Garante per la protezione dei dati personali (Italy) - 9845156
Garante per la protezione dei dati personali - 9845156 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5 GDPR Article 9 GDPR Article 13 GDPR Article 14 GDPR Article 35 GDPR Article 58 GDPR Article 82 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 15.12.2022 |
Published: | 07.02.2023 |
Fine: | 55000 EUR |
Parties: | n/a |
National Case Number/Name: | 9845156 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Italian DPA (in IT) |
Initial Contributor: | LR |
The Italian DPA fined a health authority €55,000 for the unlawful processing of special category health data. The controller sought to compile a list of patients vulnerable to major complications from Covid-19 infection.
English Summary
Facts
This case concerns the Friuli Centrale University Health Authority, the controller, which (upon instruction from the Friuli Venezia Giulia Regional Council) instructed GPs to validate a list of patients compiled for the supposed purpose of “statistical stratification”. These patients, the data subjects, had been previously identified by the Health Authority, according to its own (unknown) criteria, as being in complex and comorbid conditions and therefore at a high risk of major complications from covid-19 infections. The personal information processed included details of therapies, pathological status, family addresses, living conditions/habits and the procedure for collecting this information imposed upon GPs a disclosure of their patient’s health data without the chance to check if consent had been obtained.
The Italian DPA commenced a preliminary investigation in which they requested specific information from the controller concerning: the initiatives taken to ensure the data was processed lawfully; the purpose of the processing; the methods for obtaining informed consent; a description of whether the data was special category health data or anonymised data; and the impact assessment carried out.
The controller responded to the request by stating, firstly, that the activity is based on a legal provision related to the current state of emergency. Secondly, the three lawful bases for processing (depending on the type of data) are: Article 9(2)(h) GDPR (necessary for the purposes of preventive or occupational medicine); Article 9(2)(i) GDPR (for reasons of public interest in the area of public health); and Article 9(2)(g) GDPR (for reasons of substantial public interest). Thirdly, the use of an algorithm was only applied to the data of those who had consented to extraction for this purpose. Finally, that they did not deem it necessary to carry out an impact assessment, as they did not perceive a high risk for the rights and freedoms of natural persons. In further submissions to the investigation, the controller confirmed that the number of data subjects affected by the activities described was more than 40,000.
Holding
Issuing its final decision, the Italian DPA identified three key issues in this case: the absence of an appropriate legal basis for treatment; the information provided to interested parties (transparency); and the lack of any impact assessment.
Firstly, concerning the lawful basis for processing, the DPA asserts that the profiling of patients, consisting of an automated processing of personal data aimed at analysing and predicting the evolution of the individual’s health situation and the possible correlation with other elements of clinical risk, can only be carried out in compliance with specific requirements and adequate guarantees for the rights and freedoms of the interested parties. In particular, the processing at issue can only be carried out on the basis of the specific informed consent of the data subject (Article 9(2)(a) GDPR). The controller’s argument that processing was based on Articles 9(2)(h) or (g) GDPR were dismissed because, among other things, the processing operations could not be considered ‘necessary’ for the treatment of the patient. Accordingly, the controller, by processing special category data without a valid lawful basis, had infringed Article 5(1)(a) and 9 GDPR.
Regarding the second issue (transparency), the controller did not provide any clarification or information in its defence concerning the alleged failure to provide data subjects with information on the processing of personal data. Accordingly, given that none of the exemptions set out in Article 14(5) GDPR apply in this case, the DPA found a violation of the principle of transparency in Article 5(1)(a) GDPR and the obligations outlined in Article 14 GDPR.
Finally, concerning the lack of any impact assessment, the DPA found that the controller’s assertion that such an assessment was not required could not be upheld. The processing in question concerned data relating to the health of a large number of vulnerable individuals, and so the failure to conduct an impact assessment constituted a violation of Article 35 GDPR.
In light of the above violations, the DPA imposed an administrative fine of €55,000 (Article 58(2)(i) GDPR). In doing so, they took into account: the large number of data subjects affected; the emergency pandemic context; the lack of any reports or complaints from data subjects; and the full cooperation of the controller with the investigation. The DPA also ordered the controller to delete the relevant data within 90 days (Article 58(2)(d) GDPR) and to, within 20 days of this deadline, communicate the measures taken to comply with the order (Article 58(1)(a) GDPR).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO: Newsletter of January 24, 2023 [doc. web no. 9845156] Corrective and sanctioning measure against the Friuli Centrale University Company - 15 December 2022 Register of measures no. 416 of 15 December 2022 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE, "General Data Protection Regulation" (hereinafter "Regulation"); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter the “Code”); CONSIDERING the decree law of 19 May 2020, n. 34 law, converted with amendments into law 17 July 2020, n. 77, and, in particular, the art. 7 relating to predictive methodologies of the evolution of the population's health needs; CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019"); HAVING REGARD to the documentation in the deeds; HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000; Speaker the lawyer Guido Scorza; WHEREAS 1. Premise It has been reported to this Authority that the resolution of the Friuli Venezia Giulia Region Council, no. 1737 of 20 November 2020, instructed General Practitioners (hereinafter also GPs only) to validate, for the purpose of pro rata payment of part of the variable fee, "through the regional IT portal, a list of users/assisted patients previously identified by the Healthcare Authority, according to its own (unknown) criterion, such as in conditions of complexity and comorbidity for the (apparent) purpose of statistical stratification by filling in computer files in which to report personal bio-humoral data, therapies, pathological status, family addresses, conditions/ life habits, etc.”. Together with the report, a copy of the attachment to the aforementioned resolution was provided containing the "memorandum of understanding between the FVG Region and the trade union organizations of GPs for the regulation of relations for the two-year period 2020 -2021 and of the activities connected to the epidemiological emergency from Covid-19 ”. The first of the objectives indicated in the aforementioned report concerns the "stratification, complexity and comorbidities at high risk of major complications from Covid-19 infections", with respect to which in the "notes" section of the report synthetic indications are provided on the preparation of the lists of patients to be submitted to the initiative medicine plans and on the ways in which they are downloaded, through the company Insiel, "from the portal of continuity of care" and then made available to the health authorities. It was also reported that the aforementioned resolution would require GPs to communicate data on the health of their patients without the possibility for them to verify "whether the Healthcare Company has [previously] given consent" to the processing of their personal data for purposes of "statistical stratification", also highlighting how this specific discipline provides for "the anonymous transmission of data for statistical or administrative purposes". 2. The preliminary investigation In relation to the above, the Office has started a preliminary investigation (note of the XX, prot. n. XX) requesting the Friuli Venezia Giulia Region and the Friuli Centrale University Company (hereinafter respectively also just the Region or Company or ASUFC) specific information elements regarding in particular: the initiatives taken in order to ensure that the treatments necessary to carry out the aforesaid initiative medicine activities were implemented in compliance with the regulations on the protection of personal data, with particular reference to what is indicated in the provisions of the Guarantor adopted on the subject (Opinion to the Council of State on the new ways of allocating the health fund among the regions proposed by the Ministry of Health and based on population stratification, of 5 March 2020, web doc. n. 9304455, opinion on the draft law of the Autonomous Province of Trento containing specific provisions on proactive medicine, of 8 May 2020, web doc. No. 9344635, opinion on the draft regulation relating to the implementing provisions of the Trentino provincial law for proactive medicine in the provincial health service, of 1 ° October 2020, web doc. 9469372, provision dated 17 December 2020, web doc. n. 9529527; provision imenti of February 24, 2022 n. 63, 64, 65, 66, 67, 65, 68, 69 and 70, doc. web no. 9752177, 9752221, 9752260, 9752299, 9752410, 9752433, 9752490 and 9752524); the purposes pursued with the data processing envisaged by the report attached to the aforementioned resolution, and for each of them the relative legal basis of the processing, as well as the relative owners and managers, pursuant to articles 9, 24 and 28 of the Regulation; if the treatment, although aimed at the pursuit of treatment purposes, is not strictly necessary for this purpose, the methods of prior acquisition of the informed and explicit consent of the interested parties, pursuant to art. 9, par. 2, lit. a) of the Regulation; the description of the personal data flows indicated in the report attached to the aforementioned resolution, specifying whether the processing concerned health data or anonymous and aggregated data; the impact assessment carried out, pursuant to art. 35 of the Regulation, considering that we are dealing with large-scale processing of particular categories of personal data and therefore at high risk. With a note of the XX (prot. n. XX), the Company replied to the request for information declaring that: the activity referred to in the resolution of the Regional Council n. 1737 of 20 November 2020 cannot qualify as initiative medicine as defined by the Ministry of Health; this activity is based on the art. 1, first paragraph, of the d.l. 34/2020, where it is provided that "the regions and the autonomous provinces adopt plans to strengthen and reorganize the assistance network", as well as on the fourth paragraph of the same provision, according to which "the regions and the autonomous provinces, to guarantee the maximum level of assistance compatible with the needs of public health and safety of care in favor of infected subjects identified through health risk monitoring activities, as well as all fragile people whose condition is aggravated by the ongoing emergency, if they have not already done, they increase and direct the therapeutic and assistance actions at home level (...)"; "therefore, it is an activity that is based on a law related to the current state of emergency"; "The purpose pursued with the processing of data envisaged by the agreement attached to the resolution, as already anticipated, is the care of the patient by the GP, pursuant to art. 9, par. 2, lit. h) of the GDPR”; “The ASUFC is involved for a much more limited purpose, i.e. for the payment to the GP of the fees envisaged in relation to the measure of achievement of the objectives. The specific treatment by the Company is therefore based on the art. 9, par. 2, lit. i) and lett. g) and, in particular on the planning, management, control and evaluation of health care, including the establishment, management, planning and control of relations between the administration and the subjects accredited or affiliated with the NHS (art 2-sexies, second paragraph, letter V, Code)"; “the Friuli Centrale University Health Authority is the owner of the data used, extracted from its data warehouse”; “The algorithm used for data extraction is provided to Insiel by the Regional Agency for Coordination for Health. It provides that only the data of those who have given their consent to the consultation of the FSE by the GP can be extracted”; the list thus extracted of the patients was sent to the GPs for all the activities envisaged for the payment of the fee; "the Company did not deem it necessary to carry out an impact assessment, for the treatment of its competence, not recognizing a high risk for the rights and freedoms of natural persons, taking into consideration the nature, object, context and the purposes of the processing, given the emergency framework in which the processing itself is inserted”; “In conclusion: the treatment in question is based on a legal provision, concerns pseudonymized data in the extraction phase, pursues the purpose of care and, for the part of the Company's operational competence, has purposes of significant public interest; it is carried out in an emergency context, in order to protect all patients in a fragile condition, whose exposure to the virus could have lethal results". The Region, with note of the XX prot. no. XX stated that: “as regards, in particular, objective n. 1 [of the recalled understanding] relating to the validation [of the] list of clients in conditions of complexity and comorbidity (target population) for the purpose of making the Lists available on the Continuity of Care Portal, the General Managers of the Company pertaining to the individual are invited GP to provide INSIEL as soon as possible, as for previous years, the operational indication to make the relative functions visible only for those patients who have given their specific consent to the communication of their data to their GP”. It was also specified that, for this purpose, "ARCS has provided the methodological support for the preparation of the algorithm for defining the lists of fragile subjects belonging to the RUB 4 and 5 categories. The tool used by ARCS for the preparation of the algorithm does not contains patient name information but an anonymous numeric identifier, subject to change every 6 months. Within the syntactic rules used, an extraction filter was inserted for subjects belonging to the RUB 4 and 5 categories who had already given their consent to visibility by the GP. (...). The lists, already purged, are published by INSIEL, on behalf of the Healthcare Companies, for each GP who, being able to identify their patients, proceed with the validation of the same". With reference to the aforementioned personal data processing operations, the Region declared that "the identification of assisted persons and their inclusion in the lists finds the legal basis in the generic consent provided by the interested party and relating to the visibility by the GP". In relation to the need to draw up an impact assessment, it was also represented that "no initiative medicine activity can, therefore, be recognized in the activity described above and, consequently, no specific risk assessment activity is necessary primarily on the part of the Region, which in any case never has access to personal data, nor by the regional health authorities". 