Garante per la protezione dei dati personali (Italy) - 9938463

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 9 GDPR
Article 12 GDPR
Article 15 GDPR
Article 16 GDPR
Article 17 GDPR
Article 18 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 31.08.2023
Published:
Fine: 10,000 EUR
Parties: n/a
National Case Number/Name: 9938463
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: ar

The Italian DPA fined a medical centre €10,000 after a complaint was lodged by the data subject. It was found that the PCR test results of the data subject contained incorrect personal data, breaching Article 5(1)(a) GDPR and Article 5(1)(d) GDPR. Furthermore, since the result was first mistakenly sent to the e-mail address of an unauthorised third party, the controller also breached Article 9 GDPR, as well as Article 5(1)(f) GDPR and Article 32 GDPR.

English Summary

Facts

A data subject lodged a complaint with the Italian DPA over the failure of a medical centre (the data controller) to comply with his requests to exercise his rights as a data subject. The data subject explained that he had requested from the data controller access to the results of his PCR test for COVID-19, after which it emerged that the PCR test results had initially been sent to the wrong email address. Additionally, the data subject realised that the results showed the wrong date of birth and tax ID code. He therefore asked the data controller to rectify the data under Article 16 GDPR, to erase them under Article 17 GDPR and to restrict their processing under Article 18 GDPR, without hearing back.

Following the complaint, the DPA invited the data controller to comply with the data subject's requests.

In response to the DPA, the controller stated that the swab had been processed by a centre accredited by the Lombardy Region (the data processor), which, when signing the agreements with the controller, had declared itself to be the processor and had undertaken to process sensitive data correctly on the controller's behalf. In addition, the controller claimed that it could not be ascertained whether the owner of the email address to which the results were first sent had accessed the data subject's data, and argued that, even if they had, the results could not have been attributed to the data subject because the report contained inaccurate personal data. Lastly, the controller added that, since the medical centre had been removed from the commercial register, it was no longer carrying out any activity or processing the personal data in question.

Following this submission, the DPA adopted its decision.

Holding

Firstly, the DPA noted that the controller had processed some of the complainant's data, including his date of birth and tax ID code, in disregard of the principle of accuracy. It appeared from the evidence that the controller had communicated the incorrect personal data of the data subject to the processor, thus causing the processor to issue the data subject's test results with such inaccurate personal data. The DPA recalled that the data controller is required to process data lawfully, fairly and transparently, that the data must be accurate and, where necessary, kept up to date, and that all reasonable measures must be taken to ensure that inaccurate data are erased or rectified without delay. Hence, the DPA found a breach of Article 5(1)(a) GDPR and Article 5(1)(d) GDPR.

Additionally, the DPA found that the controller had sent the results of the data subject's PCR test to the e-mail address of an unauthorised third party, in breach of Article 9 GDPR, as well as of the security obligations under Article 5(1)(f) GDPR and Article 32 GDPR. The DPA noted that, even if the incident occurred as a result of a human error in transcribing the e-mail address, this constituted a critical issue attributable to negligence, which led to the failure to comply with the security obligations imposed by the GDPR and disclosed health-related data without a legal basis.

Lastly, the DPA found that the controller did not reply to the requests made to exercise the rights of the complainant within one month from the receipt of the request and provided a response only following the DPA's invitation to comply, breaching Article 12 GDPR, Article 15 GDPR, Article 16 GDPR, Article 17 GDPR and Article 18 GDPR.

Thus, due to the aforementioned breaches, the DPA fined the controller €10,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9938463]

Provision of 31 August 2023

Register of measures
n. 389 of 31 August 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC" (hereinafter “Code”);

HAVING REGARD TO Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46/EC";

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and on www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation on file;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker: Prof. Ginevra Cerrina Feroni;

PREMISE

1. The complaint and the investigative activity

With a complaint made to the Authority, Mr. XX complained of an alleged violation of the regulations on the protection of personal data by the individual company "Mednow Medical Center di Giugni Marco" - C.F. XX, resident in XX, XX - as data controller. In particular, the complainant complained of having exercised the rights referred to in articles 15 to 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation"), on XX and XX, and of not having received a response.

In particular, the complainant represented that he had requested access to his personal data, the rectification and erasure (articles 15, 16 and 17 of the Regulation) of some inaccurate data - as the report of a sample taken by the aforementioned health facility "reported incorrect identification data of the interested party (date of birth and tax code)" - as well as the restriction of the same (art. 18 of the Regulation).

Following this complaint, the Office addressed to the above-mentioned individual company an invitation to comply with the complainant's requests, and with a note dated XX the data controller provided feedback, regarding which, however, the complainant himself, with a note dated XX, made observations to the data controller and the Authority. In this circumstance, the complainant also highlighted that the report regarding the outcome of the molecular swab, carried out at the data controller's premises, had initially been sent to an email address that did not correspond to the one provided by the complainant at the time of booking the clinical examination.

With note dated XX (prot. n. XX), the Office, taking into account these observations, requested information from the aforementioned company, pursuant to art. 157 of Legislative Decree 30 June 2003, n. 196, containing the “Code regarding the protection of personal data” (hereinafter “Code”).

