Garante per la protezione dei dati personali (Italy) - 9993105

From GDPRhub
Garante per la protezione dei dati personali - 9993105
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(c) GDPR
Article 12 GDPR
Article 17 GDPR
Article 17(3)(e) GDPR
Type: Complaint
Outcome: Upheld
Started: 03.08.2021
Decided: 24.01.2024
Published: 12.03.2024
Fine: 15,000 EUR
Parties: MP1 s.r.l.
National Case Number/Name: 9993105
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Maltese
Original Source: Garante per la protezione dei dati personali (in MT)
Initial Contributor: im

The DPA held that the controller violated the data minimization principle, as they did not deactivate a former employee's e-mail account, claiming the necessity of redirecting customers to another one. The controller was fined €15,000.

English Summary

Facts

Data subject is a former employee of MP1 s.r.l., the controller. After the termination of his employment contract, the data subject requested the controller to delete their e-mail account which was used for the purpose of managing orders of the controller.

The controller replied claiming that 'no use' had been made of the account, despite specifying afterwards that the account had been migrated to another company account for the management of commercial orders. Customers emailing the previous account were redirected to the new one and informed that the data subject no longer worked for the controller.

Subsequently, the data subject submitted a formal request to exercise his rights, namely the rights to object and restrict the processing and the right to erasure the e-mail address. The controller did not respond.

As a result, the data subject filed a complaint with the DPA for a failure to comply with the request and, in the event of non-compliance, to impose a ban on the unlawful processing consisting in the persistent activity of their account.

The investigation revealed, that the controller erased the data subject's account, however, the time of the erasure was not indicated.

Holding

Firstly, the DPA held that the controller failed to fulfill his obligation to follow modalities prescribed by Article 12 GDPR, in particular to provide the data subject with information on the action taken in respect of a request pursuant to Article 15 GDPR to Article 22 GDPR without undue delay and, in any event, at the latest within one month or receipt of the request. The controller violated this provision despite the fact the controller deleted the account ‘de facto’ on an unspecified date after the data subject request.

Secondly, the controller stated to the DPA that they did not respond to the data subject’s request to erase their account for reasons related to Article 17(3)(e) GDPR. According to such a provision, the right to erasure does not apply if the processing is necessary ‘for the establishment, exercise or defence of legal claims’. However, the DPA found that the controller would nevertheless had to provide an information of the reasons why the request was not granted. This is expressly established by Article 12(4) GDPR which states that the controller must provide a feedback to data subject without undue delay or within one month of receipt of the request. The controller failed to comply with this provision.

Thirdly, the DPA observed that by redirecting the e-mail to another company account - thus carrying out additional processing operations in relation to the data subject - controller breached the principle of minimisation under Article 5(1)(c) GDPR. The DPA stressed that, to be complaint with the principles of necessity and minimization, a controller should deactivate an employee's email account after the termination of the employment and inform the concerned third parties about alternative contact methods.

As a result, the DPA found violations of Article 5(1)(c) GDPR, Article 12 GDPR and Article 17 GDPR. The controller was fined €15,000.

Comment

Regarding the obligation of the employer to de-activate the former employees account after the contract was terminated, see Guidelines for electronic mail and the Internet, 1.3.2007, in G. U. No. 58 of 10.3.2007, spec. point 5.2, lett. B.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Maltese original. Please refer to the Maltese original for more details.