3. The legislation on the protection of personal data and the specific regulation of the relevant sectors According to the Regulation, "personal data" means "any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social" (art. 4, point 1, of the Regulation). Pseudonymisation means “the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and subject to technical and organizational measures intended to ensure that such personal data are not attributed to an identified or identifiable natural person" (Cons. 26 and art. 4 (5) of the Regulation). The legislation on the protection of personal data does not apply to "anonymous information, i.e. information that does not relate to an identified or identifiable natural person or to personal data made anonymous enough to prevent or no longer allow identification of the interested party” (see Cons. 26 of the Regulation and WP29 Opinion 05/2014 on Anonymisation techniques, adopted on 10 April 2014). Anonymised data is such only if it does not in any way allow the direct or indirect identification of a person, taking into account all the means (economic, information, technological resources, skills, time) available to whom (owner or other subject) try to use these tools to identify a data subject. Anonymisation cannot be considered achieved through the mere removal of the personal details of the interested party or their replacement with a pseudonymous code. An anonymisation process cannot effectively be defined as such if it is not suitable for preventing anyone using such data, in combination with "reasonably available" means, from: 1. isolate a person in a group (single-out); 2. link anonymised data to data referable to a person present in a separate set of data (linkability); 3. deduce new information referable to a person from anonymised data (inference) (cf. Opinion 05/2014 - WP 216 on anonymisation techniques, adopted on 10 April 2014). That said, the processing of personal data must take place in compliance with the established principles and additional rules of the Regulation and the relevant provisions of the Code. In relation to the case in question, reference is made to the principles of lawfulness, correctness and transparency and purpose limitation according to which personal data must be processed in a lawful, correct and transparent manner and collected for specific, explicit and legitimate purposes and subsequently processed in a way that is not incompatible with these purposes (Article 5, paragraph 1, letter a) and b), of the Regulation; see also Article 29 Data Protection Working Party, Opinion 03/2013 on purpose limitation of 2 April 2013).). More specifically, the Regulation provides for a general prohibition on the processing of particular categories of data, including those relating to the health of the data subjects, unless one of the particular exemptions from this prohibition pursuant to art. 9, par. 2 of the same Regulation. In this regard, the cases in which: - the interested party has given his explicit consent, except in cases where the law of the Union or of the Member States provides otherwise (Article 9, paragraph 2, letter a) of the Regulation); - the processing is necessary for reasons of substantial public interest on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject (Article 9, paragraph 2, letter g) of the Regulation). In this case, the art. 2-sexies of the Code according to which "the processing of particular categories of personal data pursuant to article 9, paragraph 1, of the Regulation, necessary for reasons of significant public interest pursuant to paragraph 2, letter g), of the same article, are allowed if they are provided for by European Union law or, in the internal legal system, by provisions of law or regulation or by general administrative acts that specify the types of data that can be processed, the operations that can be performed and the reason for relevant public interest, as well as appropriate and specific measures to protect the fundamental rights and interests of the data subject”; - the processing is necessary for the purposes of preventive medicine or occupational medicine, assessment of the employee's ability to work, diagnosis, assistance or health or social therapy or management of health or social systems and services on the basis of Union or State law states or in accordance with the contract with a health professional (Article 9, paragraph 2, letter h) and par. 3 of the Regulation and 75 of the Code; provision of the Guarantor containing Clarifications on the application of the regulations for the treatment of data relating to health in the healthcare sector of 7 March 2019 doc. website 9091942). With reference to the principle of transparency, the related information charges pursuant to articles 13 and 14 of the Regulation, according to which each treatment must be preceded by a suitable information also in order to allow the interested parties to exercise the rights due to them (art. 15-22 of the Regulation). This principle also requires that information and communications relating to the processing of personal data be made in a concise, transparent, intelligible and easily accessible form, with simple and clear language (cons. 39 and 58 and art. 12 of the Regulation). The Regulation also provides that "when a type of processing, when it involves in particular the use of new technologies, given the nature, object, context and purposes of the processing, may present a high risk for the rights and the freedoms of natural persons, the data controller carries out, before proceeding with the treatment, an assessment of the impact of the foreseen treatments on the protection of personal data. A single evaluation can examine a set of similar treatments that present similar high risks" (art. 35; Group art. 29 Guidelines n. 248 concerning "The assessment of the impact on data protection as well as the criteria for establishing whether a treatment" adopted in amended form on 4.10.2017). In this regard, it should be noted, from the outset, that this requirement has not been waived by the emergency regulations adopted with reference to the pandemic context, as can be seen, for example, from the authorization provided by the Authority on the impact assessment carried out by the Ministry of Health with reference to the treatments carried out within the national contact tracing system - App Immuni (see provisions of 1 June 2020, 25 February 2021 and 24 November 2022), as well as the provisions adopted on the matter in the emergency context (see provisions of 13 May 2021, web doc. No. 9685332, of 13 January 2022, web doc. No. 9744496). Noting that the initiative examined envisaged the extraction of data on the health of the patients from the Datawarehouse of the Company through the company Insiel SPA, an in-house ICT company of the Region, appointed as Data Processor, through the use of an algorithm provided by the regional agency for the coordination of health, the following is also highlighted. This activity determines the collection and processing of health data in order to create, with reference to specific pathologies (which, in the case in question, are those that can expose the most fragile assistants to contracting more serious infections from SARS Cov-2) , a health risk profile of the person concerned, useful for implementing preventive interventions to take charge of the patient. The activity of stratification of the health risk of the population is configured as an administrative activity prodromal to the care activity, consisting in taking charge of the patient, as it allows to classify the assisted persons considered to be at greater risk, in order to prepare in their compare an early and specific taking charge activity. 3.1 Stratification activities of the assisted population With specific reference to the treatments carried out by health bodies for purposes of public interest, also in the light of what is indicated by the Ministry of Health1 on the matter and supported by the Guarantor in the numerous provisions on the aforementioned subject), these treatment operations fall within the scope of the so-called "initiative medicine", even if addressed, in the present case, only to the emergency context. This is because, through these treatments, a stratification of the patients of the Regional Health Service is carried out on the basis of information relating to the individual state of health, for the relative placement in health risk classes, in order to identify assistance models aimed at the active promotion of health interventions that aim at an early taking charge of them (see also the aforementioned opinion on the draft law of the Autonomous Province of Trento which contains specific provisions on self-initiated medicine, of 8 May 2020, web doc. n. 9344635, opinion on the draft regulation relating to the implementing provisions of the Trentino provincial law for initiative medicine in the provincial health service, of 1 October 2020, web doc. n. 9469372, provision against the South East Tuscany Local Health Authority of 17 December 2020, web doc. n. 9529527, provisions n. 63, 64, 65, 66, 67, 65, 68, 69 and 70 of 24 February 2022 web doc. no. 9752177, 9752221, 9752260, 9752299, 9752410, 9752433, 9752490 and 9752524). 3.2. Patient care activities With specific reference to the purposes of treatment and prevention, it should be noted that the Guarantor has already highlighted that such treatments must be considered additional and independent of those strictly necessary for ordinary treatment and prevention activities (Article 9, paragraph 2, letter h ) of the Regulation), and therefore can only be carried out on the basis of the specific informed consent of the interested party (Article 9, paragraph 2, letter a) of the Regulation) (see ex multis, opinion on the draft law of the Autonomous Province of Trento which contains specific provisions on initiative medicine, of 8 May 2020, web doc. n. 9344635). 3.3. The treatments carried out through the electronic health record It should also be noted that through the Electronic Health Record (FSE) the aims set by the specific sector regulations can be pursued and in particular of: a) diagnosis, treatment and rehabilitation; a-bis) prevention; a-ter) international prophylaxis; b) study and scientific research in the medical, biomedical and epidemiological fields; c) health planning, verification of the quality of care and assessment of health care (art. 12, 18 October 2012, n. 179, converted with amendments into law 17 December 2012, n. 221, and dpcm 29 September 2015, n. 178). Among the aims that can be pursued through the ESF, therefore, the one relating to predictive or initiative medicine does not appear. In fact, even in the recent interventions carried out on the subject, the legislator has not extended this purpose to those that can be pursued through the ESF. The data accessible through the ESF, deprived of direct identification elements, may instead be processed by the Ministry of Health, also through interconnection with other data sources, for the purposes and with the methods that will be established by decree of the Minister of Health, which must be adopted with the opinion of the Guarantor, in compliance with the provisions of the Regulation, the Code, the Digital Administration Code and the guidelines of the Agency for Digital Italy on interoperability (Article 2-sexies, paragraph 1-bis) (see also opinions issued on 22 August 2022, n. 294 and 295 web doc. n. 9802752 and 9802729). The fact that the interested party's consent has been given to the processing of data present in the EHR for treatment purposes does not therefore legitimize the subjects who access this information tool to process the information contained therein to outline specific health risk profiles of the interested party. 3.4. Statistical activity Bearing in mind that during the preliminary investigation, reference was made to a "statistical stratification" activity, it should finally be noted that the processing of personal data, carried out for these purposes by subjects participating in the national statistical system (SISTAN), must in any case take place in compliance, not only with the pertinent provisions of the Regulation (articles 5, paragraph 1, letter c) and e) and 89) and of the Code (articles 2-sexies, paragraph 2, letter cc) and 104 et seq.), but also of the Deontological Rules for treatments for statistical or scientific research purposes carried out within the National Statistical System, Annex A4 to the Code, as well as the specific sector discipline referred to in Legislative Decree no. 322/1989, containing "Regulations on the National Statistical System and on the reorganization of the National Statistical Institute". 