With note dated XX, the data controller, in providing the requested elements, declared, among other things, that:

- “The individual enterprise Mednow Medical Center of Giugni Marco, C.F. XX, was canceled from the Company Register on 04/05/2022 (…);

- Mr. XX, on XX, booked a molecular swab to be performed at his home, completing the attached form (...);

- the swab was processed by a center accredited by the Lombardy Region (XX), (...), which, upon signing the agreements with Mednow Medical Center of Giugni Marco, declared itself responsible for the processing and undertook to correctly process sensitive data on behalf of the latter (…);

- regarding the reported sending of the swab result to a different address, to date, it is not known whether the sending to this single different address actually led to access to the personal data contained therein by third parties;

- In any case, as highlighted by Mr. XX, the Data Controller indicated above made a mistake in the transcription of the C.F. and of the date of birth, indicating XX instead of XX: consequently, it is undisputed that that report (the same one sent as an attachment to the incorrect email) could not be traced back to Mr. XX, precisely due to the presence of inaccurate personal data;

- (...) as far as is known, there were no consequences prejudicial to the rights and freedoms of the interested party, Mr. XX, as it does not appear that the content of the aforementioned email was communicated or disseminated to third parties and, even where read, it could not be traced back to the interested party in question;

- furthermore, as far as is known, Mr. XX himself has not raised with the undersigned any further complaints relating to any consequences of the dispute in question;

- regarding, however, the incorrect indication of some data on the swab, it is noted that this error is attributable to XX, which incorrectly filled out the swab report, indicating an incorrect year of birth and tax code read from the document produced (…). As soon as this error was noted, Mednow Medical Center promptly requested - by telephone - the correction of the error (...);

- it is also specified that immediately following Mr. XX's complaints, through its own defender, Mednow Medical Center offered the payment of a sum as a settlement (...), which however was not followed up;

- following the cancellation of the individual company from the Business Register, the Data Controller no longer carried out any activity and therefore no processing of personal data".

In light of what was declared, the Office, with note dated XX, requested information, pursuant to art. 157 of the Code, from XX, the data processor, which, in response, declared, among other things, and documented the following:

- "on the fact that the complainant's report contained inaccurate data "in the transcription of the tax code and in the date of birth, indicating XX, instead of XX", no responsibility can be attributed to the undersigned, who limited itself to transposing, for the purposes of the reporting, the data provided by Marco Giugni's Mednow Medical Center (...). Therefore, any error in the transcription of data should be sought ab origine, at the time of acceptance of the patient by Marco Giugni's Mednow Medical Center";

- “We have not received any request for data correction from Marco Giugni's Mednow Medical Center”;

- "we acknowledge that the contractual relationship established at the time of the facts with Marco Giugni's Mednow Medical Center has now ceased".

2. The Office's assessments of the processing carried out and notification of the violation referred to in art. 166, paragraph 5, of the Code

On the basis of the documentation produced and the declarations made, the Office, with note dated XX (prot. n. XX), taking into account the cancellation of the individual company "Mednow Medical Center di Giugni Marco", notified the latter, as data controller, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation. In particular, the Office found that Marco Giugni, owner of the individual business "Mednow Medical center di Giugni Marco" and data controller:

- did not respond to the requests to exercise the rights of the interested party made on XX and XX and provided feedback - considered, in any case, unsuitable by the interested party - only following the Office's invitation to comply, on XX; this, in violation of art. 12, in relation to articles 15, 16, 17 and 18 of the Regulation;

- processed some of the complainant's data (date of birth and tax code), present in the report of the examination carried out by the latter, in breach of the principle of accuracy, in violation of art. 5, paragraph 1, letter d) of the Regulation;

- sent the report regarding the outcome of the clinical examination carried out by the interested party to the email address of an unauthorized third party, in violation of art. 9 of the Regulation, as well as of the security obligations referred to in art. 5, paragraph 1, letter f) and art. 32 of the same Regulation.

This is based on the following assessments.

First of all, at the time the requests to exercise the rights pursuant to articles 15 to 22 of the Regulation were sent by the interested party, the individual company mentioned above was still in business, as the cancellation from the business register took place on XX. The requests, as represented by the complainant, were sent on XX and XX. In relation to these requests, it appears that the data controller did not provide feedback. In particular, the interested party requested access to his personal data, the rectification and erasure (articles 15, 16 and 17 of the Regulation) of some inaccurate data - as the report of the aforementioned sampling which the complainant had undergone "reported incorrect identification data of the interested party (date of birth and tax code)" - as well as the restriction of the same (art. 18 of the Regulation). Only following the Authority's invitation to comply was a response provided, on XX, which was, however, deemed unsuitable by the complainant himself.

As regards the contested inaccuracy of the data, it turned out that the communication by the data controller to the XX clinical analysis laboratory, the data processor - which carried out the analyses and reporting of the biological samples for the "Mednow Medical Center of Giugni Marco" - of inaccurate personal data of the interested party (date of birth and tax code) caused this clinical analysis laboratory to issue the report (relating to the examination carried out by the interested party) containing such inaccurate data.

Finally, with regard to the first sending via email - by the data controller - of the report (containing the inaccurate data mentioned above) to another address not corresponding to that of the interested party, complained of by the complainant, it appears from the documents to have been confirmed several times by the data controller himself.

The Office, in addition to contesting the above, also invited the data controller to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).

With a note dated XX (prot. n. XX), the data controller, Marco Giugni, produced a defense brief, in which he highlighted, among other things, that:

“At the time of the facts under examination, the epidemiological situation was characterized by high levels of incidence with a slowly but continuously growing mortality rate. By way of example and not exhaustively, it is enough to remember that the covid bulletin of 12.17.2021 recorded in Lombardy: 5,590 positives and 26 victims, with a positivity rate of +3.8%; 146,245 swabs carried out and 2,075 new cases were recorded in Milan and its province alone (doc. 2)”;

“With Legislative Decree no. 221 of 12.24.2021, the national state of emergency was extended and the adoption of further measures to contain the spread of the Covid epidemic was established. This, in a nutshell, is the pandemic picture at the time of the events. It was deemed necessary to remind this Department of what the emergency situation was at the time of the events, believing that the episode, the subject of this proceeding, cannot be adequately assessed if not contextualised within a period which, we all hope, remains unique for its peculiarity”;

“(…) it is believed that the evaluation of a single and not repeated material transcription error, caused by human conduct in absolute good faith, must be contextualized and also traced back and evaluated in light of the significant amount of work that in the month of December XX characterized the activity of the then individual company of which the undersigned was the owner. In that period and in the immediately following period of January XX, MedNow was literally overwhelmed with requests and was subjected to a very intense volume of work in order to try to best satisfy the very high demand coming from the community. As also widely confirmed by the Covid bulletin referring to the month of January XX, which is produced as doc. 3). The lack of responses to the complainant's requests made on XX and XX is placed in this context”;