[doc. web no. 9993105]
Provision of 24 January 2024
Register of measures
n. 40 of 24 January 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);
HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);
GIVEN the complaint presented pursuant to art. 77 of the Regulation by Mr. XX towards MP1 s.r.l.;
EXAMINED the documentation in the documents;
GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;
SPEAKER the lawyer. Guido Scorza;
PREMISE
1. The complaint against the company and the investigative activity.
With a complaint dated August 3, 2021, Mr. XX complained about alleged violations of the Regulation by MP1 s.r.l. (hereinafter, the Company), with reference to the failure to respond to the exercise of the right of opposition, limitation of processing and deletion of data processed via the XX email address, assigned as part of the professional collaboration relationship with the Company .
In particular, it was represented that the interested party used the aforementioned email address until 31 December 2020, for a period also following the termination of the collaboration relationship, which occurred on 27 July 2020, on the basis of an agreement entered into with the Society.
Following the inhibition by the Company of the availability of the aforementioned e-mail address, according to what was complained about, the complainant requested, also by submitting a warning, the cancellation of the account.
After receiving a communication, dated 9 April 2021, with which the Company represented that it had "forwarded the incoming mail to another dedicated box; this, for the sole purpose of managing the relevant orders and informing its customers [...] that the [complainant] no longer collaborates with MP1", on 7 July 2021 the complainant submitted a formal request to exercise the rights. The Company did not respond to this request.
With the complaint, the Authority was therefore asked to order the data controller to satisfy the requests to exercise the rights presented by the interested party and, in case of failure to comply, to "impose a ban on illegitimate processing consisting in the persistent activity of the account referring to the appellant". With the complaint it was also requested to "arrange a reasonable sum to be paid by the company [...] as compensation for the damages resulting from the illegitimate behavior".
The Company, in providing feedback to an invitation to comply with the interested party's requests sent by the Authority, with a note dated 9 May 2023, represented that:
to. "this matter, together with other legal proceedings, arises from the termination of the collaboration relationship between the parties and specifically with reference to the transfer by [different company], of which the [complainant] is the legal representative, of the company shares of minority at MP1” (note 9/5/2023, p. 3);
b. “After the transfer of the company shares in favor of [the Company], the latter complained against [the complainant], illegal conduct in terms of diversion of customers [...], perpetrated [...] also through the use of company account "subject of complaint" (cited note, p. 3);
c. in this context "in response to the request to dispose of the account [by the complainant, the Company] clarified that it had already taken steps to redirect the incoming mail forward to the account used by the interested party [...] and only for complete the transitional management of commercial orders handled for many years (since 2012) by one's collaborator" (note cit., p. 4);
d. "in the following month of July 2021 and after the formal request of the [complainant] the user in question was definitively deactivated" (cit. note, p. 4);
And. "it is believed that the conduct carried out [by the Company] in the management of the data relating to the account in question was correct, as there was no illicit processing of the data passing through the e-mail box, having non-personal content, being company e-mail, dedicated solely to the management of commercial orders addressed to the Company" (note cit., p. 4-5);
f. "the technical measure adopted [by the Company] pending the termination of the telematic user in use by the interested party [has] been correct and such as to avoid a significant injury pursuant to the relevant legislation, having [the Company] taken steps to inform users of the mailbox regarding the need to direct commercial orders sent there to a different email address dedicated for this purpose" (cited note, p. 5).
In response to a request for further information and clarification, the Company, with a note dated 10 May 2023, subsequently declared that:
to. with reference to the management of company e-mail "the employees and collaborators of the Company [...] authorize the same, in the person of the person responsible for the processing of personal data [...] to the relevant processing through specific information [...], while for the management of the related company accounts [...] each is assigned a temporary password by the management server which each user is free to change";
b. the legal representative of the Company had access to the account subject to redirection through the use of a "specific dedicated email [...], used by the same [legal representative] as well as by the staff responsible for the commercial management of orders".
2. The initiation of the procedure for the adoption of corrective measures and the Company's deductions.