4. The disciplinary procedure Following the aforementioned findings, the Office, with deed no. XX of the XX, notified the Azienda Universitaria Friuli Centrale, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in article 58, paragraph 2, of the Regulation, inviting the aforesaid holder to produce defense writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law n. 689 of 11/24/1981). In particular, the Office has detected the existence of elements suitable for configuring, by the Friuli Centrale University Company, the violation of the legislation on the protection of personal data in relation to the processing of personal data relating to health, even if treated in pseudonymized form, in the absence of a suitable legal prerequisite and, therefore, in violation of the principles applicable to the treatment referred to in articles 5, par. 1 lit. a), b), 9, of the Regulation, as well as of the articles 2-sexies and 75 of the Code; in violation of the principle of transparency, not having provided the interested parties with specific information regarding such processing of personal data as envisaged by articles 13 and 14 of the Regulation; in violation of the owner's obligations regarding the impact assessment on the protection of personal data pursuant to art. 35 of the Regulation. With the note of the XX, prot. no. XX, the ASUFC sent its defense writings by advancing a formal request for a hearing. In the aforementioned writings, the Company further declared that the aforementioned resolution "attaches the memorandum of understanding between the Region and the OO.SS. of GPs (...), to which the objectives pursuant to point 8 of the two-year period 2021/21 are attached (...). As you can see, goal no. 1 refers to actions, pertaining to GPs, consisting of the «Validation of the list of patients in conditions of complexity and comorbidity (target population) published on the Care Continuity Portal». The objective specifies the following: «Lists defined by the ARCS epidemiological office made available in the Continuity of Care Portal by Insiel no later than 10 December 2020 as a preparatory condition for subsequent taking charge activities»". The Company has also changed its position in relation to the role assumed in relation to the processing of the data in question by declaring that "it cannot be considered the data controller with reference to the previous or subsequent operations of the processing chain, of which it neither determines nor the purposes nor the tools” and that “from this point of view, it is not clear how the ASUFC could escape the fulfillment of an agreement with the trade unions. of the MM.MM.GG., approved by the Regional Council, without exposing oneself to civil and tax liability". This except to declare further, in the same briefs, that "Given the context of the provision and considering the objectives of the RGPD, the art. 9, par. 2, lit. h) it must be considered as having direct effect, in the sense that it is suitable for attributing to a public healthcare company, such as the ASUFC, the right to process the data of its patients for the purposes indicated therein, in compliance with the provisions of the par. 3 and 4 of this provision" On the 20th date, the requested hearing was held in which, in addition to what has already been represented above, the Company declared in particular that: - “[...] The case goes beyond the paradigm of initiative medicine that the Guarantor most recently outlined in the Report to Parliament. In this case there is no stratification aimed at identifying new pathologies of the patients. The factual situation is as follows. At the end of 2020, according to the guidelines of the Ministry of Health and the Istituto Superiore di Sanità, it was deemed necessary to proceed with the vaccination of fragile subjects. The Region has therefore made an agreement with the GPs also in order to provide for the remuneration of the services provided. It was established that frail patients would be contacted again to be urged for the flu vaccination. Situation similar to what is done at national level for example. for "Regional Screenings" for which profiling is envisaged on which the Company will provide technical-operational details. - In our Region, among other things, there are some very small Municipalities in which GPs work with "ancient" methods therefore the Region has offered, through the "Continuity of care portal", to prepare the list of patients who have given consent to the visibility of the data contained in the FSE by the GP. The GP then contacted the fragile patients to invite them to get the vaccine. The data of the vaccinated subjects was returned by the GPs to the Region through the same Portal, an IT tool of the Region. - Asking for the consent of an entire population would have prevented the right to treatment and the salvation of life of patients under treatment. The Health Trusts are instrumental entities of the Region, so they could not oppose the treatment envisaged by the Regional Resolution. - The Care Continuity Portal is a regional tool that directly transfers data to GPs. We as a company pay GPs who have achieved the target set by the Region. The GP already knows the fragility of his patient. The Company simply pays the GP for any objectives achieved". It is worth highlighting here that the Office, in the context of the preliminary investigation started against the ASUFC, in acknowledging that the treatment in question had also involved the other regional health authorities, started a preliminary investigation against the latter, of the Regional Health Coordination Company of the Autonomous Region of Friuli Venezia Giulia and of the Friuli Venezia Giulia Region and of the company Insiel spa (note of the XX, prot. n. XX). In particular, the Office asked the Region and Insiel S.p.a. to indicate the specific databases from which the information used to carry out the aforementioned activity of stratification of the assisted was extracted and the related data controllers and processors; the type of information and clinical documents that have been processed for the stratification activity, highlighting any techniques used to ensure the non-identifiability, even indirectly, of the interested parties; the legal basis of the aforementioned treatments; the number of clients involved in the aforementioned stratification activity. In response to the aforementioned request for information, the Friuli Venezia Giulia Region, with a note of the XX (prot. n. XX), declared, in particular, that: - "the undersigned, as a superordinate body, manages the governance of the health infrastructure within the scope of its tasks of health planning, verification of the quality of care and evaluation of health care. Healthcare companies, for the area of their competence, are the owners of the data contained in the databases of the infrastructure pursuant to article 24 of the GDPR. ARCS is the Regional Health Coordination Company and carries out support and liaison activities between the Region and the Companies. Insiel S.p.A. is the in-house company appointed by the companies responsible pursuant to art. 28 of the GDPR”; - "to deal with the spread of infections and above all to prevent improper access to hospital facilities, in compliance with DL 23/2020 and DL 34/2020, it promoted vaccination by activating GPs on the basis of the agreement referred to in resolution no. 1737/2020”; - "In this process, the Region, signatory of the AIR agreement with the GPs, had the role of organization and government by delegating to the Healthcare Companies and to the GPs, holders for their respective areas of competence of the health data of their patients, as well as to the appointed, the implementation of the program envisaged by the AIR”; - "The cohort of subjects thus identified by each doctor therefore becomes the basis for the evaluation of subsequent activities: (...) if it has not already been compiled, as required by current legislation (The concept of of a synthetic health profile or "patient summary", which is the electronic health and social document drawn up and updated by the general practitioner or pediatrician of free choice, which summarizes the patient's clinical history and his known current situation. is to favor the continuity of care, allowing a rapid classification of the patient at the time of contact with the NHS)"; - "the lists made available to GPs, as expressly indicated in the AIR agreement, are defined using the tool called ACG through the selection of patients to whom the system has assigned RUB 4 and 5 classes". In particular, it has been shown that the "RUBs (Resource Utilization Bands) are synthetic measures of the degree of care complexity of a population understood in terms of expected consumption of resources" and that they "classify the level expected absorption of health resources, (...) and do not provide an economic quantification or a description of the type of expected resources".- The algorithm of the "Johns Hopkins ACG System is implemented (...) by Insiel which obtains the results" , i.e. the list of patients that has been provided to each general practitioner (GP) and in relation to their patients, which will be validated or modified, if necessary, on the basis of the information available to them. Insiel S.p.a., with a note dated XX (prot. n. XX), as head of the regional healthcare companies, declared, in particular, that: − “The information used to perform the requested processing activity was extracted from the regional data warehouse. Each Healthcare Company (ASU GI, ASU FC, AS FO) is the Data Controller of the personal data of its clients contained in the aforementioned regional data warehouse". The ARCS represented that Insiel would have fed the "Johns Hopkins ACG System" with input datasets, containing information on codified diagnoses, drugs taken, costs incurred by the SSR, age and gender (cf. ARCS note of the XX, protocol XX). According to what was declared in the deeds, the processed data were pseudonymized through the application of random numerical codes elaborated by ARCS for the attribution "of the filters on the Rub 4 and 5 classes and on the presence of consent to view the health record" and made available to the Insiel company. This company, "In order to communicate the data to each GP in relation to its patients, added the tax code, surname and name to the extraction and made the list of patients available on the regional application Portal of Continuity of Care according to the following path: − GP tax code − GP regional code − assisted tax code − assisted surname − assisted name − age class − integrated care plan − pneumococcal vaccines − ACG-RUB”. Finally, in relation to the number of patients involved in the aforementioned treatment operations, it was represented that the list consists of over 40,000 (of which 17,729 pertaining to ASUFC). In the light of these findings, the Office requested further information from the Region, Insiel S.p.a. and the regional health authorities regarding the specific databases through which Insiel fed the John Hopkins ACGsystem from which the information used to carry out the stratification activity of the patients in question was extracted, as well as to indicate whether the aforementioned databases owned by the individual healthcare companies correspond to those used by them to feed the ESF or, if not, to indicate from which databases (note of the XX, prot. n. XX). The Friuli Venezia Giulia Region, with a note of the XX (prot. n. XX), specified that "GPs could have independently drawn up the aforementioned lists where the completion of the patient summary had been concluded, which has not yet happened. Therefore, given the particular moment of emergency, the writer has provided indications to the authorized and enabled subjects to give GPs the necessary technical support for the definition of the lists". The Region also provided a note from Insiel S.p.a., of the XX (prot. n. XX), with which the Company indicated the databases used for the aforementioned activities, which also include those of the electronic health record. Therefore, the completion of the preliminary framework was only possible after the acquisition of the elements provided by all the data controllers involved in the matter in question. 5. Outcome of the preliminary investigation Having acknowledged what is represented by the Company in the documentation in the deeds and in the defense briefs, in the light of the aforementioned regulatory framework and what emerged in the context of the information acquired from the Friuli Venezia Giulia Region, from Insiel s.p.a. and by ARCS the preliminary assessments of the Office are confirmed, within the limits set out in the following reasons. 5.1 Absence of a suitable legal basis for the treatment The Company, in excluding that the treatments carried out relate to "initiative medicine" activities, argued that the same were based on a law related to the state of emergency and, in particular, in art. 1, first paragraph, of the d.l. 34/2020, where it is provided that "the regions and the autonomous provinces adopt plans to strengthen and reorganize the assistance network", as well as on the fourth paragraph of the same provision, according to which "the regions and the autonomous provinces, to guarantee the maximum level of assistance compatible with the needs of public health and safety of care in favor of infected subjects identified through health risk monitoring activities, as well as all fragile people whose condition is aggravated by the ongoing emergency, if they have not already done, they increase and direct the therapeutic and assistance actions at home level (...)". In this regard, it should be noted that the assumption of lawfulness of such treatments cannot be found in the aforementioned art. 1 of the legislative decree 34 of 2020, in consideration of the fact that this provision gives the regions the task of defining plans to strengthen and reorganize the care network for the implementation of which the activity of stratification of the health population through the use of algorithms or other artificial intelligence systems. As already reiterated by the Authority also in the opinion to the Council of State, the profiling of the user of the health service, be it regional or national, determining an automated processing of personal data aimed at analyzing and predicting the evolution of the health situation of the individual patient and any correlation with other elements of clinical risk (in this case, Sars Cov-2 infection), can only be carried out in compliance with specific requirements and adequate guarantees for the rights and freedoms of the interested parties (see art. 4, paragraph 1, no. 4 articles 13, paragraph 1, letter f); 14, par. 2, lit. g), 15, para. 1, lit. h) art. 21, par. 1 and 35, paragraph 3, lett. a) of the Regulation), or on the basis of a provision that has the requisites established by the regulations on the protection of personal data, referred to in the aforementioned article 2-sexies, paragraph 1, of the Code. The use of predictive medicine systems by the Ministry of Health has in fact been provided for by a specific regulatory provision, or by the aforementioned art. 7 of the so-called "Relaunch" decree (d.l. n. 34 of 2020), which expressly provides that the aforementioned Dicastery, within the scope of its institutional duties and in particular, of the functions relating to general guidelines and coordination in the field of prevention, diagnosis, treatment and rehabilitation of diseases, as well as technical health planning and guidance, coordination, monitoring of the regional technical health activity, can process personal data, also relating to the health of the patients, collected in the information systems of the National Health Service, for the development of predictive methodologies