“By the complainant's own admission, Mr XX, the error regarding the tax code and date of birth was made by XX in his capacity as data controller. XX, responsible for reporting the molecular swab, made a mistake in reporting - date of birth and tax code - from the form filled out by the complainant to the report (see doc. 2). Thus effectively making that report not attributable to the complainant himself (...)";

“The complainant's report was sent to the email address of an unauthorized third party. This circumstance is unfortunately incontrovertible. What remains controversial is the fact that that error, due to human conduct and free from malice, caused damage to the complainant. It cannot be ignored that proof has not been produced that the report sent to the email address of an unauthorized third party was actually communicated or disseminated to unauthorized third parties. Moreover, it cannot be ignored that even in the denied and disbelieved hypothesis in which that report had been communicated and disseminated to unauthorized third parties, it still could not have been traced back to the complainant due to the incorrectly reported personal data";

“The individual company of which the undersigned was the owner at the time of the episode being discussed was canceled from the business register on 04.5.2022. A circumstance which completely excludes a possible and unfortunate repetition of the conduct, even if it was accidental. A circumstance which would make the application of a possible sanction particularly punitive as well as, as already reiterated, superfluous given that the report - for the reasons set out above - is not referable to the complainant".

"In relation to the measures carried out to mitigate the effects of the violation for the interested party, it is specified that, at present, there has been neither news nor proof that the interested party has actually suffered effects/consequences/damages from the violation in question".

3. Outcome of the preliminary investigation

Having taken note of what is represented by the data controller in the documentation on file and in the defense briefs, the following is observed.

3.1 Data being processed

Personal data means “any information relating to an identified or identifiable natural person (“data subject”)” and “health data” means “personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health" (art. 4, paragraph 1, nos. 1 and 15 of the Regulation). The latter data deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (Recital No. 51). The data processed in the case in question, relating to healthcare services provided to the complainant, are therefore considered data relating to health.

3.2 Compliance with the principles applicable to the processing and, in particular, with the principle of accuracy (art. 5, paragraph 1, letters a) and d) of the Regulation)

The owner, based on the provisions of the Regulation, is required to process such data in a lawful, correct and transparent manner towards the interested party (principle of "lawfulness, correctness and transparency"); the data must be “accurate and, if necessary, updated; all reasonable measures must be taken to promptly erase or rectify data that is inaccurate in relation to the purposes for which they were processed (“accuracy”)” (art. 5, par. 1, letters a) and d) of the Regulation). In relation to this, the owner alleged that the XX clinical analysis laboratory, the data processor, "made a mistake in reporting - date of birth and tax code - from the form filled out by the complainant to the report"; in reality, from the documents produced during this proceeding by the data controller (see email - dated XX - attached to the response provided by the data controller to the request for information formulated by the Guarantor pursuant to art. 157 of the Code), it appears that the individual company communicated to this processor the inaccurate personal data of the interested party (specifically: date of birth and tax code: XX - XX, instead of XX - XX), thus causing this clinical analysis laboratory to issue the report relating to the interested party containing such inaccurate personal data.

3.3 Sending the report to the email address of a third party in the absence of a legal basis and in failure to comply with the security obligations relating to the processing (articles 5, letter f), 32 and 9 of the Regulation)

With reference to the sending, by the data controller, of the "(...) report of the complainant (...) to the email address of an unauthorized third party", the Regulation provides that the data controller is required to respect the principles regarding the protection of data, including that of "integrity and confidentiality", according to which personal data must be "processed in a way that guarantees adequate security (...), including protection, through adequate technical and organizational measures, from unauthorized or unlawful processing and from accidental loss, destruction or damage” (art. 5, par. 1, letter f) of the Regulation); furthermore, the owner himself must implement "adequate technical and organizational measures to guarantee a level of security adequate to the risk", taking into account, among other things, "the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons" (art. 32 of the Regulation).

The owner, in the above-mentioned findings and memorandum provided to the Authority, claimed to have sent the "(...) report of the complainant (...)  to the email address of an unauthorized third party": although the event which occurred was determined by a human error in transcribing the email address of the interested party, this constitutes, however, a critical issue attributable to negligence, which materialized, in this circumstance, in the failure to comply with the security obligations imposed by the Regulation, as well as, as explained below, in a communication of data relating to health in the absence of a legal basis (with regard to negligence, see “Guidelines regarding the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) No. 2016/679” adopted on 3 October 2017, paragraph III, letter b) and "Guidelines 04/2022 on the calculation of administrative pecuniary sanctions pursuant to the GDPR - Version adopted on 24 May 2023", chap. IV, point 4.2.2).

Considering, then, the content of the email in question, it is noted that the regulations on the protection of personal data provide - in the healthcare sector - that information on the state of health can be communicated only to the interested party and can be communicated to third parties only on the basis of a suitable legal basis or upon written delegation by the interested party (art. 9 of the Regulation and art. 84 of the Code in conjunction with art. 22, paragraph 11, Legislative Decree 10 August 2018, n. 101). In light of this, the described conduct, consisting in sending the email to which the report referring to the complainant was attached to the address of an unauthorized recipient, constitutes an illicit communication of data relating to health. Furthermore, no proof was produced by the data controller that this email reached an inactive address, and the argument put forward by the owner, according to which "It cannot be ignored that even in the denied and not believed hypothesis in which that report had been communicated and disseminated to unauthorized third parties, however, it could not have been traced back to the complainant due to the incorrectly reported personal data", cannot be accepted as an excuse in attributing responsibility for the illicit communication in question since, although the tax code and date of birth contained in the report had been erroneously transcribed, the report nevertheless contained other data correctly referring to the complainant, such as to make him identifiable (name and surname, telephone number, etc.) (art. 4, paragraph 1, no. 1 of the Regulation).

3.4 Failure to respond to the request to exercise the rights (article 12 in relation to articles 15, 16, 17 and 18 of the Regulation).