On 1 September 2023, the Office carried out, pursuant to art. 166, paragraph 5, of the Code, the notification to the Company of the alleged violations of the Regulation found, with reference to the articles. 5, 12, and 17 of the Regulation.
With defense briefs sent on 29 September 2023, the Company declared that:
to. “it is believed that no conduct of the Company is relevant pursuant to art. 12 of the Regulation, having taken steps to inform the complainant about the temporary management of the company account and the corrective actions adopted, well before the formal exercise of the action and the formalization of the complaint" (note 29/9/2023, p. 1);
b. "this occurred, as already documented, in the correspondence between the respective lawyers and in the context of a long negotiation aimed at resolving various disputes between them, arising from the departure of the complainant from the corporate structure" (note cit., p. 1);
c. the complainant "was immediately informed of the re-forwarding (in-forward) to another mailbox of the communications passing through the reference account, according to a legitimate indirect use method pursuant to art. 12, as no sensitive and/or personal data is been treated with reference to the exclusively "commercial" content of communications relating to orders addressed directly to the Company (cited note, p. 1);
d. "with this conduct the Company has certainly respected the principle of data minimization, as mentioned in the communication initiating the procedure, with reference to the exclusively "commercial" purposes of the use, without invading the personal sphere of the complainant" (note cit. , p. 1);
And. "the Company has legitimately continued to manage the flow of orders in progress and maintained relationships with customers without invading the personal sphere of the interested party, thus achieving an adequate balance of interests at stake (need to continue the economic activity of the owner of the processing and right to confidentiality of the interested party), referred to by the Guarantor, then providing for the definitive closure of the account, effectively responding to the cancellation request formalized by the interested party; this, in full compliance with the right to erasure of data provided for by the art. 17, albeit with informal times and methods and not provided for by the regulation" (note cit., p. 1-2);
f. "on the definitive termination of the account and the related timing, we highlight the inability of the [Company] to document with a certain and precise date the date of actual disposal of the address [...], as the mailbox manager was not able [...] to provide a complete chronological report, but only limited to some periods of operation of the mailbox managed, so from this point of view no responsibility can fall on the Company" (cited note, p. 2);
g. “it is believed that the Company has acted in absolute good faith and in compliance with the reference rules and requirements, considering that any shortcomings detected by the Guarantor cannot be sanctioned according to the evaluation criteria of the conduct referred to in article 83 paragraph 2, for which it is requests the dismissal of this proceeding" (note cit., p. 2).
During the hearing requested by the Company, held on 16 November 2023, the same finally argued, among other things, that "the Company has substantially accepted the interested party's request regarding the cancellation of the account. It has already been documented that in reality the obligations relating to the interested party's request were fulfilled even if outside the rules for exercising rights, considering that there was an exchange between the Company's lawyers and those of the complainant in the context of a broader story."
Furthermore, "any conduct relating to the Company would be punished pursuant to art. 17 par. 3 lett. e) of EU Regulation 2016/679. In fact, precisely in relation to the account which was the subject of the complaint, a dispute arose between the parties regarding the management of the customer package (management which took place through the account which was the subject of the complaint) when the complainant left the company. Following the transfer of the shares, an agreement was hypothesized between the parties regarding the division of customers, an agreement which was not followed up given that the Company had to protect itself in the face of the reported diversion of customers".
Finally, the Company reiterated that it had "activated the redirection to another account [...] as it was the only tool it had to manage the transitory situation and not lose customers. No other technical solution was conceivable."
3. The outcome of the investigation and the procedure for the adoption of corrective and sanctioning measures.
3.1. Outcome of the investigation. Violation of articles 12 and 17 of the Regulation.
Following the examination of the declarations made to the Authority during the procedure as well as the documentation acquired, it appears that the Company, as owner, has carried out some processing operations, referring to the complainant, which are not compliant with the relevant regulations of protection of personal data.
In this regard, it is highlighted that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor".