of the evolution health needs (art. 7, paragraph 1, legislative decree n. 34/20). This article refers to a regulation, to be adopted with a decree of the Minister of Health, subject to the opinion of the Guarantor, in which personal data are identified, also relating to the particular categories of data that can be processed, the operations that can be performed, the methods for acquiring data from the information systems of the subjects who hold them and the appropriate and specific measures to protect the rights of the interested parties, as well as the retention times of the processed data (Article 7, paragraph 2). Therefore, it is not possible to find the legal basis of the treatments carried out by the Company in the art. 1 of the legislative decree 34 of 2020, given that the legislator, precisely in this regulatory act, when he wanted to attribute institutional functions related to the development of predictive methodologies in the health sector to a public entity, did so expressly, identifying a regulatory path compliant with the provisions of the discipline in on the protection of personal data (art. 7). The aforementioned treatment operations cannot even fall within the category of those "necessary" for the care of the patient, pursuant to art. 9, par. 2 lett. h) of the Regulation and as indicated in the aforementioned provision of the Guarantor of 7 March 2019 doc. website 9091942). Finally, the aforementioned operations were not even based on the explicit consent of the interested parties by express admission of the Company itself which declared, in fact, that "Asking the consent of an entire population would have prevented the right to treatment and the saving of life of patients under treatment ”. Furthermore, with specific reference to the circumstance that only the data of those who have given their consent to consult the EHR would have been extracted from the Insiel company, taking into account the specific purposes pursued through the Dossier which do not include those of self-initiated medicine, it is represented that the consent expressed for the treatments carried out through the FSE cannot be considered a suitable prerequisite of lawfulness for the treatments in question carried out by the Company. Given all of the above, it has been ascertained that the Company, in its capacity as owner, has processed personal data, including those relating to the health of the patients of the regional health service, in the absence of a suitable legal basis and therefore in violation of the principles applicable to the processing and the provisions of articles 5, par. 1, lit. a), 9, of the Regulation, as well as of the art. 2-sexies of the Code. In this regard, taking into account that Insiel has extracted data on the health of patients from the Company's databases without the express authorization of the data controller, thus implementing the aforementioned regional resolution, it should be reiterated that the circumstance that a third party, in the event examination represented by the Region, asks an owner (Health Agency) also through the person in charge (Insiel) to carry out processing operations on personal data in respect of which the latter is the owner, also indicating the methods, does not exclude that it is up to this lastly, also on the basis of the principle of accountability (articles 5, paragraphs 2 and 24 of the Regulation), evaluate the legitimacy of the request and, in particular, the existence of a suitable legal basis to carry out the processing operations requested, both more than, in the present case, the aforesaid operations concerned data on the health of a large number of patients at a regional level through the use of algorithms ( see in particular provision of the Guarantor n. 63, 64, 65, 66, 67, 68, 69 and 70 of 24 February 2022, doc. web no. 9752177, 9752221, 9752260, 9752299, 9752410, 9752433, 9752490 and 9752524). It is also represented that, as highlighted in the 07/2020 Guidelines on the concepts of data controller and data processor of the EDPB of 7 July 2021, it is the task of the data controller, in this case the Company, to decide what the data controller must do in relation to personal data, who has the duty to comply with the instructions of the data controller, but also has the general obligation to comply with the sector legislation (paragraphs 139, 147). It is also up to the data controller to adopt the final decision approving the methods of carrying out the processing as well as requesting any changes (point 30 of the aforementioned Guidelines). Although the Company has not authorized the treatment linked to the stratification of the assisted population through the processing of data present in the databases it owns, at the state of the documents it does not appear that it has intervened against Insiel to prevent such treatment or to ask for it termination if deemed unlawful. 5.2. Information for interested parties In its defense briefs, the data controller has not provided clarifications regarding the dispute relating to the violation of the obligation to provide the interested parties with information on the processing of personal data pursuant to articles 13 and 14 of the Regulation. Given this, given that for the treatments carried out, none of the exemptions from the performance of this information obligation, pursuant to art. 14, par. 5 of the Regulation and that the data were obtained by the Company by accessing its Datawarehouses, the violation of the principle of transparency pursuant to art. 5, par. 1, lit. a) and in art. 14 of the Regulation. 5.3 Impact assessment The treatments carried out by the Company concerned data relating to the health of a large number of vulnerable subjects, therefore the position of the data controller cannot be shared on the basis of which a prior impact assessment, pursuant to art. 35 of the Regulation, it would not have been necessary, this having regard to the provisions of the aforementioned provision which establishes the circumstance in which the obligation to carry out this fulfillment exists, the criteria identified by the Group art. 29 in the Guidelines concerning "Guidelines on data protection impact assessment and determination of the possibility that the processing "may present a high risk" for the purposes of Regulation (EU) 2016/679, adopted on 4 April 2017 as amended and most recently adopted on 4 October 2017, as well as the numerous previous pronouncements of the Guarantor. Contrary to what was believed by the Company, the case in question falls within those for which the data controller is required to carry out, "before proceeding with the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data" (art. 35 of the Regulation). This is because, for the treatment in question, there are certainly two of the criteria indicated by the European Data Protection Committee to identify the cases in which a treatment must be the subject of an impact assessment. In particular, reference is made to the following criteria: processing of "sensitive data or data of a highly personal nature" and of "data relating to vulnerable data subjects" including patients (see Guidelines on impact assessment on data protection and determining whether the processing "may present a high risk" for the purposes of Regulation (EU) 2016/679 adopted on 4 April 2017, as amended and last adopted on 4 October 2017, and endorsed by the European Committee for data protection on 25 May 2018 - WP 248 rev.01, III, letter B, points 4 and 7). Furthermore, it is believed that, with reference to the present case, the criteria relating to the "processing of data on a large scale" may also be satisfied considering that, according to what was declared by the Company, the processing concerned over 17,000 data subjects and the use innovation or the application of new technological or organizational solutions (see the aforementioned Guidelines, III, letter B, points 5 and 8). The emergency provisions adopted in recent months provide for emergency interventions which involve the processing of data and which are the result of a delicate balance between public health needs and those relating to the protection of personal data, in accordance with the provisions of the Regulation for the pursuit of reasons of public interest in the sectors of public health (cf. art. 9, paragraph 1, letter i)). Of course, it remains understood that the processing of personal data connected to the management of the aforementioned health emergency must take place in compliance with the regulations in force on the protection of personal data and, in particular, with the principles applicable to the treatment, pursuant to articles 5 and 25, par. 2, of the Regulation, partially referred to above. Given this, it should be noted that the aforesaid emergency legislation has not derogated from the provisions on the protection of personal data relating to the assessment of the impact on data protection (Article 35 of the Regulation), as demonstrated by the numerous interventions by the Authority on the matter . In fact, the Guarantor intervened with reference to the impact assessment with reference to the treatments carried out in an emergency context in relation to the national contact tracing system - Immuni App (see provisions of 1 June 2020, 25 February 2021 and 24 November 2022), to the Covid-19 green certifications (so-called green pass, see opinion of 9 June 2021, web doc. n. 96680064, opinion of 31 August 2021, web doc. n. 9694010, opinion of 11 October 2021, web doc. n 9707431, of 27 January 2022, web doc. n. 9742129 and of 18 February 2022, web doc. n. 9746905) and to specific treatments carried out by Healthcare Companies in relation to the emergency from Covid-19 (see provisions of 13 May 2021, web doc. No. 9685332, of 13 January 2022, web doc. No. 9744496). Therefore, the violation of the obligation pursuant to art. 35 of the Regulation. 6. Conclusions In the light of the assessments referred to above, taking into account the statements made by the Company during the investigation and considering that, unless the fact constitutes a more serious offence, anyone who, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances o produces false deeds or documents and is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the duties or the exercise of the powers of the Guarantor", the elements provided by the data controller in the defense briefs do not allow to overcome all the findings notified by the Office with the act of initiation of the procedure, since none of the cases provided for by art. 11 of the Regulation of the Guarantor n. 1/2019. For these reasons, the preliminary assessments of the Office are confirmed and the illegality of the processing of personal data carried out by the Friuli Centrale University Company is noted in violation of the principles of processing pursuant to articles 5, par. 1 lit. a), 9, of the Regulation, as well as of the art. 2-sexies of the Code; in violation of the principle of transparency, not having provided the interested parties with specific information regarding such processing of personal data envisaged by art. 14 of the Regulation; in violation of the owner's obligations regarding the impact assessment on the protection of personal data pursuant to art. 35 of the Regulation. The violation of the aforementioned provisions also renders the administrative sanction envisaged by art. 83, par. 4 and 5 of the Regulation, pursuant to articles 58, par. 2, lit. i), and 83, par. 3, of the same Regulation. In this context, considering the absence of a suitable legal prerequisite for the processing of the data in question and that the ASUFC has not provided indications regarding the cancellation of the same, it is deemed necessary to enjoin the aforementioned Company, pursuant to art. . 58, par. 2, lit. d), of the Regulation, the cancellation of the data resulting from the aforementioned processing of the information present in the company databases covered by this provision to be completed within 90 days of the adoption of this provision. 7. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i and 83 of the Regulation; article 166, paragraph 7, of the Code) The violation of the articles 5 par. 1, lit. a), 9, 14 and 35 of the Regulation as well as of the art. of the articles 2-sexies of the Code, caused by the conduct of the Friuli Centrale University Company is subject to the application of the administrative pecuniary sanction, pursuant to art. 83, par. 4, lit. a) and 5, lett. a) and b) of the Regulation. The Guarantor, pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019). The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in art. 83, par. 1, of the Regulation, in the light of the elements provided for in art. 83, par. 2 of the Regulation. In relation to the violation of personal data notified by the data controller, pursuant to art. 33 of the Regulation, it is noted that: - the conduct involved data relating to the health of over 40,000 patients of the regional health service, of which over 17,000 from the ASUFC; - the treatment took place in the emergency context caused by the covid-19 pandemic; - the Guarantor has not received any reports or complaints from specific interested parties in relation to the question examined; - the Company cooperated fully with the Authority during the investigation and in this proceeding; - despite having been the recipient of another sanction measure, the same concerns other types of treatment (health dossier) with reference to which the controller operates through the same data processor (decision of despite having been the recipient of another sanction measure, the same concerns other cases of treatment (health dossier) with reference to which the data controller operates through the same data controller (provision of 26.5.2022, web doc. 9790365); Based on the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction provided for by art. 83, par. 4 letter. a) and 5, lett. a) and b) of the Regulation, in the amount of €55,000 (fifty-five thousand) for the violation of articles 5, par. 1 lit. a), 9, 14 and 35 of the Regulation, and of the art. 2 sexies of the Code, as a pecuniary administrative sanction withheld, pursuant to art. 83, par. 1 and 3, of the Regulation, effective, proportionate and dissuasive. It is also believed that the ancillary sanction of publication on the Guarantor's website of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, also in consideration of the type of personal data subject to unlawful processing. Finally, it should be noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. ALL THIS CONSIDERING THE GUARANTEE declares the illegality of the processing of personal data carried out by the Azienda Universitaria Friuli Centrale, for the violation of the art. 5, par. 1, lit. a), 9, 14 and 35 of the Regulation and of the art. 2-sexies of the Code in the terms set out in the justification. ORDER pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation, as well as art. 166 of the Code, to the Friuli Centrale University Company with registered office in Via Pozzuolo n° 330, 33100 Udine, C.F. and VAT number 02985660303, to pay the sum of €55,000 (fifty-five thousand) as an administrative fine for the violations indicated in this provision. