS pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, the publication of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of regulation no. 1/2019. Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad. Rome, June 16, 2022 PRESIDENT Stanzione THE RAPPORTEUR Stanzione THE SECRETARY GENERAL Mattei [doc. web n. 9795404] Injunction order against Deutsche Bank S.p.A. - June 16, 2022 Record of measures n. 226 of June 16, 2022 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei general secretary; GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation"); GIVEN the legislative decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 on "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679"; GIVEN the complaint presented by Mr. XX on 26/10/2020, pursuant to art. 77 of the Regulation, with which a violation of the regulations on the protection of personal data by Deutsche Bank S.p.A was complained; HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000; RAPPORTEUR prof. Pasquale Stanzione; WHEREAS 1. The initiation of the procedure. With the complaint presented to this Authority on 26/10/2020, Mr. XX complained of an unlawful processing of personal data, carried out by Deutsche Bank S.p.A. (hereinafter "the Bank") consisting in reporting your name in CRIF S.p.A., in the absence of the notice pursuant to art. 4, paragraph 7, of the "Code of ethics and good conduct for information systems managed by private parties in terms of consumer credit, reliability and punctuality in payments". in the same complaint, the failure to respond to the request to exercise the rights, formulated against the Bank on 15/07/2020, was also complained, with which it also requested to read the information pursuant to art. 13 of EU Regulation 679/2016 (hereinafter the "Regulation"). Against the aforementioned request, duly notified by pec, no reply was received within the terms set out in art. 12, par. 3, of the aforementioned Regulation. With notes dated 10/02/2021 (prot. No. 8381) and 18/05/2021 (prot. No. 27511), the Bank was invited to provide observations on the facts of the complaint and to join the application for the exercise of rights, advanced by the complainant. The Bank, with a note dated 03/06/2021, provided a response to the aforementioned requests for information, representing, with reference to the failure to give notice of the report in CRIF, that it had sent the complainant, by registered mail, a communication concerning "Notice of imminent recording of data in credit information systems "at the address in its archives. This communication was made by the postal service with the purpose of "Non-existent address". The checks carried out by the Data Controller had, however, shown that the address used to send the notice communication had been indicated by Mr. XX in the form held by the Bank and that no request for modification of the same was received. With regard to the request to exercise the rights, the Bank, admitting that it had not done so previously, sent the complainant and the Authority what was requested when exercising the rights or a copy of the information pursuant to art. 13 of the Regulations and a form containing a summary of the applicant's personal data. The Office, on the basis of the statements made by the Bank, provided, with reference only to the latter profile, to notify the act of initiation of the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code in relation to the violation of art. 12, par. 3, and 15 of the Regulation (prot. N. 48577 of 09/28/2021). The Bank, on 28/10/2021, sent its defense writings, pursuant to art. 18 of the law n. 689/1981, with which it preliminarily declared that: - “with communication dated 3 June 2021 (…) the Bank provided the customer with the form containing the summary, pursuant to art. 15 GDPR, of the personal data processed and stored by the Bank, however acquired on the occasion of the stipulation of a loan agreement signed on 27 July 2017. With the aforementioned letter (...) a copy of the information referred to in 'art. 13 of the GDPR which, however, had already been delivered to the customer at the same time as the signing of the aforementioned loan agreement "; - the delay in providing feedback to the complainant's request was caused by a series of circumstances "not attributable to the will of the employees or the bank" which, in any case, "we believe did not cause the customer any harm"; - in particular, "the original request formulated by the client on 13 July 2020, forwarded through his lawyer on 15 July 2020, was not already addressed to the appointed e-mail address (...), but initially to the 'certified e-mail address of the complaints office and, in light of the reception problems manifested by this address, to the certified e-mail address of the Bank "; - moreover, "the request for access and the contextual request for a copy of the privacy information (...) appear to have been formulated in the context of a long but absolute generic communication from the customer (...) focused on describing and contesting the conduct required by the Bank regarding an alleged irregularity in the report made by the Bank itself to the Central Risks of the Bank of Italy and, only at the end, in also formulating the requests referred to in Articles 13 and 15 of the GDPR ". 