On the merits, it therefore emerged that the complainant, after having sent, on 6 April 2021, to the Company a "Warning to close the email address" which is the subject of the complaint, on the following 9 April received, from the same, a confirmation containing, among other things, the indication that "no direct use of the indicated e-mail account is made by the Company [...], as it has forwarded the incoming mail to another dedicated mailbox; this, for the sole purpose of managing the relevant orders and informing its customers via the different email that the [complainant] no longer collaborates with [the Company]" (Annex 3, note from the Company 9/3/2023).
Subsequently, on 5 July 2021, almost three months after the previous request, the complainant sent the Company a formal request for "EXERCISE OF RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA (articles 15-22 of Regulation (EU) 2016/679 )” (Annex 6, complaint 3/8/2021), exercising in particular the right to object to the processing of your personal data via the email address and requesting the limitation of the processing and the cancellation of the aforementioned email address without receiving a response.
The Company therefore responded, on 9 April 2021, to the formal notice of 6 April 2021 ("to close the email address" referring to the complainant) claiming that "no use" of the account was carried out, despite immediately afterwards specified that the account itself had been redirected to another company account, a circumstance which instead involves the carrying out of processing activities by the Company.
In response to the subsequent formal request to exercise the rights provided for by the Regulation presented by the complainant, the Company did not then provide any feedback to the interested party.
This conduct is in contrast with the provisions of the art. 17 of the Regulation where it establishes that the interested party has the right to obtain, from the data controller, the cancellation "without unjustified delay" of personal data concerning him in the presence of specific reasons indicated by the law.
The corresponding obligation placed on the data controller must follow the methods prescribed by the art. 12, in particular where it prescribes that "the data controller provides the interested party with information relating to the action taken regarding a request pursuant to articles 15 to 22 without unjustified delay and, in any case, at the latest within one month of receipt of the request itself".
The Company should therefore have provided "at the latest within one month" a specific response to the request for deletion of the data processed following the termination of the employment relationship.
Nor can the provisions of the aforementioned provisions be satisfied, as deemed by the Company, by the fact that the cancellation would have been carried out "de facto", i.e. without observing the specific methods established by the personal data protection regulations ("with times and in informal ways not provided for in the regulation": defense briefs 29/9/2023).
This argument cannot be accepted both because the concrete methods provided for by the Regulation are an integral part of the right recognized to the interested party. Furthermore, from the documents of the proceedings, the date of cancellation of the e-mail address subject to the complaint does not emerge with certainty.
In this regard, the Company declared to the Guarantor that it had deactivated the email address during the "month of July 2021 and after the formal request of the [complainant]", attaching a declaration from the manager who, dated 22 February 2023, certifies that the email address subject to the complaint "has been deleted for more than 3 months" (Annex 4, Company note 9/3/2023).
Based on the documentation provided by the data controller, it therefore emerges that the cancellation took place on an unspecified date, before mid-December 2022.
Lastly, it is noted that, even if the Company, as declared in the hearing of 16 November 2023, had not provided feedback to the interested party's request in application of the art. 17, par. 3, letter. e) of the Regulation (according to which the right to cancellation does not apply if the processing is necessary "for the establishment, exercise or defense of a right in court"), nevertheless it should have provided feedback aimed at inform the interested party of the reasons why the request was not processed, or a partial response was provided, and the remedies provided by the law against such decision.
This in light of what is expressly established by the art. 12, paragraph 4, of the Regulation, according to which the owner "If he does not comply with the request of the interested party, [...] informs the interested party without delay, and at the latest within one month of receiving the request, of the reasons for the non-compliance and the possibility of lodging a complaint with a supervisory authority and lodging a judicial appeal" (on the obligation to provide feedback to the interested party pursuant to art. 12, par. 4 of the Regulation, although with regard to the right of access, see Cass., section I civ., 4/4/2023, n. 9313).
The Company, therefore, in the terms described above, has not complied with the obligation to provide feedback to the interested party following the exercise of the rights provided for by the Regulation - in this case the right of cancellation pursuant to art. 17 -, within the terms and in the manner prescribed by the art. 12 of the Regulation.
3.2. Violation of the art. 5, par. 1, letter. c) of the Regulation.
It also emerged that the Company, after the termination of the collaboration relationship with the complainant (which formally occurred on 27/7/2020), allowed the latter to use, until 31 December 2020, the email account already assigned to him .