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed. ENJOYS to the aforementioned Company: - in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €55,000 (fifty-five thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689/1981; - pursuant to art. 58, par. 2, lit. d), of the Regulation, to the Giuliano Isontina University Company within 90 days of notification of this provision, to proceed with the cancellation of the data resulting from the processing of the information present in the company databases covered by this provision. - pursuant to art. 58, par. 1 lit. a) of the Regulation and 157 of the Code, to communicate which initiatives have been undertaken in order to implement the above enjoined with this provision and in any case to provide adequately documented feedback, within 20 days of the expiry of the aforementioned term; any failure to reply may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation HAS pursuant to art. 166, paragraph 7, of the Code, the entire publication of this provision on the website of the Guarantor and believes that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. Pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 15 December 2022 PRESIDENT Station THE SPEAKER Zest THE SECRETARY GENERAL Matthew (1) By "initiative medicine" we mean a model of care oriented towards the "active promotion" of the health of the individual, especially if suffering from chronic diseases or disabilities, and towards empowering people in their own treatment path (source: Ministry of Health http://www.salute.gov.it/portale/temi/p2_6.jsp?id=496 &area=Cure%20primarie&menu=cure, see, among many references, Ministry of Health, General Assembly of the Superior Health Council , "Telemedicine - national guidelines", 10 July 2012, see par. 2.3.2, Decree 02 April 2015, n. 70 - Regulation establishing the definition of qualitative, structural, technological and quantitative standards relating to hospital assistance, Agreement between the Government, the Regions and the autonomous Provinces of Trento and Bolzano on the planning guidelines for the use by the Regions of the restricted resources pursuant to article 1, paragraphs 34 and 34 bis, of the law of 23 December 1996, n. 662 for the realization of the objectives activities of a priority nature and of national importance for the year 2014. SEE ALSO: Newsletter of January 24, 2023 [doc. web no. 9845156] Corrective and sanctioning measure against the Friuli Centrale University Company - 15 December 2022 Register of measures no. 416 of 15 December 2022 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE, "General Data Protection Regulation" (hereinafter "Regulation"); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter the “Code”); CONSIDERING the decree law of 19 May 2020, n. 34 law, converted with amendments into law 17 July 2020, n. 77, and, in particular, the art. 7 relating to predictive methodologies of the evolution of the population's health needs; CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019"); HAVING REGARD to the documentation in the deeds; HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000; Speaker the lawyer Guido Scorza; WHEREAS 1. Premise It has been reported to this Authority that the resolution of the Friuli Venezia Giulia Region Council, no. 1737 of 20 November 2020, instructed General Practitioners (hereinafter also GPs only) to validate, for the purpose of pro rata payment of part of the variable fee, "through the regional IT portal, a list of users/assisted patients previously identified by the Healthcare Authority, according to its own (unknown) criterion, such as in conditions of complexity and comorbidity for the (apparent) purpose of statistical stratification by filling in computer files in which to report personal bio-humoral data, therapies, pathological status, family addresses, conditions/ life habits, etc.”. Together with the report, a copy of the attachment to the aforementioned resolution was provided containing the "memorandum of understanding between the FVG Region and the trade union organizations of GPs for the regulation of relations for the two-year period 2020 -2021 and of the activities connected to the epidemiological emergency from Covid-19 ”. The first of the objectives indicated in the aforementioned report concerns the "stratification, complexity and comorbidities at high risk of major complications from Covid-19 infections", with respect to which in the "notes" section of the report synthetic indications are provided on the preparation of the lists of patients to be submitted to the initiative medicine plans and on the ways in which they are downloaded, through the company Insiel, "from the portal of continuity of care" and then made available to the health authorities. It was also reported that the aforementioned resolution would require GPs to communicate data on the health of their patients without the possibility for them to verify "whether the Healthcare Company has [previously] given consent" to the processing of their personal data for purposes of "statistical stratification", also highlighting how this specific discipline provides for "the anonymous transmission of data for statistical or administrative purposes". 2. The preliminary investigation In relation to the above, the Office has started a preliminary investigation (note of the XX, prot. n. XX) requesting the Friuli Venezia Giulia Region and the Friuli Centrale University Company (hereinafter respectively also just the Region or Company or ASUFC) specific information elements regarding in particular: the initiatives taken in order to ensure that the treatments necessary to carry out the aforesaid initiative medicine activities were implemented in compliance with the regulations on the protection of personal data, with particular reference to what is indicated in the provisions of the Guarantor adopted on the matter (Opinion to the Council of State on the new ways of allocating the health fund among the regions proposed by the Ministry of Health and based on population stratification, of 5 March 2020, web doc. n. 9304455, opinion on the draft law of the Autonomous Province of Trento containing specific provisions on proactive medicine, of 8 May 2020, web doc. No. 9344635, opinion on the draft regulation relating to the implementing provisions of the Trentino provincial law for proactive medicine in the provincial health service, of 1 ° October 2020, web doc. 9469372, provision dated 17 December 2020, web doc. n. 9529527; provision imenti of February 24, 2022 n. 63, 64, 65, 66, 67, 65, 68, 69 and 70, doc. web no. 9752177, 9752221, 9752260, 9752299, 9752410, 9752433, 9752490 and 9752524); the purposes pursued with the data processing envisaged by the report attached to the aforementioned resolution, and for each of them the relative legal basis of the processing, as well as the relative owners and managers, pursuant to articles 9, 24 and 28 of the Regulation; if the treatment, although aimed at the pursuit of treatment purposes, is not strictly necessary for this purpose, the methods of prior acquisition of the informed and explicit consent of the interested parties, pursuant to art. 9, par. 2, lit. a) of the Regulation; the description of the personal data flows indicated in the report attached to the aforementioned resolution, specifying whether the processing concerned health data or anonymous and aggregated data; the impact assessment carried out, pursuant to art. 35 of the Regulation, considering that we are dealing with large-scale processing of particular categories of personal data and therefore at high risk. With a note of the XX (prot. n. XX), the Company replied to the request for information declaring that: the activity referred to in the resolution of the Regional Council n. 1737 of 20 November 2020 cannot qualify as initiative medicine as defined by the Ministry of Health; this activity is based on the art. 1, first paragraph, of the d.l. 34/2020, where it is provided that "the regions and the autonomous provinces adopt plans to strengthen and reorganize the assistance network", as well as on the fourth paragraph of the same provision, according to which "the regions and the autonomous provinces, to guarantee the maximum level of assistance compatible with the needs of public health and safety of care in favor of infected subjects identified through health risk monitoring activities, as well as all fragile people whose condition is aggravated by the ongoing emergency, if they have not already done, they increase and direct the therapeutic and assistance actions at home level (...)"; "therefore, it is an activity that is based on a law related to the current state of emergency"; "The purpose pursued with the processing of data envisaged by the agreement attached to the resolution, as already anticipated, is the care of the patient by the GP, pursuant to art. 9, par. 2, lit. h) of the GDPR”; “The ASUFC is involved for a much more limited purpose, i.e. for the payment to the GP of the fees envisaged in relation to the measure of achievement of the objectives. The specific treatment by the Company is therefore based on the art. 9, par. 2, lit. i) and lett. g) and, in particular on the planning, management, control and evaluation of health care, including the establishment, management, planning and control of relations between the administration and the subjects accredited or affiliated with the NHS (art 2-sexies, second paragraph, letter V, Code)"; “the Friuli Centrale University Health Authority is the owner of the data used, extracted from its data warehouse”; “The algorithm used for data extraction is provided to Insiel by the Regional Agency for Coordination for Health. It provides that only the data of those who have given their consent to the consultation of the FSE by the GP can be extracted”; the list thus extracted of the patients was sent to the GPs for all the activities envisaged for the payment of the fee; "the Company did not deem it necessary to carry out an impact assessment, for the treatment of its competence, not recognizing a high risk for the rights and freedoms of natural persons, taking into consideration the nature, object, context and the purposes of the processing, given the emergency framework in which the processing itself is inserted"; “In conclusion: the treatment in question is based on a legal provision, concerns pseudonymized data in the extraction phase, pursues the purpose of care and, for the part of the Company's operational competence, has purposes of significant public interest; it is carried out in an emergency context, in order to protect all patients in a fragile condition, whose exposure to the virus could have lethal results". The Region, with note of the XX prot. no. XX stated that: “as regards, in particular, objective n. 1 [of the recalled understanding] relating to the validation [of the] list of clients in conditions of complexity and comorbidity (target population) for the purpose of making the Lists available on the Continuity of Care Portal, the General Managers of the Company pertaining to the individual are invited GP to provide INSIEL as soon as possible, as for previous years, the operational indication to make the relative functions visible only for those patients who have given their specific consent to the communication of their data to their GP”. It was also specified that, for this purpose, "ARCS has provided the methodological support for the preparation of the algorithm for defining the lists of fragile subjects belonging to the RUB 4 and 5 categories. The tool used by ARCS for the preparation of the algorithm does not contains patient name information but an anonymous numeric identifier, subject to change every 6 months. Within the syntactic rules used, an extraction filter was inserted for subjects belonging to the RUB 4 and 5 categories who had already given their consent to visibility by the GP. (...). The lists, already purged, are published by INSIEL, on behalf of the Healthcare Companies, for each GP who, being able to identify their patients, proceed with the validation of the same". With reference to the aforementioned personal data processing operations, the Region declared that "the identification of assisted persons and their inclusion in the lists finds the legal basis in the generic consent provided by the interested party and relating to the visibility by the GP". In relation to the need to draw up an impact assessment, it was also represented that "no initiative medicine activity can, therefore, be recognized in the activity described above and, consequently, no specific risk assessment activity is necessary primarily on the part of the Region, which in any case never has access to personal data, nor by the regional health authorities". 