In terms of information, communications and transparent methods for exercising the rights of the interested party, art. 12, par. 3 of the Regulation establishes that the data controller must respond to the interested party's request, made pursuant to the articles. from 15 to 22 of the Regulation, without unjustified delay and, in any case, at the latest within one month of receipt of the same. This deadline may be extended by two months, if necessary, taking into account the complexity and number of requests, it being understood that the interested party must be informed of this extension and of the reasons for the delay within one month of receipt of the request.

If the data controller does not comply with the data subject's request, the data controller must, in any case, inform the data subject without delay and, at the latest, within one month of receiving the request, of the reasons for non-compliance and of the possibility of lodging a complaint with a Supervisory Authority and of lodging a judicial appeal (recital 59 and art. 12, par. 4, of the Regulation).

In relation to the requests to exercise the rights referred to in articles 15 to 22 of the Regulation submitted by the interested party on XX and XX, it is ascertained that the owner did not provide feedback, except following the Authority's invitation to comply. This feedback, provided on XX, was, however, considered unsuitable by the complainant.

In relation to the above, we consider, however, what was highlighted by the data controller in the defense brief, with regard to the epidemiological emergency of the last two years, for which the conduct of the data controller must be evaluated "(...) in light of the significant amount of work that in the month of December XX characterized the activity of the then individual company of which the undersigned was the owner. In that period and in the immediately following period of January XX, MedNow was literally overwhelmed with requests and was subjected to a very intense volume of work in order to try to best satisfy the very high demand coming from the community. As also widely confirmed by the Covid bulletin referring to the month of January XX (...)".

4. Conclusions

In light of the assessments set out above, taking into account the declarations made and the documentation produced during the investigation, and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), the elements provided by the data controller in the defense briefs referred to above are not suitable to accept the request for dismissal, as they do not allow the findings notified by the Office with the aforementioned document initiating the proceedings to be overcome.

Therefore, in relation to the matter complained of by the complainant, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by Marco Giugni, former owner of the individual company "Mednow Medical Center di Marco Giugni", is noted, as it is ascertained that the data controller:

a) processed some of the complainant's data (date of birth and tax code) in breach of the principle of accuracy, in violation of art. 5, paragraph 1, letter d) of the Regulation;

b) sent the report regarding the outcome of the clinical examination carried out by the interested party to the email address of an unauthorized third party, in violation of art. 9 of the Regulation, as well as of the security obligations referred to in art. 5, paragraph 1, letter f) and art. 32 of the same Regulation;

c) did not respond to the requests to exercise the rights of the interested party made on XX and XX; on XX, following the Authority's invitation to comply, provided feedback, which was, however, considered unsuitable by the interested party himself; this, in violation of art. 12, in relation to articles 15, 16, 17 and 18 of the Regulation.

In the framework outlined above, considering that the owner's conduct has exhausted its effects, as the latter has ceased the entrepreneurial activity to which the violations described above are attributable, deleting the individual business from the business register on XX, and, also, that the state of emergency - in relation to which the complainant's request for rectification of the swab report for the detection of Covid-19 assumed relevance - established by the Council of Ministers from 31 January 2020 ceased on 31 March 2022 (Decree-Law n. 24 of 24 March 2022), the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation do not currently exist.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (art. 58(2)(i) and art. 83 of the Regulation; art. 166(7) of the Code).

The violation of arts. 5(1)(d) and (f), 9, and 12 in relation to arts. 15, 16, 17 and 18, as well as art. 32 of the Regulation, is subject to the pecuniary administrative sanction pursuant to art. 83(4)(a) and art. 83(5)(a) and (b) of the Regulation (art. 166(1) and (2) of the Code).

It should be considered that the Guarantor, pursuant to art. 58(2)(i) and art. 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16(1) of Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined in an amount that takes into account the principles of effectiveness, proportionality and dissuasiveness set out in art. 83(1) of the Regulation, in light of the elements provided for in art. 83(2) of the Regulation, in relation to which it is noted that:

- these were isolated incidents (the unlawful acts referred to in points a), b) and c) of paragraph 4 above) and, according to the controller's declarations, "the same (...) (complainant) did not raise with the undersigned any further complaints relating to any consequences of the dispute in question" (art. 83(2)(a) of the Regulation);

- with reference to the unlawful acts referred to in points a) and b) of paragraph 4 above, it was a case of "(...) material transcription error, caused by human conduct in absolute good faith" (art. 83(2)(b) of the Regulation);

- the controller has shown that he cooperated with the Authority (art. 83(2)(f) of the Regulation);

- there are no relevant previous violations committed by the data controller (art. 83(2)(e) of the Regulation);

- the controller's conduct, with regard to the unlawful acts referred to in points a), b) and c), dates back to the period of greatest spread of the Covid-19 pandemic, so the error made by the data controller appears partially excusable in view of the particular operational difficulty in which he found himself operating. The conduct must, in fact, be evaluated "(...) in light of the significant amount of work that in the month of December XX characterized the activity of the then individual company of which the undersigned was the owner. In that period and in the immediately following period of January XX, MedNow was literally overwhelmed with requests and was subjected to a very intense volume of work in order to try to best satisfy the very high demand coming from the community. As also widely confirmed by the Covid bulletin referring to the month of January XX (...)" (art. 83(2)(k) of the Regulation).

On the basis of the aforementioned elements, evaluated as a whole, it is considered necessary to set the amount of the pecuniary sanction provided for by art. 83(5) of the Regulation at 10,000.00 (ten thousand) euros for the violation of arts. 5(1)(d) and (f), 9, and 12 in relation to arts. 15, 16, 17 and 18, as well as art. 32 of the Regulation, this being a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83(1) of the Regulation.