Subsequently, the Company redirected the email account, previously assigned to the complainant, to another company email address, accessible to the legal representative and the staff responsible for the commercial management of orders.
This occurred for a period of time that could not be quantified with certainty, given that, as set out in the previous paragraph, the owner was not able to prove that the cancellation occurred precisely on the date indicated (the month of July 2021 ).
In any case, it is certain that the redirection continued for a period between the end of December 2020 and - at least - the month of July 2021 (see Attachment 5 to the Company's note 9/3/2023, containing a copy of a communication sent on 2/7/2021 to the email address subject to the complaint, for the particular attention of the complainant, to which a response was provided by a representative of the Company via the company address on which the account assigned to the complainant has been redirected).
According to what was declared by the Company during the proceedings, the redirection would have represented the only "technical solution" suitable for "managing the flow of orders in progress and maintaining relationships with customers".
In light of the above, the processing carried out through the account which is the subject of the complaint does not, however, appear adequate and proportionate with respect to the declared purpose ("to complete the transitional management of commercial orders carried out for many years (since 2012) by one's collaborator": note from the Company 9/3/2023).
This assessment emerges both from the observation of the long period of activation of the redirection measure (at least seven months) which, moreover, would have been interrupted, according to what was declared, not from the outcome of the assessment of the disappearance of the "transitional" order management needs but upon (repeated) request of the interested party.
However, the Company has not proven that this measure was the only one available, nor that, through the management of the account, the complainant would have carried out customer diversion activities.
Given that, in general terms, the exchange of electronic correspondence − unrelated to work activity or not − on an individualized company account constitutes an operation that allows us to know some personal information relating to the interested party (see "Guidelines of the Guarantor for electronic mail and Internet", 1.3.2007, in Official Journal no. 58 of 10.3.2007, spec. point 5.2, letter b), the Guarantor has already deemed compliant with the principles of necessity and minimization which after the termination of the relationship of work, the owner ensures the removal of the account after deactivating it and simultaneously adopting automatic systems aimed at informing third parties and providing them with alternative addresses relating to his professional activity (see, among others, most recently: Provv 27 April 2023, web doc. no. 9909235; Provision 9 March 2023, no. 68, web doc. no. 9877754).
This is also to protect the third party senders of the communications, whose expectation of confidentiality does not appear to have been protected in the concrete case given that they were made aware of the termination of the complainant's professional relationship with the Company after the content of the communications addressed to the account referring to the latter had been learned by the Company (see the aforementioned Attachment 5 to the Company's note 9/3/2023).
The Company's conduct, as ascertained, therefore violated the principle of data minimization (art. 5, par. 1, letter c) of the Regulation) according to which the data controller must process only "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".
In accordance with what was established by the Guarantor in similar cases, the (legitimate) purpose of managing the flow of orders in progress and thus maintaining contact with its customers could have been pursued with less invasive treatments and, therefore, compliant with the protection regulations of the data, compared to that implemented in the present case.
Finally, it is noted that the objections raised by the Company in the defense briefs cannot be accepted, i.e. that this profile of violation of the provisions relating to data protection would constitute a "new complaint contained in the communication initiating the proceedings, as it was never contested before, and not the subject of a specific complaint by the complainant".
The Supervisory Authority, in fact, carries out the tasks and exercises the powers attributed by the articles. 57 and 58 of the Regulation also independently of the requests presented by the interested parties. The found violation of the minimization principle was contested with the notification of the initiation of the procedure dated 1 September 2023 and the Company exercised its right of defense on this point too.
Finally, it should be noted that the law does not attribute to the Authority any competence regarding the assessment of any damage suffered by the interested party as a result of the processing of personal data relating to him or her (see art. 82 of the Regulation and 152 of the Code).
4. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, Regulations.