3. The legislation on the protection of personal data and the specific regulation of the relevant sectors According to the Regulation, "personal data" means "any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social" (art. 4, point 1, of the Regulation). Pseudonymisation means “the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and subject to technical and organizational measures intended to ensure that such personal data are not attributed to an identified or identifiable natural person" (Cons. 26 and art. 4 (5) of the Regulation). The legislation on the protection of personal data does not apply to "anonymous information, i.e. information that does not relate to an identified or identifiable natural person or to personal data made anonymous enough to prevent or no longer allow identification of the interested party” (see Cons. 26 of the Regulation and WP29 Opinion 05/2014 on Anonymisation techniques, adopted on 10 April 2014). Anonymised data is such only if it does not in any way allow the direct or indirect identification of a person, taking into account all the means (economic, information, technological resources, skills, time) available to whom (owner or other subject) try to use these tools to identify a data subject. Anonymisation cannot be considered achieved through the mere removal of the personal details of the interested party or their replacement with a pseudonymous code. An anonymisation process cannot effectively be defined as such if it is not suitable for preventing anyone using such data, in combination with "reasonably available" means, from: 1. isolate a person in a group (single-out); 2. link anonymised data to data referable to a person present in a separate set of data (linkability); 3. deduce new information referable to a person from anonymised data (inference) (cf. Opinion 05/2014 - WP 216 on anonymisation techniques, adopted on 10 April 2014). That said, the processing of personal data must take place in compliance with the established principles and additional rules of the Regulation and the relevant provisions of the Code. In relation to the case in question, reference is made to the principles of lawfulness, correctness and transparency and purpose limitation according to which personal data must be processed in a lawful, correct and transparent manner and collected for specific, explicit and legitimate purposes and subsequently processed in a way that is not incompatible with these purposes (Article 5, paragraph 1, letter a) and b), of the Regulation; see also Article 29 Data Protection Working Party, Opinion 03/2013 on purpose limitation of 2 April 2013).). More specifically, the Regulation provides for a general prohibition on the processing of particular categories of data, including those relating to the health of the data subjects, unless one of the particular exemptions from this prohibition pursuant to art. 9, par. 2 of the same Regulation. In this regard, the cases in which: - the interested party has given his explicit consent, except in cases where the law of the Union or of the Member States provides otherwise (Article 9, paragraph 2, letter a) of the Regulation); - the processing is necessary for reasons of substantial public interest on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject (Article 9, paragraph 2, letter g) of the Regulation). In this case, the art. 2-sexies of the Code according to which "the processing of particular categories of personal data pursuant to article 9, paragraph 1, of the Regulation, necessary for reasons of significant public interest pursuant to paragraph 2, letter g), of the same article, are allowed if they are provided for by European Union law or, in the internal legal system, by provisions of law or regulation or by general administrative acts that specify the types of data that can be processed, the operations that can be performed and the reason for relevant public interest, as well as appropriate and specific measures to protect the fundamental rights and interests of the data subject”; - the processing is necessary for the purposes of preventive medicine or occupational medicine, assessment of the employee's ability to work, diagnosis, assistance or health or social therapy or management of health or social systems and services on the basis of Union or State law states or in accordance with the contract with a health professional (Article 9, paragraph 2, letter h) and par. 3 of the Regulation and 75 of the Code; provision of the Guarantor containing Clarifications on the application of the regulations for the treatment of data relating to health in the healthcare sector of 7 March 2019 doc. website 9091942). With reference to the principle of transparency, the related information charges pursuant to articles 13 and 14 of the Regulation, according to which each treatment must be preceded by a suitable information also in order to allow the interested parties to exercise the rights due to them (art. 15-22 of the Regulation). This principle also requires that information and communications relating to the processing of personal data be made in a concise, transparent, intelligible and easily accessible form, with simple and clear language (cons. 39 and 58 and art. 12 of the Regulation). The Regulation also provides that "when a type of processing, when it involves in particular the use of new technologies, given the nature, object, context and purposes of the processing, may present a high risk for the rights and the freedoms of natural persons, the data controller carries out, before proceeding with the treatment, an assessment of the impact of the foreseen treatments on the protection of personal data. A single evaluation can examine a set of similar treatments that present similar high risks" (art. 35; Group art. 29 Guidelines n. 248 concerning "The assessment of the impact on data protection as well as the criteria for establishing whether a treatment" adopted in amended form on 4.10.2017). In this regard, it should be noted, from the outset, that this requirement has not been waived by the emergency regulations adopted with reference to the pandemic context, as can be seen, for example, from the authorization provided by the Authority on the impact assessment carried out by the Ministry of Health with reference to the treatments carried out within the national contact tracing system - App Immuni (see provisions of 1 June 2020, 25 February 2021 and 24 November 2022), as well as the provisions adopted on the matter in the emergency context (see provisions of 13 May 2021, web doc. No. 9685332, of 13 January 2022, web doc. No. 9744496). Noting that the initiative examined envisaged the extraction of data on the health of the patients from the Datawarehouse of the Company through the company Insiel SPA, an in-house ICT company of the Region, appointed as Data Processor, through the use of an algorithm provided by the regional agency for the coordination of health, the following is also highlighted. This activity determines the collection and processing of health data in order to create, with reference to specific pathologies (which, in the case in question, are those that can expose the most fragile assistants to contracting more serious infections from SARS Cov-2) , a health risk profile of the person concerned, useful for implementing preventive interventions to take charge of the patient. The activity of stratification of the health risk of the population is configured as an administrative activity prodromal to the care activity, consisting in taking charge of the patient, as it allows to classify the assisted persons considered to be at greater risk, in order to prepare in their compare an early and specific taking charge activity. 3.1 Stratification activities of the assisted population With specific reference to the treatments carried out by health bodies for purposes of public interest, also in the light of what is indicated by the Ministry of Health1 on the matter and supported by the Guarantor in the numerous provisions on the aforementioned subject), these treatment operations fall within the scope of the so-called "initiative medicine", even if addressed, in the present case, only to the emergency context. This is because, through these treatments, a stratification of the patients of the Regional Health Service is carried out on the basis of information relating to the individual state of health, for the relative placement in health risk classes, in order to identify assistance models aimed at the active promotion of health interventions that aim at an early taking charge of them (see also the aforementioned opinion on the draft law of the Autonomous Province of Trento which contains specific provisions on self-initiated medicine, of 8 May 2020, web doc. n. 9344635, opinion on the draft regulation relating to the implementing provisions of the Trentino provincial law for initiative medicine in the provincial health service, of 1 October 2020, web doc. n. 9469372, provision against the South East Tuscany Local Health Authority of 17 December 2020, web doc. n. 9529527, provisions n. 63, 64, 65, 66, 67, 65, 68, 69 and 70 of 24 February 2022 web doc. no. 9752177, 9752221, 9752260, 9752299, 9752410, 9752433, 9752490 and 9752524). 3.2. Patient care activities With specific reference to the purposes of treatment and prevention, it should be noted that the Guarantor has already highlighted that such treatments must be considered additional and independent of those strictly necessary for ordinary treatment and prevention activities (Article 9, paragraph 2, letter h ) of the Regulation), and therefore can only be carried out on the basis of the specific informed consent of the interested party (Article 9, paragraph 2, letter a) of the Regulation) (see ex multis, opinion on the draft law of the Autonomous Province of Trento which contains specific provisions on initiative medicine, of 8 May 2020, web doc. n. 9344635). 3.3. The treatments carried out through the electronic health record It should also be noted that through the Electronic Health Record (FSE) the aims set by the specific sector regulations can be pursued and in particular of: a) diagnosis, treatment and rehabilitation; a-bis) prevention; a-ter) international prophylaxis; b) study and scientific research in the medical, biomedical and epidemiological fields; c) health planning, verification of the quality of care and assessment of health care (art. 12, 18 October 2012, n. 179, converted with amendments into law 17 December 2012, n. 221, and dpcm 29 September 2015, n. 178). Among the aims that can be pursued through the ESF, therefore, the one relating to predictive or initiative medicine does not appear. In fact, even in the recent interventions carried out on the subject, the legislator has not extended this purpose to those that can be pursued through the ESF. The data accessible through the ESF, deprived of direct identification elements, may instead be processed by the Ministry of Health, also through interconnection with other data sources, for the purposes and with the methods that will be established by decree of the Minister of Health, which must be adopted with the opinion of the Guarantor, in compliance with the provisions of the Regulation, the Code, the Digital Administration Code and the guidelines of the Agency for Digital Italy on interoperability (Article 2-sexies, paragraph 1-bis) (see also opinions issued on 22 August 2022, n. 294 and 295 web doc. n. 9802752 and 9802729). The fact that the interested party's consent has been given to the processing of data present in the EHR for treatment purposes does not therefore legitimize the subjects who access this information tool to process the information contained therein to outline specific health risk profiles of the interested party. 3.4. Statistical activity Bearing in mind that during the preliminary investigation, reference was made to a "statistical stratification" activity, it should finally be noted that the processing of personal data, carried out for these purposes by subjects participating in the national statistical system (SISTAN), must in any case take place in compliance, not only with the pertinent provisions of the Regulation (articles 5, paragraph 1, letter c) and e) and 89) and of the Code (articles 2-sexies, paragraph 2, letter cc) and 104 et seq.), but also of the Deontological Rules for treatments for statistical or scientific research purposes carried out within the National Statistical System, Annex A4 to the Code, as well as the specific sector discipline referred to in Legislative Decree no. 322/1989, containing "Regulations on the National Statistical System and on the reorganization of the National Statistical Institute". 4. The disciplinary procedure Following the aforementioned findings, the Office, with deed no. XX of the XX, notified the Azienda Universitaria Friuli Centrale, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in article 58, paragraph 2, of the Regulation, inviting the aforesaid holder to produce defense writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law n. 689 of 11/24/1981). In particular, the Office has detected the existence of elements suitable for configuring, by the Friuli Centrale University Company, the violation of the legislation on the protection of personal data in relation to the processing of personal data relating to health, even if treated in pseudonymized form, in the absence of a suitable legal prerequisite and, therefore, in violation of the principles applicable to the treatment referred to in articles 5, par. 1 lit. a), b), 9, of the Regulation, as well as of the articles 2-sexies and 75 of the Code; in violation of the principle of transparency, not having provided the interested parties with specific information regarding such processing of personal data as envisaged by articles 13 and 14 of the Regulation; in violation of the owner's obligations regarding the impact assessment on the protection of personal data pursuant to art. 35 of the Regulation. With the note of the XX, prot. no. XX, the ASUFC sent its defense writings by advancing a formal request for a hearing. In the aforementioned writings, the Company further declared that the aforementioned resolution "attaches the memorandum of understanding between the Region and the OO.SS. of GPs (...), to which the objectives pursuant to point 8 of the two-year period 2021/21 are attached (...). As you can see, goal no. 1 refers to actions, pertaining to GPs, consisting of the «Validation of the list of patients in conditions of complexity and comorbidity (target population) published on the Care Continuity Portal». The objective specifies the following: «Lists defined by the ARCS epidemiological office made available in the Continuity of Care Portal by Insiel no later than 10 December 2020 as a preparatory condition for subsequent taking charge activities»". The Company has also changed its position in relation to the role assumed in relation to the processing of the data in question by declaring that "it cannot be considered the data controller with reference to the previous or subsequent operations of the processing chain, of which it neither determines nor the purposes nor the tools” and that “from this point of view, it is not clear how the ASUFC could escape the fulfillment of an agreement with the trade unions. of the MM.MM.GG., approved by the Regional Council, without exposing oneself to civil and tax liability". This except to declare further, in the same briefs, that "Given the context of the provision and considering the objectives of the RGPD, the art. 9, par. 2, lit. h) it must be considered as having direct effect, in the sense that it is suitable for attributing to a public healthcare company, such as the ASUFC, the right to process the data of its patients for the purposes indicated therein, in compliance with the provisions of the par. 3 and 4 of this provision" On the 20th date, the requested hearing was held in which, in addition to what has already been represented above, the Company declared in particular that: - “[...] The case goes beyond the paradigm of initiative medicine that the Guarantor most recently outlined in the Report to Parliament. In this case there is no stratification aimed at identifying new pathologies of the patients. The factual situation is as follows. At the end of 2020, according to the guidelines of the Ministry of Health and the Istituto Superiore di Sanità, it was deemed necessary to proceed with the vaccination of fragile subjects. The