It is also considered that the accessory sanction of publication of this provision on the Guarantor's website, provided for by art. 166(7) of the Code and art. 16 of Guarantor Regulation no. 1/2019, should be applied, also in consideration of the nature of the data involved in the unlawful conduct.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE ABOVE CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by Marco GIUGNI – C.F. XX, resident in XX, XX, former owner of the sole proprietorship "Mednow Medical Center di Marco Giugni", deleted from the business register on 5 April 2022, for violation of arts. 5(1)(d) and (f), 9, and 12 in relation to arts. 15, 16, 17 and 18, as well as art. 32 of the Regulation;

ORDERS

pursuant to arts. 58(2)(i) and 83 of the Regulation, as well as art. 166 of the Code, Marco Giugni, resident in XX, XX – C.F. XX, to pay the sum of 10,000.00 (ten thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision; it is noted that the offender, pursuant to art. 166(8) of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ENJOINS

the aforementioned data controller, in the event of failure to settle the dispute pursuant to art. 166(8) of the Code, to pay the sum of 10,000.00 (ten thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement measures pursuant to art. 27 of Law no. 689/1981.

PROVIDES FOR

pursuant to art. 166(7) of the Code, the publication in full of this provision on the Guarantor's website, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, on pain of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 31 August 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE GENERAL SECRETARY
Mattei

[doc. web no. 9938463]

Provision dated 31 August 2023

Register of measures
n. 389 of 31 August 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stazione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regarding the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (hereinafter “Code”);

HAVING REGARD TO Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the freedom circulation of such data and repealing Directive 95/46/EC";

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette. n. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation in the documents;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker: Prof. Ginevra Cerrina Feroni;

PREMISE

1. The complaint and the investigative activity

With a complaint made to the Authority, Mr. XX complained of an alleged violation of the regulations on the protection of personal data by the individual company "Mednow Medical Center di Giugni Marco" - C.F. XX, resident in XX, XX - as data controller. In particular, the complainant complained of having exercised the rights referred to in the articles. from 15 to 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation"), dated XX and XX, and that I have not received a response.

In particular, the complainant represented that he had requested access to his personal data, the rectification and cancellation (articles 15, 16 and 17 of the Regulation) of some inaccurate data - as the report of a withdrawal carried out by the the aforementioned health facility "reported incorrect identification data of the interested party (date of birth and tax code)" - as well as the limitation of the same (art. 18 of the Regulation).

Subsequent to this complaint, the Office addressed the above-mentioned individual company with an invitation to comply with the complainant's requests and with a note dated XX, this owner provided feedback regarding which, however, the complainant himself, with a note dated XX , made observations to the owner and the Authority. In this circumstance, the complainant also highlighted that the report regarding the outcome of the molecular swab, carried out at the data controller's premises, had initially been sent to an email address that did not correspond to the one issued by the complainant at the time of booking the clinical examination.

With note dated XX (prot. n. XX), the Office, taking into account these observations, requested information from the aforementioned company, pursuant to art. 157 of Legislative Decree 30 June 2003, n. 196, containing the “Code regarding the protection of personal data” (hereinafter “Code”).

With note dated XX, the data controller, in providing the requested elements, declared, among other things, that:

- “The individual enterprise Mednow Medical Center of Giugni Marco, C.F. XX, was canceled from the Company Register on 04/05/2022 (…);

- Mr. XX, on XX, booked a molecular swab to be performed at his home, completing the attached form (...);

- the swab was processed by a center accredited by the Lombardy Region (XX), (...), which, upon signing the agreements with Mednow Medical Center of Giugni Marco, declared itself responsible for the processing and undertook to correctly process sensitive data on behalf of the latter (…);

- regarding the reported sending of the swab result to a different address, to date, it is not known whether the sending to this single different address actually led to access to the personal data contained therein by third parties;

- In any case, as highlighted by Mr. XX, the Data Controller indicated above made a mistake in the transcription of the C.F. and in the date of birth, indicating XX instead of XX: consequently, that report (the same one sent as an attachment to the incorrect email) is undisputed that it could not be traced back to Mr. XX, precisely due to the presence of inaccurate personal data;

- (...) as far as is known, there were no consequences prejudicial to the rights and freedom of the interested party, Mr. XX, as it does not appear that the content of the aforementioned email was communicated or disseminated to third parties and, even where read , could not be traced back to the interested party in question;

- furthermore, as far as is known, Mr. XX himself has not complained to the undersigned of any further complaints relating to any consequences of the dispute in question;

- regarding, however, the incorrect indication of some data on the swab, it is noted that this error is attributable to XX and that he incorrectly filled out the swab report indicating the year of birth and tax code. incorrect, reading them from the document produced (…). As soon as this error was noted, Mednow Medical Center promptly requested - by telephone - the correction of the error (...);

- it is also specified that immediately following Mr. XX's complaints, through its own defender, Mednow Medical Center offered the payment of a sum as a settlement (...), which however was not followed up;

- following the cancellation of the individual company from the Business Register, the Data Controller no longer carried out any activity and therefore no processing of personal data".

In light of what was declared, the Office, with note dated XX, requested information, pursuant to art. 157 of the Code, to XX, data controller, who, in response, declared, among other things, and documented the following:

- "on the fact that the complainant's report contained inaccurate data "in the transcription of the tax code and in the date of birth, indicating XX, instead of XX", no responsibility can be attributed to the undersigned, who limited itself to transposing, for the purposes of the reporting, the data provided by Marco Giugni's Mednow Medical Center (...). Therefore, any error in the transcription of data should be sought ab origine, at the time of acceptance of the patient by Marco Giugni's Mednow Medical Center";

- “We have not received any request for data correction from Marco Giugni's Mednow Medical Center”;

- "we acknowledge that the contractual relationship established at the time of the facts with Marco Giugni's Mednow Medical Center has now ceased".