For the above reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not make it possible to overcome the findings notified by the Office with the initiation of the procedure and are therefore unsuitable to allow the dismissal of this proceeding, as none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.
The processing of personal data carried out by the Company and in particular the inappropriate response to the cancellation request presented by the complainant and the redirection - for a significant period of time - of the individualized email address after the termination of the collaboration relationship with the complainant itself, is in fact illicit, in the terms set out above, in relation to the articles. 5, par. 1, letter. c), 12 and 17 of the Regulation.
The violation ascertained within the terms set out in the motivation cannot be considered "minor", taking into account the nature of the violation which concerned the exercise of the rights of the interested party, the gravity and duration of the violation itself, the degree of responsibility and the manner in which the supervisory authority became aware of the violation (see Recital 148 of the Regulation).
Therefore, given the corrective powers attributed by art. 58, par. 2 of the Regulation, a pecuniary administrative sanction is imposed pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) Regulation).
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
At the end of the proceedings it appears that MP1 s.r.l. has violated the articles. 5, par. 1, letter. c), 12 and 17 of the Regulation. For violations of the aforementioned provisions, the application of the pecuniary administrative sanction provided for by the art. 83, par. 5, letter. a) and b) of the Regulation, through the adoption of an injunction order (art. 18, l. 11.24.1981, n. 689).
Considered necessary to apply paragraph 3 of the art. 83 of the Regulation where it provides that "If, in relation to the same processing or related processing, a data controller [...] violates, with intent or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed amount specified for the most serious violation", the total amount of the sanction is calculated so as not to exceed the legal maximum envisaged by the same art. 83, par. 5.
With reference to the elements listed in the art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), it is stated that , in this case, the following circumstances were considered:
a) in relation to the nature, seriousness and duration of the violation, the nature of the violation which concerned the general principles of processing and the exercise of the rights of the interested party was considered relevant as well as the duration of the violation itself (not less than seven months) ;
b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, the conduct of the Company and the degree of responsibility of the same which did not comply with the regulations on data protection in relation to a plurality of provisions;
c) in favor of the Company, the cooperation with the Supervisory Authority, the fact that the confirmed violation concerned only the complainant and the deletion of the email address subject to the complaint were taken into account.
It is also believed that they assume relevance, in the specific case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness which the Authority must comply with in determining the amount of the sanction (art. 83, par. 1, of the Regulation), firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the Company with reference to the ordinary financial statements for the year 2022. Lastly, the extent of the sanctions imposed in similar cases is taken into account.
In light of the elements indicated above and the assessments carried out, it is believed, in this case, to apply towards MP1 s.r.l. the administrative sanction of payment of a sum equal to 15,000 (fifteen thousand) euros.
In this context, it is also believed, in consideration of the type of violations ascertained which concerned the exercise of the rights of the interested party, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, this provision must be published on the Guarantor's website.
It is also believed that the conditions set out in art. 17 of Regulation no. 1/2019.
ALL THE WHEREAS, THE GUARANTOR
notes the unlawfulness of the processing carried out by MP1 s.r.l., in the person of its legal representative, with registered office in Via Umberto Agnelli, 11, Montecelio di Guidonia (RM), C.F. 06613721007, pursuant to art. 143 of the Code, for the violation of articles. 5, par. 1, letter. c), 12 and 17 of the Regulation;
ORDER
pursuant to art. 58, par. 2, letter. i) of the Regulation to MP1 s.r.l., to pay the sum of 15,000 (fifteen thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;
ORDERS
therefore to the same Company to pay the aforementioned sum of 15,000 (fifteen thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to the art. 27 of law no. 689/1981. Please note that the violator remains entitled to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the sanction imposed, within the deadline set out in the art. 10, paragraph 3, of the legislative decree. lgs. n. 150 of 1.9.2011 provided for the filing of the appeal as indicated below (art. 166, paragraph 8, of the Code);
HAS
the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/20129, and believes that the conditions set out in the art. 17 of Regulation no. 1/2019.
Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, 24 January 2024
PRESIDENT
Stantion
THE SPEAKER
Zest
THE GENERAL SECRETARY
Mattei