Region has therefore made an agreement with the GPs also in order to provide for the remuneration of the services provided. It was established that frail patients would be contacted again to be urged for the flu vaccination. Situation similar to what is done at national level for example. for "Regional Screenings" for which profiling is envisaged on which the Company will provide technical-operational details. - In our Region, among other things, there are some very small Municipalities in which GPs work with "ancient" methods therefore the Region has offered, through the "Continuity of care portal", to prepare the list of patients who have given consent to the visibility of the data contained in the FSE by the GP. The GP then contacted the fragile patients to invite them to get the vaccine. The data of the vaccinated subjects was returned by the GPs to the Region through the same Portal, an IT tool of the Region. - Asking for the consent of an entire population would have prevented the right to treatment and the salvation of life of patients under treatment. The Health Trusts are instrumental entities of the Region, so they could not oppose the treatment envisaged by the Regional Resolution. - The Care Continuity Portal is a regional tool that directly transfers data to GPs. We as a company pay GPs who have achieved the target set by the Region. The GP already knows the fragility of his patient. The Company simply pays the GP for any objectives achieved". It is worth highlighting here that the Office, in the context of the preliminary investigation started against the ASUFC, in acknowledging that the treatment in question had also involved the other regional health authorities, started a preliminary investigation against the latter, of the Regional Health Coordination Company of the Autonomous Region of Friuli Venezia Giulia and of the Friuli Venezia Giulia Region and of the company Insiel spa (note of the XX, prot. n. XX). In particular, the Office asked the Region and Insiel S.p.a. to indicate the specific databases from which the information used to carry out the aforementioned activity of stratification of the assisted was extracted and the related data controllers and processors; the type of information and clinical documents that have been processed for the stratification activity, highlighting any techniques used to ensure the non-identifiability, even indirectly, of the interested parties; the legal basis of the aforementioned treatments; the number of clients involved in the aforementioned stratification activity. In response to the aforementioned request for information, the Friuli Venezia Giulia Region, with a note of the XX (prot. n. XX), declared, in particular, that: - "the undersigned, as a superordinate body, manages the governance of the health infrastructure within the scope of its tasks of health planning, verification of the quality of care and evaluation of health care. Healthcare companies, for the area of their competence, are the owners of the data contained in the databases of the infrastructure pursuant to article 24 of the GDPR. ARCS is the Regional Health Coordination Company and carries out support and liaison activities between the Region and the Companies. Insiel S.p.A. is the in-house company appointed by the companies responsible pursuant to art. 28 of the GDPR"; - "to deal with the spread of infections and above all to prevent improper access to hospital facilities, in compliance with DL 23/2020 and DL 34/2020, it promoted vaccination by activating GPs on the basis of the agreement referred to in resolution no. 1737/2020"; - "In this process, the Region, signatory of the AIR agreement with the GPs, had the role of organization and government by delegating to the Healthcare Companies and to the GPs, holders for their respective areas of competence of the health data of their patients, as well as to the appointed, the implementation of the program envisaged by the AIR”; - "The cohort of subjects thus identified by each doctor therefore becomes the basis for the evaluation of subsequent activities: (...) if it has not already been compiled, as required by current legislation (The concept of of a synthetic health profile or "patient summary", which is the electronic health and social document drawn up and updated by the general practitioner or pediatrician of free choice, which summarizes the patient's clinical history and his known current situation. is to favor the continuity of care, allowing a rapid classification of the patient at the time of contact with the NHS)”; - "the lists made available to GPs, as expressly indicated in the AIR agreement, are defined using the tool called ACG through the selection of patients to whom the system has assigned RUB 4 and 5 classes". In particular, it has been shown that the "RUBs (Resource Utilization Bands) are synthetic measures of the degree of care complexity of a population understood in terms of expected consumption of resources" and that they "classify the level expected absorption of health resources, (...) and do not provide an economic quantification or a description of the type of expected resources".- The algorithm of the "Johns Hopkins ACG System is implemented (...) by Insiel which obtains the results" , i.e. the list of patients that has been provided to each general practitioner (GP) and in relation to their patients, which will be validated or modified, if necessary, on the basis of the information available to them. Insiel S.p.a., with a note dated XX (prot. n. XX), as head of the regional healthcare companies, declared, in particular, that: − “The information used to perform the requested processing activity was extracted from the regional data warehouse. Each Healthcare Company (ASU GI, ASU FC, AS FO) is the Data Controller of the personal data of its clients contained in the aforementioned regional data warehouse". The ARCS represented that Insiel would have fed the "Johns Hopkins ACG System" with input datasets, containing information on codified diagnoses, drugs taken, costs incurred by the SSR, age and gender (cf. ARCS note of the XX, protocol XX). According to what was declared in the deeds, the processed data were pseudonymized through the application of random numerical codes elaborated by ARCS for the attribution "of the filters on the Rub 4 and 5 classes and on the presence of consent to view the health record" and made available to the Insiel company. This company, "In order to communicate the data to each GP in relation to its patients, added the tax code, surname and name to the extraction and made the list of patients available on the regional application Portal of Continuity of Care according to the following path: − GP tax code − GP regional code − assisted tax code − assisted surname − assisted name − age class − integrated care plan − pneumococcal vaccines − ACG-RUB”. Finally, in relation to the number of patients involved in the aforementioned treatment operations, it was represented that the list consists of over 40,000 (of which 17,729 pertaining to ASUFC). In the light of these findings, the Office requested further information from the Region, Insiel S.p.a. and the regional health authorities regarding the specific databases through which Insiel fed the John Hopkins ACGsystem from which the information used to carry out the stratification activity of the patients in question was extracted, as well as to indicate whether the aforementioned databases owned by the individual healthcare companies correspond to those used by them to feed the ESF or, if not, to indicate from which databases (note of the XX, prot. n. XX). The Friuli Venezia Giulia Region, with a note of the XX (prot. n. XX), specified that "GPs could have independently drawn up the aforementioned lists where the completion of the patient summary had been concluded, which has not yet happened. Therefore, given the particular moment of emergency, the writer has provided indications to the authorized and enabled subjects to give GPs the necessary technical support for the definition of the lists". The Region also provided a note from Insiel S.p.a., of the XX (prot. n. XX), with which the Company indicated the databases used for the aforementioned activities, which also include those of the electronic health record. Therefore, the completion of the preliminary framework was only possible after the acquisition of the elements provided by all the data controllers involved in the matter in question. 5. Outcome of the preliminary investigation Having acknowledged what is represented by the Company in the documentation in the deeds and in the defense briefs, in the light of the aforementioned regulatory framework and what emerged in the context of the information acquired from the Friuli Venezia Giulia Region, from Insiel s.p.a. and by ARCS the preliminary assessments of the Office are confirmed, within the limits set out in the following reasons. 5.1 Absence of a suitable legal basis for the treatment The Company, in excluding that the treatments carried out relate to "initiative medicine" activities, argued that the same were based on a law related to the state of emergency and, in particular, in art. 1, first paragraph, of the d.l. 34/2020, where it is provided that "the regions and the autonomous provinces adopt plans to strengthen and reorganize the assistance network", as well as on the fourth paragraph of the same provision, according to which "the regions and the autonomous provinces, to guarantee the maximum level of assistance compatible with the needs of public health and safety of care in favor of infected subjects identified through health risk monitoring activities, as well as all fragile people whose condition is aggravated by the ongoing emergency, if they have not already done, they increase and direct the therapeutic and assistance actions at home level (...)". In this regard, it should be noted that the assumption of lawfulness of such treatments cannot be found in the aforementioned art. 1 of the legislative decree 34 of 2020, in consideration of the fact that this provision gives the regions the task of defining plans to strengthen and reorganize the care network for the implementation of which the activity of stratification of the health population through the use of algorithms or other artificial intelligence systems. As already reiterated by the Authority also in the opinion to the Council of State, the profiling of the user of the health service, be it regional or national, determining an automated processing of personal data aimed at analyzing and predicting the evolution of the health situation of the individual patient and any correlation with other elements of clinical risk (in this case, Sars Cov-2 infection), can only be carried out in compliance with specific requirements and adequate guarantees for the rights and freedoms of the interested parties (see art. 4, paragraph 1, no. 4 articles 13, paragraph 1, letter f); 14, par. 2, lit. g), 15, para. 1, lit. h) art. 21, par. 1 and 35, paragraph 3, lett. a) of the Regulation), or on the basis of a provision that has the requisites established by the regulations on the protection of personal data, referred to in the aforementioned article 2-sexies, paragraph 1, of the Code. The use of predictive medicine systems by the Ministry of Health has in fact been provided for by a specific regulatory provision, or by the aforementioned art. 7 of the so-called "Relaunch" decree (d.l. n. 34 of 2020), which expressly provides that the aforementioned Dicastery, within the scope of its institutional duties and in particular, of the functions relating to general guidelines and coordination in the field of prevention, diagnosis, treatment and rehabilitation of diseases, as well as technical health planning and guidance, coordination, monitoring of the regional technical health activity, can process personal data, also relating to the health of the patients, collected in the information systems of the National Health Service, for the development of predictive methodologies of the evolution health needs (art. 7, paragraph 1, legislative decree n. 34/20). This article refers to a regulation, to be adopted with a decree of the Minister of Health, subject to the opinion of the Guarantor, in which personal data are identified, also relating to the particular categories of data that can be processed, the operations that can be performed, the methods for acquiring data from the information systems of the subjects who hold them and the appropriate and specific measures to protect the rights of the interested parties, as well as the retention times of the processed data (Article 7, paragraph 2). Therefore, it is not possible to find the legal basis of the treatments carried out by the Company in the art. 1 of the legislative decree 34 of 2020, given that the legislator, precisely in this regulatory act, when he wanted to attribute institutional functions related to the development of predictive methodologies in the health sector to a public entity, did so expressly, identifying a regulatory path compliant with the provisions of the discipline in regarding the protection of personal data (art. 7). The aforementioned treatment operations cannot even fall within the category of those "necessary" for the care of the patient, pursuant to art. 9, par. 2 lett. h) of the Regulation and as indicated in the aforementioned provision of the Guarantor of 7 March 2019 doc. website 9091942). Finally, the aforementioned operations were not even based on the explicit consent of the interested parties by express admission of the Company itself which declared, in fact, that "Asking the consent of an entire population would have prevented the right to treatment and the saving of life of patients under treatment ”. Furthermore, with specific reference to the circumstance that only the data of those who have given their consent to consult the EHR would have been extracted from the Insiel company, taking into account the specific purposes pursued through the Dossier which do not include those of self-initiated medicine, it is represented that the consent expressed for the treatments carried out through the FSE cannot be considered a suitable prerequisite of lawfulness for the treatments in question carried out by the Company. Given all of the above, it has been ascertained that the Company, in its capacity as owner, has processed personal data, including those relating to the health of the patients of the regional health service, in the absence of a suitable legal basis and therefore in violation of the principles applicable to the processing and the provisions of articles 5, par. 1, lit. a), 9, of the Regulation, as well as of the art. 2-sexies of the Code. In this regard, taking into account that Insiel has extracted data on the health of patients from the Company's databases without the express authorization of the data controller, thus implementing the aforementioned regional resolution, it should be reiterated that the circumstance that a third party, in the event examination represented by the Region, asks an owner (Health Agency) also through the person in charge (Insiel) to carry out processing operations on personal data in respect of which the latter is the owner, also indicating the methods, does not exclude that it is up to this lastly, also on the basis of the principle of accountability (articles 5, paragraphs 2 and 24 of the Regulation), evaluate the legitimacy of the request and, in particular, the existence of a suitable legal basis to carry out the processing operations requested, both more than, in the present case, the aforesaid operations concerned data on the health of a large number of patients at a regional level through the use of algorithms ( see in particular provision of the Guarantor n. 63, 64, 65, 66, 67, 68, 69 and 70 of 24 February 2022, doc. web no. 9752177, 9752221, 9752260, 9752299, 9752410, 9752433, 9752490 and 9752524). It is also represented that, as highlighted in the 07/2020 Guidelines on the concepts of data controller and data processor of the EDPB of 7 July 2021, it is the task of the data controller, in this case the Company, to decide what the data controller must do in relation to personal data, who has the duty to comply with the instructions of the data controller, but also has the general obligation to comply with the sector legislation (paragraphs 139, 147). It is also up to the data controller to adopt the final decision approving the methods of carrying out the processing as well as requesting any changes (point 30 of the aforementioned Guidelines). Although the Company has not authorized the treatment linked to the stratification of the assisted population through the processing of data present in the databases it owns, at the state of the documents it does not appear that it has intervened against Insiel to prevent such treatment or to ask for it termination if deemed unlawful. 