2. Department assessments on the processing carried out and notification of the violation referred to in the art. 166, paragraph 5, of the Code

On the basis of the documentation produced and the declarations made, the Office, with note dated XX (prot. n. XX), taking into account the cancellation of the individual company "Mednow Medical Center di Giugni Marco", notified the latter, as data controller, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation. In particular, the Office found that Marco Giugni, owner of the individual business "Mednow Medical center di Giugni Marco" and data controller:

- did not respond to the requests to exercise the rights of the interested party made on XX and XX and provided feedback - considered, in any case, unsuitable by the interested party - only following the invitation to join from the Office, on XX; this, in violation of the art. 12, in relation to the articles. 15, 16, 17 and 18 of the Regulation;

- processed some of the complainant's data (date of birth and tax code), present in the report of the examination carried out by the latter, in failure to comply with the principle of accuracy, in violation of the articles. 5, paragraph 1, letter. d) of the Regulation;

- sent the report regarding the outcome of the clinical examination carried out by the interested party to the email address of an unauthorized third party, in violation of the art. 9 of the Regulation, as well as the safety obligations referred to in art. 5, paragraph 1, letter. f) and art. 32, of the same Regulation.

This is based on the following assessments.

First of all, at the time of sending the requests to exercise the rights pursuant to the articles. from 15 to 22 of the Regulation, put forward by the interested party, the individual company mentioned above was still in business, as the cancellation from the business register took place on XX. The applications, as represented by the complainant, were sent on XX and XX. In relation to these requests, it appears that the data controller has not provided feedback. In particular, the interested party requested access to his personal data, the rectification and cancellation (articles 15, 16 and 17 of the Regulation) of some inaccurate data - as the report of the aforementioned sampling to which he had subjected the complainant "reported incorrect identification data of the interested party (date of birth and tax code)" - as well as the limitation of the same (art. 18 of the Regulation). Only following the Authority's invitation to join, was a response provided, on date XX, which was, however, deemed unsuitable by the complainant himself.

As regards the profile of the contested inaccuracy of the data, it turned out that the communication by the owner to the XX clinical analysis laboratory, responsible for the processing - which carried out the analyzes and reporting of the biological samples for the "Mednow Medical Center of Giugni Marco” - of inaccurate personal data of the interested party (date of birth and tax code), has determined, by this clinical analysis laboratory, the processing of the report (relating to the examination carried out by the interested party) reporting such data inaccurate.

Finally, with regard to the first sending via email - by the data controller - of the report (reporting the inaccurate data mentioned above) to another address not corresponding to that of the interested party, complained by the complainant, it appears, from the documents, to have been confirmed several times by the same owner.

The Office, in addition to contesting the above, also invited the data controller to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).

With a note dated XX (prot. n. XX), the data controller, Marco Giugni, produced a defense brief, in which he highlighted, among other things, that:

“At the time of the facts under examination, the epidemiological situation was characterized by high levels of incidence with a slowly but continuously growing mortality rate. By way of example and not exhaustively, it is enough to remember that the covid bulletin of 12.17.2021 recorded in Lombardy: 5,590 positives and 26 victims, with a positivity rate of +3.8%; 146,245 swabs carried out and 2,075 new cases were recorded in Milan and its province alone (doc. 2)”;

“With Legislative Decree no. 221 of 12.24.2021, the national state of emergency was extended and the adoption of further measures to contain the spread of the Covid epidemic was established. This, in a nutshell, is the pandemic picture at the time of the events. It was deemed necessary to remind this Department of what the emergency situation was at the time of the events, believing that the episode, the subject of this proceeding, cannot be adequately assessed if not contextualised within a period which, we all hope, remains unique for its peculiarity”;

"(...) it is believed that the evaluation of a single and not repeated material transcription error, caused by human conduct in absolute good faith must be contextualized and also traced back and evaluated in light of the significant amount of work that in the month of December XX characterized the activity of the then individual company of which the undersigned was the owner. In that period and in the immediately following period of January XX, MedNow was literally overwhelmed with requests and was subjected to a very intense volume of work in order to try to best satisfy the very high demand coming from the community. As also widely confirmed by the Covid bulletin referring to the month of January XX, which is produced as doc. 3). The lack of responses to the complainant's requests made on dates XX and XX are placed in this context;

“By the complainant's own admission, Mr XX, the error regarding the tax code and date of birth was made by XX in his capacity as data controller. XX, responsible for reporting the molecular swab, made a mistake in reporting - date of birth and tax code - from the form filled out by the complainant to the report (see doc. 2). Thus effectively making that report not attributable to the complainant himself (...)";

“The complainant's report was sent to the email address of an unauthorized third party. This circumstance is unfortunately incontrovertible. What remains controversial is the fact that that error, due to human conduct and free from malice, caused damage to the complainant. It cannot be ignored that proof has not been produced that the report sent to the email address of an unauthorized third party was actually communicated or disseminated to unauthorized third parties. It's still. It cannot be ignored that even in the denied and disbelieved hypothesis in which that report had been communicated and disseminated to unauthorized third parties, it still could not have been traced back to the complainant due to the incorrectly reported personal data";

“The individual company of which the undersigned was the owner at the time of the episode being discussed was canceled from the business register on 04.5.2022. A circumstance which completely excludes a possible and unfortunate repetition of the conduct, even if it was accidental. A circumstance which would make the application of a possible sanction particularly punitive as well as, as already reiterated, ultra-ultraneous given that the report - for the reasons set out above - is not referable to the complainant".

"In relation to the measures carried out to mitigate the effects of the violation for the interested party, it is specified that, at present, there has been neither news nor proof that the interested party has actually suffered effects/consequences/damages from the violation in question".

3. Outcome of the preliminary investigation

Having taken note of what is represented by the data controller in the documentation in the documents and in the defense briefs, the following is observed.

3.1 Data being processed

Personal data means “any information relating to an identified or identifiable natural person (“data subject”)” and “health data” means “personal data relating to the physical or mental health of a natural person, including the of health care, which reveal information relating to your state of health" (art. 4, paragraph 1, no. 1 and 15 of the Regulation). The latter data deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (Recital No. 51). The data processed in the case in question, relating to healthcare services provided to the complainant, are therefore considered data relating to health.