2. The outcome of the investigation. Upon examination of the documentation produced and the declarations made by the party during the proceedings, provided that, unless the fact constitutes a more serious crime, anyone, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code, it emerged that the Bank, in response to the request to exercise the rights formulated by the complainant on 13/07/2020, did not respond to the request for access to personal data formulated by the complainant, within the deadline set by the 'art. 12, par. 3, of the Regulations ("without undue delay and, in any case, at the latest within one month of receipt of the request"), nor did it inform the applicant, within the same term, of the reasons for the non-compliance as well as the possibility of propose a complaint to the Authority (Article 12, paragraph 4 of the Regulation). The argument put forward by the Bank, according to which the request to exercise the rights was presented as part of a broader and more articulated request by the customer which would have prevented from providing timely feedback, cannot be taken as a valid reason for exclusion. of responsibility. This also taking into account the provisions of art. 12, par. 2, of the Regulation according to which "the owner facilitates the exercise of the rights of the interested party, pursuant to articles 15 to 22". It appears, among other things, that the communication sent by the complainant on 13/07/2020 has been correctly notified to the Bank by certified e-mail (as shown in the delivery receipt produced in deeds) and contains analytically the questions on which it requests feedback. Furthermore, the thesis according to which the information pursuant to art. 13 of the Regulation and the data subject to the application were already known to the interested party, as, as is known, art. 15 of the Regulation recognizes, as a preliminary matter, to the interested party "the right to obtain from the data controller confirmation that the processing of personal data concerning him is in progress" and consequently, and if so, the right "to obtain access to the data "themselves and to further information. This also in order to verify the correctness and completeness of the data being processed. 3. Conclusions: illegality of the treatments carried out. In light of the foregoing assessments, it is noted that the statements made by the data controller in the defensive writings ˗ the truthfulness of which one may be called to answer pursuant to art. 168 of the Code ˗ do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and are insufficient to allow archiving, however, none of the cases provided for by art. 11 of the regulation of the Guarantor n. 1/2019, concerning the internal procedures of the Authority having external relevance. For the above reasons, therefore, the complaint submitted pursuant to art. 77 of the Regulation and, in the exercise of the corrective powers attributed to the Authority pursuant to art. 58, par. 2, of the Regulation, the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation. 4. Order of injunction. The Guarantor, pursuant to art. 58, par. 2, lett. i) of the Regulations and art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (Article 18. L. 24 November 1981 n. 689), in relation to the processing of personal data referring to the complainant, whose unlawfulness has been ascertained, within the terms shown above. With reference to the elements listed in art. 83, par. 2, of the Regulations for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "in each individual case effective, proportionate and dissuasive" (Article 83, par. 1 of the Regulations), that, in the present case, the following circumstances were taken into consideration: - with regard to the nature, gravity and duration of the violation, the nature of the violation was considered relevant, which concerned the provisions relating to the exercise of the rights of the interested parties; as well as the fact that the reply to the interested party was provided only following the intervention of the Authority; - the fact that the violation is ascertained with reference to only one interested party; - the absence of previous relevant violations committed by the data controller; - the preparation of technical and organizational measures aimed at favoring the management of reports relating to the protection of personal data; - the degree of cooperation provided by the Bank during the procedure. In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (Article 83, paragraph 1, of the Regulation) to which the Authority must comply in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved and referring to the financial statements for the year 2020. Due to the aforementioned elements, assessed as a whole, it is believed to determine the amount of the financial penalty in the amount of € 20,000.00 (twenty thousand) for the violation of Articles 12 and 15 of the Regulation. In this context, also in consideration of the type of violation ascertained, which concerned the rights of the interested party, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, this provision should be published on the Guarantor's website. Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. WHEREAS, THE GUARANTOR declares, pursuant to art. 57, par. 1, lett. f) and 83 of the Regulations, the unlawfulness of the processing carried out, in the terms set out in the motivation, for the violation of Articles 12, par. 3. and 15 of the Regulations; ORDER to Deutsche Bank S.p.A. in the person of the pro-tempore legal representative, with registered office in Milan, Piazza del Calendar, 3, P.I. 01340740156, pursuant to art. 58, par. 2, lett. i), of the Regulations, to pay the sum of € 20,000.00 (twenty thousand) as a pecuniary administrative sanction for the violations indicated in this provision; INJUNCES to the same Bank to pay the sum of € 20,000.00 (twenty thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying - again in the manner indicated in the annex - of an amount equal to half of the sanction imposed within the term referred to in art. 10, paragraph 3, of the d. lgs. n. 150 of 1 September 2011 foreseen for the filing of the appeal as indicated below. HAS pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the regulation of the Guarantor n. 1/2019, the publication of this provision on the website of the Guarantor and believes that the conditions set out in art. 17 of regulation no. 1/2019. Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of Legislative Decree 1 September 2011, n. 150, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad. Rome, June 16, 2022 PRESIDENT Stanzione THE RAPPORTEUR Stanzione THE SECRETARY GENERAL Mattei