5.2. Information for interested parties In its defense briefs, the data controller has not provided clarifications regarding the dispute relating to the violation of the obligation to provide the interested parties with information on the processing of personal data pursuant to articles 13 and 14 of the Regulation. Given this, given that for the treatments carried out, none of the exemptions from the performance of this information obligation, pursuant to art. 14, par. 5 of the Regulation and that the data were obtained by the Company by accessing its Datawarehouses, the violation of the principle of transparency pursuant to art. 5, par. 1, lit. a) and in art. 14 of the Regulation. 5.3 Impact assessment The treatments carried out by the Company concerned data relating to the health of a large number of vulnerable subjects, therefore the position of the data controller cannot be shared on the basis of which a prior impact assessment, pursuant to art. 35 of the Regulation, it would not have been necessary, this having regard to the provisions of the aforementioned provision which establishes the circumstance in which the obligation to carry out this fulfillment exists, the criteria identified by the Group art. 29 in the Guidelines concerning "Guidelines on data protection impact assessment and determination of the possibility that the processing "may present a high risk" for the purposes of Regulation (EU) 2016/679, adopted on 4 April 2017 as amended and most recently adopted on 4 October 2017, as well as the numerous previous pronouncements of the Guarantor. Contrary to what was believed by the Company, the case in question falls within those for which the data controller is required to carry out, "before proceeding with the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data" (art. 35 of the Regulation). This is because, for the treatment in question, there are certainly two of the criteria indicated by the European Data Protection Committee to identify the cases in which a treatment must be the subject of an impact assessment. In particular, reference is made to the following criteria: processing of "sensitive data or data of a highly personal nature" and of "data relating to vulnerable data subjects" including patients (see Guidelines on impact assessment on data protection and determining whether the processing "may present a high risk" for the purposes of Regulation (EU) 2016/679 adopted on 4 April 2017, as amended and last adopted on 4 October 2017, and endorsed by the European Committee for data protection on 25 May 2018 - WP 248 rev.01, III, letter B, points 4 and 7). Furthermore, it is believed that, with reference to the present case, the criteria relating to the "processing of data on a large scale" may also be satisfied considering that, according to what was declared by the Company, the processing concerned over 17,000 data subjects and the use innovation or the application of new technological or organizational solutions (see the aforementioned Guidelines, III, letter B, points 5 and 8). The emergency provisions adopted over the last few months provide for emergency interventions which involve the processing of data and which are the result of a delicate balance between public health needs and those relating to the protection of personal data, in accordance with the provisions of the Regulation for the pursuit of reasons of public interest in the sectors of public health (cf. art. 9, paragraph 1, letter i)). Of course, it remains understood that the processing of personal data connected to the management of the aforementioned health emergency must take place in compliance with the regulations in force on the protection of personal data and, in particular, with the principles applicable to the treatment, pursuant to articles 5 and 25, par. 2, of the Regulation, partially referred to above. Given this, it should be noted that the aforementioned emergency legislation has not derogated from the provisions on the protection of personal data relating to the assessment of the impact on data protection (Article 35 of the Regulation), as demonstrated by the numerous interventions of the Authority on the subject . In fact, the Guarantor intervened with reference to the impact assessment with reference to the treatments carried out in an emergency context in relation to the national contact tracing system - Immuni App (see provisions of 1 June 2020, 25 February 2021 and 24 November 2022), to the Covid-19 green certifications (so-called green pass, see opinion of 9 June 2021, web doc. n. 96680064, opinion of 31 August 2021, web doc. n. 9694010, opinion of 11 October 2021, web doc. n 9707431, dated 27 January 2022, web doc. n. 9742129 and dated 18 February 2022, web doc. n. 9746905) and to specific treatments carried out by Healthcare Companies in relation to the emergency from Covid-19 (see provisions of 13 May 2021, web doc. No. 9685332, of 13 January 2022, web doc. No. 9744496). Therefore, the violation of the obligation pursuant to art. 35 of the Regulation. 6. Conclusions In the light of the assessments referred to above, taking into account the statements made by the Company during the investigation and considering that, unless the fact constitutes a more serious offence, anyone who, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances o produces false deeds or documents and is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the duties or the exercise of the powers of the Guarantor", the elements provided by the data controller in the defense briefs do not allow to overcome all the findings notified by the Office with the act of initiation of the procedure, since none of the cases provided for by art. 11 of the Regulation of the Guarantor n. 1/2019. For these reasons, the preliminary assessments of the Office are confirmed and the illegality of the processing of personal data carried out by the Friuli Centrale University Company is noted in violation of the principles of processing pursuant to articles 5, par. 1 lit. a), 9, of the Regulation, as well as of the art. 2-sexies of the Code; in violation of the principle of transparency, not having provided the interested parties with specific information regarding such processing of personal data envisaged by art. 14 of the Regulation; in violation of the owner's obligations regarding the impact assessment on the protection of personal data pursuant to art. 35 of the Regulation. The violation of the aforementioned provisions also renders the administrative sanction envisaged by art. 83, par. 4 and 5 of the Regulation, pursuant to articles 58, par. 2, lit. i), and 83, par. 3, of the same Regulation. In this context, considering the absence of a suitable legal prerequisite for the processing of the data in question and that the ASUFC has not provided indications regarding the cancellation of the same, it is deemed necessary to enjoin the aforementioned Company, pursuant to art. . 58, par. 2, lit. d), of the Regulation, the cancellation of the data resulting from the aforementioned processing of the information present in the company databases covered by this provision to be completed within 90 days of the adoption of this provision. 7. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i and 83 of the Regulation; article 166, paragraph 7, of the Code) The violation of the articles 5 par. 1, lit. a), 9, 14 and 35 of the Regulation as well as of the art. of the articles 2-sexies of the Code, caused by the conduct of the Friuli Centrale University Company is subject to the application of the administrative pecuniary sanction, pursuant to art. 83, par. 4, lit. a) and 5, lett. a) and b) of the Regulation. The Guarantor, pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019). The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in art. 83, par. 1, of the Regulation, in the light of the elements provided for in art. 83, par. 2 of the Regulation. In relation to the violation of personal data notified by the data controller, pursuant to art. 33 of the Regulation, it is noted that: - the conduct involved data relating to the health of over 40,000 patients of the regional health service, of which over 17,000 from the ASUFC; - the treatment took place in the emergency context caused by the covid-19 pandemic; - the Guarantor has not received any reports or complaints from specific interested parties in relation to the question examined; - the Company cooperated fully with the Authority during the investigation and in this proceeding; - despite having been the recipient of another sanction measure, the same concerns other types of treatment (health dossier) with reference to which the controller operates through the same data processor (decision of despite having been the recipient of another sanction measure, the same concerns other cases of treatment (health dossier) with reference to which the data controller operates through the same data controller (provision of 26.5.2022, web doc. 9790365); Based on the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction provided for by art. 83, par. 4 letter. a) and 5, lett. a) and b) of the Regulation, in the amount of €55,000 (fifty-five thousand) for the violation of articles 5, par. 1 lit. a), 9, 14 and 35 of the Regulation, and of the art. 2 sexies of the Code, as a pecuniary administrative sanction withheld, pursuant to art. 83, par. 1 and 3, of the Regulation, effective, proportionate and dissuasive. It is also believed that the ancillary sanction of publication on the Guarantor's website of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, also in consideration of the type of personal data subject to unlawful processing. Finally, it should be noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. ALL THIS CONSIDERING THE GUARANTEE declares the illegality of the processing of personal data carried out by the Azienda Universitaria Friuli Centrale, for the violation of the art. 5, par. 1, lit. a), 9, 14 and 35 of the Regulation and of the art. 2-sexies of the Code in the terms set out in the justification. ORDER pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation, as well as art. 166 of the Code, to the Friuli Centrale University Company with registered office in Via Pozzuolo n° 330, 33100 Udine, C.F. and VAT number 02985660303, to pay the sum of €55,000 (fifty-five thousand) as an administrative fine for the violations indicated in this provision. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed. ENJOYS to the aforementioned Company: - in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €55,000 (fifty-five thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689/1981; - pursuant to art. 58, par. 2, lit. d), of the Regulation, to the Giuliano Isontina University Company within 90 days of notification of this provision, to proceed with the cancellation of the data resulting from the processing of the information present in the company databases covered by this provision. - pursuant to art. 58, par. 1 lit. a) of the Regulation and 157 of the Code, to communicate which initiatives have been undertaken in order to implement the above enjoined with this provision and in any case to provide adequately documented feedback, within 20 days of the expiry of the aforementioned term; any failure to reply may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation HAS pursuant to art. 166, paragraph 7, of the Code, the entire publication of this provision on the website of the Guarantor and believes that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. Pursuant to art. 78 of the Regulation, of the articles 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 15 December 2022 PRESIDENT Station THE SPEAKER Zest THE SECRETARY GENERAL Matthew (1) By "initiative medicine" we mean a model of care oriented towards the "active promotion" of the health of the individual, especially if suffering from chronic diseases or disabilities, and towards empowering people in their own treatment path (source: Ministry of Health http://www.salute.gov.it/portale/temi/p2_6.jsp?id=496 &area=Cure%20primarie&menu=cure, see, among many references, Ministry of Health, General Assembly of the Superior Health Council , "Telemedicine - national guidelines", 10 July 2012, see par. 2.3.2, Decree 02 April 2015, n. 70 - Regulation establishing the definition of qualitative, structural, technological and quantitative standards relating to hospital assistance, Agreement between the Government, the Regions and the autonomous Provinces of Trento and Bolzano on the planning guidelines for the use by the Regions of the restricted resources pursuant to article 1, paragraphs 34 and 34 bis, of the law of 23 December 1996, n. 662 for the realization of the objectives activities of a priority nature and of national importance for the year 2014.