3.2 Compliance with the principles applicable to the processing and, in particular, with the principle of accuracy (art. 5, paragraph 1, letters a) and d) of the Regulation)

The owner, based on the provisions of the Regulation, is required to process such data in a lawful, correct and transparent manner towards the interested party (principle of "lawfulness, correctness and transparency"); the data must be “accurate and, if necessary, updated; all reasonable measures must be taken to promptly erase or rectify data that is inaccurate in relation to the purposes for which they were processed (“accuracy”)” (art. 5, par. 1, letters a and d) of the Regulation). In relation to this, the owner alleged that the XX clinical analysis laboratory, responsible for the processing "made a mistake in reporting - date of birth and tax code - from the form filled out by the complainant to the report"; in reality, from the documents produced during this proceeding by the data controller (see email - dated XX - attached to the response provided by the data controller to the request for information formulated by the Guarantor pursuant to art. 157 of the Code), it appears that the individual company has communicated to this manager the inaccurate personal data of the interested party (specifically: date of birth and tax code: XX - XX, instead of XX - XX, thus determining, on the part of this clinical analysis laboratory, the processing of the report relating to the interested party reporting such personal data inaccuracies.

3.3 Sending the report to the email address of a third party in the absence of a legal basis and in failure to comply with the security obligations relating to the processing (articles 5, letter f), 32 and 9 of the Regulation)

With reference to the sending, by the data controller, of the "(...) report of the complainant (...)  to the email address of an unauthorized third party", the Regulation provides that the data controller is required to respect the principles regarding protection of data including that of "integrity and confidentiality", according to which personal data must be "processed in a way that guarantees adequate security (...), including protection, through adequate technical and organizational measures, from unauthorized processing or illicit and from accidental loss, destruction or damage” (art. 5, par. 1, letter f) of the Regulation); furthermore, the owner himself must implement "adequate technical and organizational measures to guarantee a level of security adequate to the risk", taking into account, among other things, "the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons" (art. 32 of the Regulation).

The owner, in the above-mentioned findings and memorandum provided to the Authority, claimed to have sent the "(...) report of the complainant (...)  to the email address of an unauthorized third party": although the event which occurred was determined by a human error in transcribing the email address of the interested party, this constitutes, however, a critical issue attributable to negligence, which materialized, in this circumstance, in the failure to comply with the security obligations imposed by the Regulation, as well as, as explained below, in a communication of data relating to health in the absence of a legal basis (with regard to negligence, see “Guidelines regarding the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) No. 2016/679” adopted on 3 October 2017, paragraph III, letter b) and "Guidelines 04/2022 on the calculation of administrative pecuniary sanctions pursuant to the GDPR - Version adopted on 24 May 2023", chap. IV, point 4.2.2).

Considering, then, the content of the email in question, it is noted that the regulations on the protection of personal data provide - in the healthcare sector - that information on the state of health can be communicated only to the interested party and can only be communicated to third parties. on the basis of a suitable legal basis or upon written delegation of the interested party (art. 9 Regulation and art. 84 of the Code in conjunction with art. 22, paragraph 11, Legislative Decree 10 August 2018, n. 101) . In light of this, the described conduct consisting in sending the email to which the report referring to the complainant was attached, to the address of an unauthorized recipient, constitutes an illicit communication of data relating to health. Furthermore, no proof was produced by the data controller that the sending of this email reached a non-active address and the argument put forward by the owner, for which "It cannot be ignored that even in the denied and not believed hypothesis in which that report had been communicated and disseminated to unauthorized third parties, however, it could not have been traced back to the complainant due to the incorrectly reported personal data", cannot be accepted as an excuse for the attribution of responsibility for the illicit communication in question since, although the tax code and date of birth contained in the report had been erroneously transcribed, in this report there were, however, other data correctly referring to the complainant, such as to make him identifiable (name and surname, telephone number, etc.) (art. 4, paragraph 1, no. 1 of the Regulation).

3.4 Failure to respond to the request to exercise the rights (article 12 in relation to articles 15, 16, 17 and 18 of the Regulation).

In terms of information, communications and transparent methods for exercising the rights of the interested party, art. 12, par. 3 of the Regulation establishes that the data controller must respond to the interested party's request, made pursuant to the articles. from 15 to 22 of the Regulation, without unjustified delay and, in any case, at the latest within one month of receipt of the same. This deadline may be extended by two months, if necessary, taking into account the complexity and number of requests, it being understood that the interested party must be informed of this extension and of the reasons for the delay within one month of receipt of the request.

If the data controller does not comply with the data subject's request, the data controller must, in any case, inform the data subject without delay and, at the latest, within one month of receiving the request, of the reasons for non-compliance and the possibility of lodging a complaint. to a Supervisory Authority and to lodge a judicial appeal (cons. 59 and art. 12, par. 4, of the Regulation).

In relation to requests to exercise the rights referred to in the articles. from 15 to 22 of the Regulation submitted by the interested party on XX and XX, it is ascertained that the owner did not provide feedback, except following the Authority's invitation to join. This feedback, provided on XX, was, however, considered unsuitable by the complainant.

In relation to the above, we consider, however, what was highlighted by the data controller in the defense brief, with regard to the epidemiological emergency of the last two years, for which the conduct of the data controller must be evaluated "(...) in light of the significant amount of work that in the month of December XX characterized the activity of the then individual company of which the undersigned was the owner. In that period and in the immediately following period of January XX, MedNow was literally overwhelmed with requests and was subjected to a very intense volume of work in order to try to best satisfy the very high demand coming from the community. As also widely confirmed by the Covid bulletin referring to the month of January XX (...)".

4. Conclusions

In light of the assessments set out above, taking into account the declarations made and the documentation produced during the investigation and considering that, unless the fact constitutes a more serious crime, anyone, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), the elements provided by the data controller in the defense briefs referred to above are not suitable to accept the request for dismissal, not allowing the findings notified by the Office to be overcome with the aforementioned document initiating the proceedings.

Therefore, with regard to the matter complained of by the complainant, the Office's preliminary assessments are confirmed and the unlawfulness of the processing of personal data carried out by Marco Giugni, former owner of the sole proprietorship "Mednow Medical Center di Marco Giugni", is established, since it has been ascertained that the data controller:

a) processed some of the complainant's data (date of birth and tax code) in breach of the principle of accuracy, in violation of Article 5(1)(d) of the Regulation;

b) sent the report on the outcome of the clinical test undergone by the data subject to the e-mail address of an unauthorised third party, in violation of Article 9 of the Regulation and of the security obligations under Article 5(1)(f) and Article 32 of the same Regulation;

c) did not respond to the data subject's requests to exercise his rights submitted on XX and XX; on XX, following the Authority's invitation to comply, it provided a response which the data subject himself nevertheless considered inadequate; this in violation of Article 12, read in conjunction with Articles 15, 16, 17 and 18 of the Regulation.

In the framework outlined above, considering that the data controller's conduct has exhausted its effects, since he has ceased the business activity to which the violations described above are attributable, having removed the sole proprietorship from the business register on XX, and also that the state of emergency declared by the Council of Ministers on 31 January 2020, in relation to which the complainant's request for rectification of the Covid-19 swab report was relevant, ended on 31 March 2022 pursuant to Decree-Law no. 24 of 24 March 2022, the conditions for adopting the corrective measures under Article 58(2) of the Regulation do not currently exist.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (Articles 58(2)(i) and 83 of the Regulation; Article 166(7) of the Code).

The violation of Articles 5(1)(d) and (f), 9, 12 in conjunction with Articles 15, 16, 17 and 18, and 32 of the Regulation is subject to the pecuniary administrative sanction provided for by Article 83(4)(a) and Article 83(5)(a) and (b) of the Regulation (Article 166(1) and (2) of the Code).

It should be noted that the Guarantor, pursuant to Articles 58(2)(i) and 83 of the Regulation and Article 166 of the Code, has the power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other] [corrective] measures referred to in this paragraph, depending on the circumstances of each individual case" and that, in this context, "the Board [of the Guarantor] adopts the injunction order, by which it also orders the application of the accessory administrative sanction of its publication, in full or in extract, on the Guarantor's website pursuant to Article 166(7) of the Code" (Article 16(1) of Guarantor Regulation no. 1/2019).

The amount of the pecuniary administrative sanction thus imposed, depending on the circumstances of each individual case, must be determined with regard to the principles of effectiveness, proportionality and dissuasiveness set out in Article 83(1) of the Regulation, in light of the elements listed in Article 83(2) of the Regulation, in relation to which it is noted that:

- these were isolated incidents (the unlawful acts referred to in points a), b) and c) of paragraph 4 above) and, according to the data controller's statements, "the same (...) (complainant) did not raise further complaints against the undersigned relating to any consequences of the matter in question" (Article 83(2)(a) of the Regulation);

- with regard to the unlawful acts referred to in points a) and b) of paragraph 4 above, this was a case of "(...) material transcription error, caused by human conduct in absolute good faith" (Article 83(2)(b) of the Regulation);

- the data controller cooperated with the Authority (Article 83(2)(f) of the Regulation);

- there are no previous relevant violations committed by the data controller (Article 83(2)(e) of the Regulation);

- the data controller's conduct, with regard to the unlawful acts referred to in points a), b) and c), dates back to the period of greatest spread of the Covid-19 pandemic, so the error made by the data controller appears partly excusable in view of the particular operational difficulties under which he was working. The conduct must in fact be assessed "(...) in light of the significant amount of work that, in the month of December XX, characterised the activity of the then sole proprietorship of which the undersigned was the owner. In that period and in the immediately following period of January XX, MedNow was literally overwhelmed with requests and was subjected to a very intense volume of work in order to try to best satisfy the very high demand coming from the community. As also widely confirmed by the Covid bulletin referring to the month of January XX (...)" (Article 83(2)(k) of the Regulation).

On the basis of the above elements, assessed as a whole, it is considered appropriate to set the amount of the pecuniary sanction provided for by Article 83(5) of the Regulation at EUR 10,000.00 (ten thousand) for the violation of Articles 5(1)(d) and (f), 9, 12 in conjunction with Articles 15, 16, 17 and 18, and 32 of the Regulation, as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to Article 83(1) of the Regulation.

It is also considered that the accessory sanction of publication of this decision on the Guarantor's website, provided for by Article 166(7) of the Code and Article 16 of Guarantor Regulation no. 1/2019, should be applied, also in view of the nature of the data involved in the unlawful conduct.

Finally, it is noted that the conditions set out in Article 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at performing the tasks and exercising the powers assigned to the Guarantor, are met.

IN LIGHT OF ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by Marco GIUGNI – tax code XX, resident in XX, XX, former owner of the sole proprietorship "Mednow Medical Center di Marco Giugni", removed from the business register on 5 April 2022, for violation of Articles 5(1)(d) and (f), 9, 12 in conjunction with Articles 15, 16, 17 and 18, and 32 of the Regulation;

ORDERS

pursuant to Articles 58(2)(i) and 83 of the Regulation and Article 166 of the Code, Marco Giugni, resident in XX, XX – tax code XX, to pay the sum of EUR 10,000.00 (ten thousand) as a pecuniary administrative sanction for the violations indicated in this decision; it is noted that the offender, pursuant to Article 166(8) of the Code, is entitled to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned data controller, in the event of failure to settle the dispute pursuant to Article 166(8) of the Code, to pay the sum of EUR 10,000.00 (ten thousand) in the manner indicated in the annex, within 30 days of notification of this decision, failing which the consequent enforcement measures will be adopted in accordance with Article 27 of Law no. 689/1981;

DIRECTS

pursuant to Article 166(7) of the Code, the publication in full of this decision on the Guarantor's website, and considers that the conditions set out in Article 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at performing the tasks and exercising the powers assigned to the Guarantor, are met.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, an appeal against this decision may be lodged before the ordinary judicial authority, on pain of inadmissibility, within thirty days of the date of communication of the decision or within sixty days if the appellant resides abroad.

Rome, 31 August 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE GENERAL SECRETARY
Mattei