Garante per la protezione dei dati personali (Italy) - 10134221
| Garante per la protezione dei dati personali - 10134221 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(c) GDPR; Article 5(1)(e) GDPR; Article 5(1) GDPR; Article 6 GDPR; Article 25 GDPR; Article 28 GDPR; Article 35 GDPR; Article 88 GDPR; Article 4 d. lgs. 300/1970 |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 29.04.2025 |
| Published: | |
| Fine: | 50,000 EUR |
| Parties: | Regione Lombardia |
| National Case Number/Name: | 10134221 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | GPDP (in IT) |
| Initial Contributor: | cci |
The DPA fined the Region of Lombardia €50,000 for several violations related to the processing of employees' data, including the unlawful retention of navigation logs and email metadata.
English Summary
Facts
The DPA carried out an ex officio investigation against the Region of Lombardia (the controller) to verify the compliance of the processing of data from employees (the data subjects), including the processing of data in the context of smart work.
The investigation found that the controller logged all browsing activity from the employees’ computers as well as metadata from employees’ work emails. Navigation logs were stored for 12 months and email metadata were stored for 90 days. The stored data included employees' attempts to access blacklisted websites. The data were subject to strict access controls and were analyzed solely for cybersecurity purposes.
At the time of the investigation, navigation logs and email metadata were stored without the involvement of trade unions or the Inspectorate. However, consultations with trade unions were ongoing[1] and an agreement was eventually reached and formalized.
The DPA also investigated the controller’s use of a ticketing system provided by a processor. The DPA found that open tickets were stored indefinitely by the system. The controller later discontinued the system, stopped engaging with the processor, and prompted the processor to erase all data relating to the provision of services to the controller.
Holding
On lawfulness
The DPA held that the collection and retention of browsing logs and email metadata constituted systems for the remote surveillance of employees in the specific meaning of Italian labor law[2].
The DPA observed that the controller did not fulfill the requirements for implementing such a system under labor law. Contrary to the controller's arguments, the DPA also held that the processing of employee data did not fall under any exemption under Italian labor law[3].
For these reasons, the DPA considered that the collection and retention of browsing logs and email metadata violated labor law. The DPA concluded that such data processing operations also lacked a legal ground under the GDPR, in violation of Articles 5(1)(a), 6, and 88 GDPR.
Other findings
Additionally, the DPA held that the controller:
- Stored navigation logs for an excessive time, in violation of Articles 5(1)(c), 5(1)(e), and 25 GDPR;
- Collected irrelevant information about the personal lives of employees, in violation of Article 5(1)(c) GDPR;
- Failed to carry out a data protection impact assessment for the storage of navigation data and email metadata, in violation of Article 35 GDPR;
- Violated Articles 5(1)(c), 25, and 28 GDPR by allowing the providers of its ticketing system to store open tickets (including employees’ names) for an excessive time, and by failing to stipulate data processing agreements.
Conclusions
Overall, the DPA found that the controller violated Articles 5(1)(a), (c) and (e), 6, 25, 28, 35, and 88 GDPR as well as Articles 113 and 114 of the Italian privacy code.
The DPA fined the controller €50,000 and ordered the controller to address its violations. Specifically, the DPA ordered the controller:
- To anonymize data about the access to blacklisted websites;
- To limit the retention of navigation logs to 90 days. More exactly, the controller had to either anonymize or delete the logs after 90 days;
- To pseudonymize navigation logs by encrypting the name of the user of each company computer;
- To require the providers of the ticketing system to pseudonymize the data of the filing employee;
- To limit access to the data to a small number of staff members tasked with incident response, and to provide such staff members with data protection training.
In determining the fine, the DPA considered that the controller had already remedied some of its violations. In particular, the controller had reached an agreement with trade unions on the processing of navigation logs and metadata and had carried out a data protection impact assessment for the processing.
Comment
In 2024 the DPA published guidance on the processing of metadata from employees' emails. The guidance examines labor law and its overlap with data protection.
Italian labor law regulates remote surveillance of workers via a general rule with narrow exemptions:
- Article 4(1) l. 300/1970 provides that remote surveillance can only be implemented following a formal agreement with trade union representatives, or upon authorization of the National Labor Inspectorate;
- Article 4(2) provides very narrow exemptions for instruments used by employees to provide their work, and for systems that merely register workplace access and work attendance. These forms of monitoring can be implemented without consulting trade unions or the Inspectorate.
As a rule of thumb, the DPA considers the retention of email metadata to fall under the second paragraph exemption, provided that metadata are retained for no longer than 21 days and that they are only processed to ensure the integrity of information systems. The DPA also clarifies that some employers may be able to prove that longer retention of metadata is indispensable in their specific case: in such scenarios, the processing may still fall under the Article 4(2) exemption.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[web doc. no. 10134221]
Provision of 29 April 2025
Register of provisions no. 243 of 29 April 2025
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Acting Secretary General;
HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);
HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (hereinafter “Code”);
HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);
Having seen the documentation in the files;
Having seen the observations formulated by the acting secretary general pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;
Rapporteur Prof. Pasquale Stanzione;
WHEREAS
1. Introduction.
As part of investigations initiated ex officio in order to verify compliance with the rules on the protection of personal data in relation to the processing carried out in the workplace, also with reference to the methods of carrying out the so-called “agile work”, the Authority conducted an inspection, pursuant to art. 58, par. 1, of the Regulation and arts. 157 and 158 of the Code, against the Lombardy Region.
2. The preliminary investigation.
The inspections carried out (see minutes of XX, XX and XX, in the files) revealed, in particular, that: the use of IT equipment by staff “is regulated by the “Decree on the rules for the use of information technology tools” no. XX of XX of the Regional Council”; more specifically with regard to the agile working method, “no different rules have been established for remote processing compared to in-person processing […]”; Internet browsing by employees “is free with the exception of sites present in a constantly updated black list”; “all logs relating to browsing are kept, including failed attempts to access the aforementioned sites” (see subsequent note of XX); "in the event of motivated requests, they are made available only to the judicial authority. It is possible to trace the navigation carried out by a particular machine by reconnecting the information (stored separately) of the user and the machine's IP as indicated [... in] decree XX. This reconnection is also carried out in the event that the systems detect particular traffic anomalies [...] the aforementioned decree was adopted following a process of sharing with the unions and referred to in the same decree. In any case, an agreement has not been stipulated with the unions pursuant to article 4 paragraph 1 of Law 300/1970 given that [...] the Region believes that the processing carried out in this regard cannot be traced back to the remote controls that fall within the scope of application of that law [... and] the unions have not requested the activation of bargaining tables [...;] the logs relating to Internet navigation are stored for 12 months on the servers of ARIA, appointed as data controller, within the framework agreement for the management of the technological infrastructure which includes networking, secure navigation service management, with a specific assignment”; the email service (Microsoft 365) “is managed by ARIA through a specific assignment within the scope of the agreement”; “the email service logs (metadata) are collected by ARIA and stored for 90 days to allow for any technical assistance and […] no employee has access to the same logs”; the Region subsequently “specified that, also in light of the provision of the Guarantor against the Lazio region of XX on the processing of metadata relating to the use of email by employees, the Region has initiated, internally, a reflection at the instigation of the DPO which has involved the Council and the ARIA data controller, for the aspects of competence”; the Region declared that “Internet browsing and email logs have never been used to verify the behavior of an employee”; the Region added that, in the last five years, "two disciplinary proceedings have been initiated against employees, one for alleged use of devices not compliant with the [aforesaid] decree [XX] and one for alleged behavior not appropriate to the instructions given in data processing"; with regard to the methods of managing the technical assistance service for employees (on-site or in smart working), at the time of the inspections in question, "a telephone number dedicated to technical assistance" was foreseen, which "with the new contract [would have been] supported by a specific portal accessible from the intranet and the Internet"; in this regard, the Region also stated that "since there is an IT contact in all directions, employees can contact this figure to open technical assistance tickets.
The help desk service uses the SDAS platform [...]. This service is managed by remote operators who either resolve the problem during the user's call or forward the ticket to remote or on-site support [...]. For each ticket, an opening and closing email is sent to the requesting employee"; “tickets are kept in the ticket management system for the entire duration of the contract, in particular the data of the new SDAS system will be stored for 78 months (6 years + additional 6 months necessary to carry out the residual contractual activities such as accounting, payments, verification of the regular execution of the contract) as provided for in the appointment act. A meeting is held monthly between suppliers and the information systems structure (SAL) to verify the progress of the work and take stock of the situation, monitor the SLAs, identify any critical issues such as excessive number of tickets, particular and repeated problems which, as a rule, do not involve the processing of personal identifying data”; “in addition to the supplier company's staff, some employees of the information systems structure access the ticket management system, identified on the basis of specific tasks, with visibility on all tickets opened by the Entity's employees as well as the IT referents of the directorates, the latter with visibility only on the directorate's assets”; until XX, the OTRS - Open Source Help Desk System system was in use, which, however, at the time of the inspections, was still "used by the staff of the new supplier who took over the service contract for the management of assets not yet replaced as per the new contract and tickets still open before XX" and would also have been used "until the complete decommissioning of the assets managed in the old contract, [following which] all the data [would have been] deleted". 
In relation to the aspects indicated above, with a subsequent note, received on XX, the Region, also in resolution of the reservations formulated during the inspection, represented, in particular, the following: - regarding the conservation of the logs generated by the Internet navigation of the employees, "Aria - manager of the proxy service - keeps the navigation logs with only the information relating to the IP address of the machine. The network manager (Fastweb) has the information relating to the association between the IP of the machine and the MAC ADDRESS of the machine itself. The manager of the PdL (Engineering) has the information relating to the association between the MAC ADDRESS of the machine and the name of the user assigned to the machine itself. Individually, no manager, therefore, is able to independently trace the complete information between the navigation carried out and the user who performed it"; - “the types of security alarms constantly analyzed automatically and anonymously consist of: DoS/DDoS attacks; infected workstations and servers; attempted attacks on systems and/or applications and/or services; exploitation of vulnerabilities; systems connected to Botnets; data exfiltration; intrusions; compromise of systems and/or applications and/or services; unauthorized modification or deletion of data; sending of phishing emails; communication with IPs, domains, URLs attributable to malicious activities. When one of these types occurs, the probability that this alarm could generate actual damage to the infrastructure (and the information contained therein) is assessed. Only the occurrence of this condition triggers the in-depth analysis procedure which, as a last resort, involves the identification of the infected workstation. 
In the last 12 months, no cases have occurred that have determined an alert such as to have to activate the reconnection procedure”; - with regard to the metadata generated by the use of the email service by the Region's employees, "the administrators of the email tenant have the possibility of conducting a tracking operation of the email transited by the Exchange server. The information that Microsoft allows to collect based on this search is available for 7 days directly on the server, and includes: date and time of the message; sender's address; recipient's address; subject of the email; status (information on the correct delivery of the message or, alternatively, the reason why it was not correctly delivered); size of the message (expressed in KB or MB, including the size of any attachments); message header (text file containing the unique identifier of the message and information about the transit)”; “for emails older than 7 days, Microsoft allows to collect a smaller amount of information through a report in CSV format. The information that can be acquired in this way remains available to administrators for 90 days, and includes: timestamp of the message; sender's address; recipient's address with any status (this report only acquires emails received by the server and addressed to the destination, emails that the server blocks upstream are not tracked); subject of the email; size of the message (expressed in bytes, including the size of any attachments); unique identifier of the message”; “the 90-day retention parameter is set by Microsoft (license release conditions) and administrators do not have the possibility to decrease it.
The information made available by tracking is used solely for the purpose of offering assistance to users when a message is not delivered correctly”; more specifically, as regards the applicability profiles of the legislation on the use of remote monitoring of workers, the Region highlighted that “the personal computer and the email box provided by the Administration to employees are necessary for carrying out daily work activities and, therefore, must be considered as essential work tools. The Administration, precisely on the basis of the distinction between control tools referred to in paragraph 1 and work tools referred to in paragraph 2, considered that the union-related obligations referred to in paragraph 1 were not necessary. The Administration, considering what emerged during the inspection, is evaluating the ways to address the issue at the union tables, preliminarily representing to the RSU the binding aspects deriving from the Microsoft license"; - with reference to the solutions aimed at ensuring compliance with the principles of minimization and limitation of the conservation of data processed by the technical assistance service, "it should be noted preliminarily that the data generated by the ticketing system are of an operational nature and are consulted for the purposes of assistance and administrative management of the Service Level Agreements (SLA). In particular, during the technical table the Supplier was immediately asked to verify the technical possibility of storing information relating to tickets exceeding 12 months in anonymous mode, for the administrative purposes related to the management of the contract. In practice, the complete databases, including the user's identification data and the subject of the request, may be retained for 12 months to ensure an adequate assistance service. 
Subsequently, after 12 months, the identification data of users and operators will be made anonymous, with the possibility of retaining and using the anonymized databases for administrative purposes"; - with reference to the rotation of suppliers responsible for providing the technical assistance service to employees and access to the data contained in the OTRS system, in the process of being decommissioned, in response to the reservations expressed in the minutes, the Region declared that "it considers adopting an addendum [... to the agreements stipulated pursuant to art. 28 of the Regulation] in order to regulate the processing of previous data contained in the old ticketing system until the complete decommissioning of the assets and the formatting of the environment relating to the previous supply"; the Region therefore sent the Authority the draft of the aforementioned contractual addendum currently being formalized with the suppliers of the new SDAS system.
Following the inspection activity and, in particular, the examination of the supplementary documentation subsequently sent by the Region also to resolve the reservations formulated during the inspection, the Office, in noting the need to acquire further elements and clarifications deemed essential in order to complete the investigation framework, addressed a request to the Region for further information and clarifications, to which feedback was provided, at different times and with subsequent communications, also in order to document to the Authority the measures progressively adopted by the Region to conform the processing to the data protection regulations (see notes of XX, XX, XX and XX). In particular, in acknowledging with note of XX that on XX it had reached the signing of the collective agreement pursuant to art. 4, paragraph 1, of Law no. 300 of 20 May 1970, with the trade unions representing non-managerial staff only, the Region sent a copy of the aforementioned agreement to the Authority, also attaching evidence of the performance of the data protection impact assessment pursuant to art. 35 of the Regulation and of the information provided pursuant to art. 13 of the Regulation. It also stated that "the update to the Infotelematic Decree is being finalized in order to make it consistent with the signed deeds". Subsequently, with a note dated XX, the Region, with regard to managerial staff, also sent a copy of a separate agreement signed on XX pursuant to art. 4, paragraph 1, of Law no. 300 of 20 May 1970 with the trade unions representing managerial staff as well as the aforementioned Decree no. XX of XX relating to the update of the document “Rules for the use of the Regional Council’s infotelematic services”.
With note of XX, the Office, on the basis of the elements acquired from the checks carried out and the facts that emerged during the investigation, notified the Lombardy Region, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation on the assumption that the processing of the personal data in question had been carried out: due to failure to comply with the sector regulations on remote controls in reference to the conservation of metadata generated by the activity of the employee staff in relation to both the use of the email service and Internet browsing, in violation of arts. 5, paragraph 1, letter a), 6 and 88, paragraph 1, of the Regulation as well as 114 of the Code (in relation to art. 4, paragraph 1, of Law 20 May 1970, n. 300); given the failure to comply with the conditions set out in the sector regulations with regard to the use of metadata collected for other purposes related to the management of the employment relationship, in violation of Articles 5, paragraph 1, letter a), 6 and 88 of the Regulation and 114 of the Code (in relation to Article 4, paragraph 3, of Law no. 300 of 1970); due to the excess of the retention times of the logs relating to Internet browsing as well as the data relating to requests for technical assistance, in violation of Articles 5, paragraph 1, letter e), and 25 of the Regulation; given the collection of data not related to work activity with reference to the retention of Internet browsing logs, in violation of Articles 5, paragraph 1, letter a), c), 6, 88, paragraph 1, of the Regulation as well as 113 of the Code (in relation to Articles 8 of Law 20 May 1970, no. 300 and 10 of Legislative Decree no. 276/2003); in the absence of a data protection impact assessment with reference to the processing of metadata relating to the use of electronic mail and logs relating to Internet browsing, in violation of art. 35 of the Regulation; given the inadequate regulation pursuant to art. 28 of the Regulation of the relationship with the suppliers of the technical assistance service in reference to the processing of personal data contained in the OTRS system, in violation of art. 28 of the Regulation. With the same note, the aforementioned owner was invited to produce written defenses or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981).
With note of XX, the Lombardy Region presented a defense brief, declaring, in particular, that: “the employer […] used systems that determine the processing of personal data referring or referable to workers only and exclusively for purposes necessary to ensure the functioning of the infrastructure and of a purely technical nature, such as the detection of anomalies, suspected cyber attacks or for maintenance, in compliance with art. 4, second paragraph, of the Workers' Statute and in line with the content of art. 32, paragraph 1, letter d) of the GDPR”; “The Lombardy Region believed that the retention of metadata for 90 days for technical purposes, relating to the correct functioning and regular use of the email system [...], together with correct and transparent information for workers, with anonymous, indirect and gradual checks, could be sufficient to fall within the scope of application of the second paragraph of art. 4 of the Workers' Statute. Only with the provision against the Lazio Region of the month of XX, the Guarantor Authority has [… indicated] a specific time frame beyond which it is presumed that paragraph 1 of art. 4 of the Workers' Statute applies. Before this provision, the Guarantor Authority had never indicated a precise term that would serve as a watershed for determining the scope of application between the first and second paragraphs of art. 4 of the Workers' Statute. […] Only after the public consultation, precisely in the month of XX, the Guarantor Authority, although in line with the previous interpretation, revised the retention period of email metadata, going from 7 to 21 days, thus making the guidance document effectively applicable to all data controllers, the effectiveness of which was suspended during the public consultation period”; “The Lombardy Region, which has always, also with the support of the privacy office and the DPO, paid particular attention to the provisions of the Guarantor, also following the inspection activity against the Lazio Region and in light of this further time specification provided by the Guarantor Authority, subsequently crystallized with the publication of the guidance document “Programs and IT services for managing email in the workplace and processing metadata” in XX, considered the preparation of an adjustment, signing, at the end of a trade union discussion process, the agreement with the trade union representatives, reached on XX for the staff of the sector and dated XX for management personnel, in relation to the storage of email metadata and Internet browsing logs, reviewing the previous approach, also in relation to the infotelematic decree, shared in a spirit of full collaboration with the Guarantor Authority"; with regard to the storage of log files relating to Internet browsing, "Regione Lombardia has never implemented massive, prolonged, constant and indiscriminate controls in relation to its employees using the information collected, without ever using personal information, even if not pertinent or suitable to reveal religious, philosophical or other beliefs, political opinions, health status or sexual life. […] Regione Lombardia through its Rules had implemented technical and organizational measures that prevented its operators from independently tracing the complete information between the browsing carried out and the user who performed it.
The storage has always and only concerned anonymous data and stored in separate form at the individual suppliers. […] Furthermore, […] only the occurrence [… of the conditions already indicated in the note of XX, concerning certain “types of security alarms”] triggered the in-depth analysis procedure which, as a last resort, provided for the identification of the infected workstation, also in accordance with the provisions of the Guidelines [… of the] Authority of 2007. […] The technical security measure of the need for reconnection, aimed at ensuring effective minimization of personal data, excludes any control of workers”; always with reference to the conservation of log files relating to Internet browsing, “from a technical point of view, […] in designing an effective Incident Response strategy, the regional administration also relied on a methodical approach, starting first of all from a correct identification of the incidents. In fact, more and more attacks do not immediately generate a security alarm (such as, for example, a peak in network bandwidth usage) but are composed of many small actions that exploit the use of Internet connectivity (e.g. calls at anomalous times, repeated over multiple periods, etc.) that only analyzed overall over time allow us to trace the origin of the attack. APT (Advanced Persistent Threat) attacks are known for their extended duration over time. Unlike traditional attacks, APTs do not aim to gain rapid and immediate access, but rather to infiltrate a network discreetly and remain there for a long time to collect sensitive information or cause damage on a large scale or recover all the information necessary to trigger Ransomware attacks which, as is known, undermine in one fell swoop the integrity, availability and, in the event of theft before the attack, the confidentiality of the data processed. 
The analysis of browsing logs is one of the factors to take into account to evaluate anomalous behaviors that are potentially dangerous in the long term. On average, an APT attack can last several months or even years.”; As for the dispute relating to the use of metadata for disciplinary purposes in the absence of the conditions provided for by the sector regulations in this regard, the Region, in providing further elements, provided clarifications regarding the previous declarations made, specifying that “neither of the two disciplinary proceedings was initiated through the use of email or Internet browsing logs”; With regard to the definition of the retention period of data relating to requests for technical assistance from employees following the closure of tickets, “within the regional organization, anonymizing/deleting each individual ticket at the time of closing the same would not guarantee an adequate assistance service since, in the event that a single user reports recurring anomalies, it would not be possible to fully analyze and resolve the problem”; As for the failure to carry out a data protection impact assessment pursuant to art. 35 of the Regulation with reference to the processing of metadata relating to the use of email and Internet browsing logs, “according to the [… “Guidelines on data protection impact assessment and the criteria for determining whether a processing operation is "likely to result in a high risk" under Regulation 2016/679”, WP 248 of 4 April 2017], in most cases a controller may consider that a processing operation that meets two criteria should be subject to a data protection impact assessment. 
In the case in question, only criterion number 7 is applicable in relation to data relating to vulnerable data subjects, while, in the opinion of this Administration, criteria number 3 (systematic monitoring) and number 8 (innovative use or application of new technological or organizational solutions) are absolutely not applicable”; as regards the detected lack of some of the essential elements of the agreement referred to in art. 28 of the Regulation with the suppliers responsible for providing the technical assistance service, “the main appointment as data controller by the three suppliers of the technical assistance service […] described […] the technical assistance activity by fully identifying the subject matter regulated, the nature and purpose of the processing, the type of personal data and the categories of data subjects, although without adequately specifying the supporting tool and the reference dates. Following what emerged during the inspection by the Guarantor, it was deemed appropriate to provide for an addendum to the existing appointment to better clarify that the same activities described in the processing [… in question] were also carried out through the OTRS ticketing system”. Finally, with a subsequent note of XX, the Region communicated that it did not wish to avail itself of the right to take part in the hearing pursuant to art. 166, paragraph 6, of the Code.
3. The applicable legislation: the legislation on the protection of personal data in the workplace and the performance of work activities in agile mode.
According to the legislation on the protection of personal data, the employer may process the personal data of workers, including those relating to particular categories of data (see art. 9, paragraph 1, of the Regulation), if the processing is necessary, in general, for the management of the employment relationship and to fulfil specific obligations or tasks arising from the sector legislation (art. 6, paragraph 1, letter c), 9, paragraph 2, lett. b) and 4; 88 of the Regulation). The processing is also lawful when it is "necessary for the performance of a task carried out in the public interest or in connection with the exercise of official authority vested in the data controller" (Articles 6, paragraphs 1, letter e), 2 and 3 of the Regulation; 2-ter of the Code). In this context, the processing of personal data carried out in the context of the execution of the agile employment contract - regulated by a regulation aimed at encouraging the adoption of new ways of organizing work based on spatial-temporal flexibility, evaluation by objectives and the conciliation of working life with private life (Articles 18 to 23 of Law 22 May 2017, no. 81) - are subject to the same legal bases referred to above that typically occur in the workplace. The employer must also comply with national regulations, which "include appropriate and specific measures to safeguard human dignity, legitimate interests and fundamental rights of the data subjects, in particular with regard to transparency of processing […] and monitoring systems in the workplace” (Articles 6, paragraph 2, and 88, paragraph 2, of the Regulation). On this point, the Code, confirming the system prior to the amendments introduced by Legislative Decree no. 101 of 10 August 2018, makes express reference to the national sector provisions that protect the dignity of people in the workplace, with particular reference to possible controls by the employer (Articles 113 “Data collection and relevance” and 114 “Guarantees regarding remote monitoring”). As a result of this reference, and taking into account Article 88, paragraph 2, of the Regulation, compliance with Articles 4 and 8 of Law no. 300 of 20 May 1970 and Article 10 of Legislative Decree no. 297/2003 (in cases where the conditions are met) constitutes a condition of lawfulness of the processing.
These provisions constitute in the internal legal system those more specific and more guarantee provisions referred to in art. 88 of the Regulation - for this purpose the subject of a specific notification by the Guarantor to the Commission (available at the page: https://ec.europa.eu/info/law/law-topic/dataprotection/data-protection-eu/eu-countries-gdpr-specific-notifications_en) pursuant to art. 88, par. 3, of the Regulation - the violation of which, similarly to the specific processing situations of Chapter IX of the Regulation, also determines the application of administrative pecuniary sanctions pursuant to art. 83, par. 5, letter d), of the Regulation. The data controller is, however, required to comply with the principles of data protection (art. 5 of the Regulation) and is responsible for implementing appropriate technical and organizational measures based on the specific risks arising from the processing, having to be able to demonstrate that the same is carried out in compliance with the Regulation (art. 5, par. 2, and 24 of the Regulation).

4. The outcome of the investigation activity.

4.1. The processing of email metadata.

From the elements acquired in the context of the complex investigation activity, it is established, in particular, that, by virtue of the adoption of decree no. XX of XX (containing “Rules for the use of the regional council’s information technology tools”), email metadata were retained by the Region, in the absence of prior stipulation of a collective agreement with the trade union representatives (see art. 4, paragraph 1, of law no. 300 of 20 May 1970), for a long period of time, a total of 90 days, for IT security and technical assistance purposes as well as “for the purpose of offering assistance to users when a message is not delivered correctly” (see note of XX; see also, in a similar sense, note of XX).
It appears, however, that, during the investigation, the Region, also taking into account the indications of its Data Protection Officer, stated that it had concluded, in relation to the processing in question, a collective agreement with the competent trade union parties on XX with regard to non-managerial staff and on XX with regard to managerial staff. In this regard, it is generally noted that, since 2007, the Guarantor has been dealing with the processing carried out by the employer and concerning personal data relating to the use of network services by employees, with particular regard to the e-mail service and Internet browsing, also with general provisions (see "Guidelines of the Guarantor for e-mail and Internet" of 1 March 2007, no. 13, web doc. no. 1387522, which, although referring to the previous regulatory framework, contain principles and indications that are still valid). More recently, also on the basis of specific decisions on individual concrete cases (provision no. 409 of 1 December 2022, web doc. no. 9833530, and provision no. 303 of 13 July 2016, web doc. no. 5408460, the latter confirmed by the Court of Chieti with judgment no. 672 of 24 October 2019), the Guarantor has addressed the delicate issue of the preservation of email metadata, providing, lastly, indications and clarifications aimed at guiding the organizational and technical choices of employers with the “Guideline Document. Computer programs and services for managing email in the workplace and processing of metadata”, adopted, following public consultation, with provision no. 364 of 6 June 2024, web doc. no. 10026277.
In particular, email metadata, which technically correspond to the information recorded in the logs generated by the email management and sorting server systems and by the workstations in the interaction that occurs between the various interacting servers and, if applicable, between these and the clients, generally include the email addresses of the sender and recipient, the IP addresses of the servers or clients involved in the routing of the message, the times of sending, retransmission or reception, the size of the message, the presence and size of any attachments and, in certain cases, depending on the email service management system used, also the subject of the message sent or received. Email metadata are supported by guarantees of confidentiality, also protected by the Constitution (articles 2 and 15 of the Constitution), intended to ensure protection of the essential core of the dignity of the person and the full development of his or her personality in social groups. This means that, even in the work context, there is a legitimate expectation of confidentiality in relation to correspondence and, similarly, to the elements that can be derived from its external data, which define its temporal profiles (such as the date and time of sending/receiving) as well as the qualitative-quantitative aspects also in relation to the recipients and the frequency of contact, as these data are also, in turn, susceptible to aggregation, processing and control (see point 2 of the aforementioned Guideline Document; point 5.2 letter b), of the cited Guidelines; see also provision 1 December 2022, no. 409, web doc. no. 9833530 and provision 13 July 2016, no. 303, web doc. no. 5408460). The more specific national regulation pursuant to art. 88 of the Regulation exhaustively identifies the purposes (i.e. organizational, productive, work safety and protection of company assets) for which the tools, which also provide the possibility of remote control of workers' activities, can be used in the work context, establishing precise procedural guarantees (union agreement or public authorization; see art. 114 of the Code, which refers to art. 4, paragraph 1, law 20 May 1970, no. 300, as amended by Legislative Decree 14 September 2015, no. 151). Although the Region initially stated that e-mail is used by employees to perform work, in light of the national regulatory framework of the sector, the notion of "tools used by the worker to perform work" (pursuant to and for the purposes of art. 4, paragraph 2, of Law no. 300/1970) - which constitutes an exception to paragraph 1 and as such must be subject to strict interpretation, also given the resulting criminal responsibilities - can only include services, software or applications strictly functional to work performance. These principles have been applied in numerous provisions of the Guarantor, with reference to public and private work contexts, in which the issue of the distinction between paragraph 1 and paragraph 2 of art. 4 of Law no. 300/1970 and the different legal regime that derives from it has been addressed, evaluating, from time to time, the specificity of the processing operations and systems used in practice by the employer.
This, also in light of the guidelines of the jurisprudence, of the Ministry of Labour and of the National Labour Inspectorate, which apply this discipline within the scope of their institutional control functions, deeming the exception of paragraph 2 not applicable and finding paragraph 1 to apply instead, in cases where, for example, the system acts in ways that are not perceptible by the worker and in a completely independent manner with respect to the normal activity of the same or in the presence of systems that are not only functional to the performance but also allow further processing by the employer for the pursuit of its own purposes and especially in cases where such functions cannot be disabled by the employee (see, among the numerous provisions in the public sector, in particular, provision of 28 October 2021, no. 384, web doc. no. 9722661 as well as INL, circular no. 4 of 26 July 2017; provision of 13 May 2021, no. 190, web doc. no. 9669974; provision of 16 November 2017, no. 479, web doc. no. 7355533; provision of 13 July 2016, no. 303, web doc. 5408460; see also the numerous provisions cited, in the public and private context, in the Annual Reports of the Guarantor 2017-2023). These characteristics apply in the case of the processing of email metadata, if the same are collected and stored, in a preventive and generalized manner, for an extended period of time by the computer programs and services for the management of email. 
This is because such processing operations are carried out, for the employer's own needs, automatically and independently of the perception and will of the worker; furthermore, the aforementioned metadata remain exclusively available to the employer and, on his behalf, to the service provider, documenting the traffic even after any deletion of the message by the worker, who, instead, retains the availability of the messages that, as sender or recipient, he exchanges within the mailbox assigned to him by the employer, with the consequence that in such cases there is the risk of indirect remote control of the workers' activity. For these reasons, in such cases the exception referred to in paragraph 2 of art. 4 cannot generally be invoked, with paragraph 1 instead generally applying (see also Guideline Document, par. 3, cit., and provisions cited therein). In this context, in order for paragraph 2 of art. 4 of Law 20 May 1970, no. 300, to apply, the activity of collecting and storing only the metadata necessary to ensure the functioning of the electronic mail system infrastructure and the satisfaction of the most essential IT security guarantees, following technical assessments and in compliance with the principle of accountability, is considered to be able to be carried out, as a rule, for a period limited to a few days, in any case not exceeding 21 days, unless the controller, always in pursuit of the aforementioned purpose attributable to the scope of paragraph 2 of art. 4 of Law 20 May 1970, no. 300, adequately demonstrates the existence in concrete terms of particular conditions that make its extension necessary due to the specific nature of its technical and organizational reality.
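As an added illustration, not part of the decision and not code from the Region or any of its suppliers, the following Python sketch shows what the email metadata described above (sender and recipient addresses, client IP, timestamps, message size, delivery status) look like in practice in a mail server's logs, and how a retention window is applied to them. The log lines are Postfix-style syslog records constructed for this example (hostnames, addresses and IPs are made up), the 21-day default mirrors the upper bound stated in the text for metadata kept only to run the mail infrastructure, and all function names are the example's own.

```python
"""Added example (not from the Garante decision): parse constructed
MTA log lines into per-message email metadata and prune them by a
retention window.

The format is modelled on Postfix-style syslog output; the lines in
SAMPLE_LOG are constructed for this example and come from no real system.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: each message is tracked across an smtpd record
# (client IP), a qmgr record (sender, size) and an smtp record
# (recipient, delivery status), tied together by the queue id.
SAMPLE_LOG = """\
2025-01-10T09:15:02 mx1 postfix/smtpd[311]: A1B2C3: client=ws-042.corp.example[192.0.2.42]
2025-01-10T09:15:02 mx1 postfix/qmgr[120]: A1B2C3: from=<alice@corp.example>, size=48213, nrcpt=1 (queue active)
2025-01-10T09:15:03 mx1 postfix/smtp[402]: A1B2C3: to=<bob@partner.example>, relay=mx.partner.example[198.51.100.7]:25, status=sent (250 OK)
2025-02-03T17:40:10 mx1 postfix/smtpd[311]: D4E5F6: client=ws-017.corp.example[192.0.2.17]
2025-02-03T17:40:10 mx1 postfix/qmgr[120]: D4E5F6: from=<carol@corp.example>, size=1021, nrcpt=1 (queue active)
2025-02-03T17:40:12 mx1 postfix/smtp[402]: D4E5F6: to=<nobody@partner.example>, relay=mx.partner.example[198.51.100.7]:25, status=bounced (550 no such user)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) postfix/(?P<proc>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
# key=value pairs; angle-bracketed addresses may contain commas, so they
# are matched as a unit.
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")


def parse_mta_log(text):
    """Group log lines by queue id into one metadata record per message.

    Returns a dict qid -> record holding the fields the decision lists as
    email metadata: client IP, sender, recipient, timestamps, size, status.
    """
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: ignored, not stored
        rec = records.setdefault(m["qid"], {"host": m["host"], "events": []})
        rec["events"].append(datetime.fromisoformat(m["ts"]))
        rec["first_seen"] = min(rec["events"])
        rec["last_seen"] = max(rec["events"])
        for key, val in KV_RE.findall(m["rest"]):
            val = val.strip("<>")
            if key == "client":
                # "name[ip]" -> keep only the IP of the submitting client
                rec["client_ip"] = val[val.rfind("[") + 1:val.rfind("]")]
            elif key == "from":
                rec["sender"] = val
            elif key == "to":
                rec["recipient"] = val
            elif key == "size":
                rec["size"] = int(val)
            elif key == "status":
                rec["status"] = val
    return records


def prune_by_retention(records, now, max_days=21):
    """Drop records whose last event is older than max_days before `now`.

    The 21-day default mirrors the upper bound the text gives for metadata
    kept only to run the mail infrastructure; `now` may be a datetime or an
    ISO 8601 string.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cutoff = now - timedelta(days=max_days)
    return {qid: r for qid, r in records.items() if r["last_seen"] >= cutoff}


if __name__ == "__main__":
    recs = parse_mta_log(SAMPLE_LOG)
    kept = prune_by_retention(recs, "2025-02-10T00:00:00")
    for qid, r in kept.items():
        print(qid, r["sender"], "->", r["recipient"], r["client_ip"], r["status"])
```

Run against the constructed sample with a reference date of 10 February 2025, the 21-day window keeps only the February message (the January one is pruned), whereas a 90-day window, the period the Region applied, keeps both; the difference between the two runs is exactly the set of records that the text treats as going beyond the needs of the mail infrastructure itself.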
On the other hand, the widespread collection and storage of email metadata, for a longer period of time, in the presence of needs that can in any case be traced back to the security and protection of the employer's information assets, and which may lead to indirect remote control of workers' activities, requires the implementation of the guarantees provided for by art. 4, paragraph 1, of the aforementioned law of 20 May 1970, no. 300 (see provision of 1 December 2022, no. 409, web doc. no. 9833530 and provision of 13 July 2016, no. 303, web doc. no. 5408460; these principles were most recently reiterated in point 3 of the aforementioned Guideline Document). Having noted, therefore, that, in this case, the aforementioned email metadata, relating to messages exchanged by workers via individually assigned accounts, were - and still are - retained by the Region for 90 days, it must be considered, as confirmed by the Region itself, that within the margins of this broad time interval, the processing purpose actually pursued cannot be traced back only to the scope of the mere functioning of the email system infrastructures and its regular use, including the most essential guarantees of security of the service (paragraph 2 of art. 4), rather configuring itself as an activity functional to the protection of the integrity of the information assets and IT security, a purpose attributable to paragraph 1 of art. 4 (see collective agreements of XX and XX, where the purpose of "guaranteeing the security of the tools assigned to the staff, and more generally protecting the information assets of the Institution" is also taken into account).
In this context, with regard to the period prior to the signing of the aforementioned agreements, the circumstance that the Region retained the metadata relating to emails older than 7 days "through a report in CSV format" (see note of XX) cannot be considered sufficient to exclude the Region's liability, nor can the fact that, in this case, "the operator did not directly access the metadata but necessarily had to download a CSV report from which to reconstruct the information useful for the requested assistance" (see note of XX). This is because, as stated by the Region, "the elements that differentiate the metadata retained for the shorter period compared to those retained for the longer period, concern exclusively the speed/ease with which to retrieve the information necessary for resolving the assistance problem" and, therefore, after the first 7 days from the collection of the metadata, for the following 83 days they can still be accessed by each operator responsible for the technical assistance service, after downloading the aforementioned report (see note of XX). This measure, which is also appreciable in terms of data minimization, is not, in fact, suitable to remedy, prior to the stipulation of the aforementioned collective agreements in compliance with the guarantee procedures referred to in art. 4, paragraph 1, of Law 20 May 1970, no. 300, the lack of a legal basis, contrary to what was claimed by the Region in the context of the investigation and, lastly, in its own defense briefs of XX. Nor can it be invoked, for the purposes of the lawfulness of the overall processing, that the identification, by the Region, of the 90-day term for the retention of email metadata occurred before the publication of the aforementioned Guideline Document on metadata or that "only after the public consultation, specifically in the month of XX, the Guarantor Authority, […] revised the retention time of email metadata, going from 7 to 21 days".

This is because, as also stated by the Region itself, the clarifications provided through the aforementioned Document, also following the public consultation to which it was submitted, are "in line with the previous interpretation" supported by the Authority, in line with a consolidated orientation, since 2016 (see provision of 13 July 2016, no. 303, web doc. no. 5408460, confirmed by the Court of Chieti with sentence no. 672 of 24 October 2019; see also, subsequently, provision of 1 December 2022, no. 409, web doc. no. 9833530). The Region itself, moreover, in the period immediately following the inspections (XX) - and therefore even before the publication of the guidance indications contained in the first version of the Guideline Document on metadata, of December 2023 - had already undertaken internal activities aimed at conforming the aforementioned processing operations to the data protection regulations, also by initiating specific discussions with the trade unions in view of the signing of the relevant agreements (see note of XX, "the Administration, considering what emerged during the inspection, is evaluating the ways in which to address the issue at the trade unions, preliminarily representing to the RSU the binding aspects deriving from the Microsoft license"; see also note of XX, "the issue of the collective agreement on the correct use of IT tools and in particular with regard to the use of email and possible remote checks of workers, will be the subject of discussion at the next trade unions, in agreement with the Data Protection Officer").
Nor, again, can the circumstance that, in this case, "the unions did not request the activation of bargaining tables" (see minutes of the XX) be relevant for data protection purposes, given that, pursuant to the regulatory provisions on remote controls, the obligation to take action to reach the stipulation of the collective agreement falls in any case on the employer, as the data controller, since the inertia of the union representatives in this regard cannot be invoked to exclude the liability that art. 4 of Law no. 300 of 20 May 1970 places on the employer. It must therefore be concluded that the processing in question was carried out in the absence of the procedural guarantees provided for by art. 4, paragraph 1, of Law no. 300 of 20 May 1970, in violation of arts. 5, paragraph 1, letter a), 6 and 88, paragraph 1, of the Regulation, as well as 114 of the Code, up to XX for non-managerial staff and up to XX for managerial staff, since the Region on those dates entered into the aforementioned collective agreements with the competent trade union parties.

4.2. The processing of Internet navigation logs.

From the elements acquired in the context of the complex investigative activity, it is established, in particular, that, by virtue of the adoption of decree no. XX of XX (containing “Rules for the use of the regional council’s information and communication tools”), Internet browsing logs - consisting of information relating to websites visited by employees, including those relating to failed attempts to access sites already registered in a special black list, to which access is in any case blocked by the system - were collected and stored by the Region in the absence of prior stipulation of a collective agreement with the trade union representatives (see art. 4, paragraph 1, of law 20 May 1970, no. 300).
During the investigation, the Region, also taking into account the indications of its Data Protection Officer, stated that it had concluded, in relation to the processing operations in question, a collective agreement with the competent trade union parties on XX for non-managerial staff and on XX for managerial staff. As regards the profiles of relevance for the purposes of the aforementioned legislation on remote monitoring of workers' activities, both the collection and subsequent storage of Internet browsing logs require compliance with art. 4, paragraph 1, of Law no. 300 of 20 May 1970, given that systems that allow the tracking of Internet access cannot, in general, be included within the scope of applicability of art. 4, paragraph 2, unlike systems for automatically inhibiting online consultation (without storage of access attempts), by employees, of specific content prohibited by the organization to which they belong. The systematic collection and storage of all log files generated by the use of the Internet in the context of the employment relationship - including those relating to failed attempts to access sites already registered in a special black list, to which access is however blocked by the system - giving rise, in fact, to a generalized processing of data relating to the activity and use of network services by employees who are in any case identifiable, entails, in the presence of a unique connection with the employee and with his specific workstation, the possibility of reconstructing his activity through the use of technological systems, with the consequence that, in such cases, the employer is required to ensure compliance with the procedural guarantees provided for by art. 4, paragraph 1, of Law 20 May 1970, no. 300, which constitutes, as mentioned above, a condition of lawfulness of the same processing of the data in question.
This principle has been confirmed, over time, by the Guarantor, in many cases (see, in the public sphere, provision of 13 May 2021, no. 190, web doc. no. 9669974, and provision of 13 July 2016, no. 303, web doc. no. 5408460; see also, with regard to the private work context, provision of 12 December 2024, no. 771, web doc. no. 10096474). Acknowledging, therefore, that the Region, having adopted decree no. XX of XX, collected and processed all Internet browsing logs of its employees without having previously signed a collective agreement with the competent trade unions, which the Region itself appears to have reached only on XX and XX, it must be considered that the processing in question occurred, within the limits of that time frame, in violation of Articles 5, paragraph 1, letter a), 6 and 88, paragraph 1, of the Regulation, as well as 114 of the Code (in relation to Article 4, paragraph 1, of Law No. 300 of 20 May 1970). Having said this, it is further observed that, in general, the processing must in any case be "necessary" with respect to the legitimate purpose pursued (art. 6, par. 1 of the Regulation) and have as its object only the data "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (art. 5, par. 1, letter c), of the Regulation). From another but related perspective, based on the principle of "storage limitation", personal data must be "kept in a form which permits identification of data subjects for a period of time not exceeding the achievement of the purposes for which they are processed" (art. 5, par. 1, letter e), of the Regulation).
In this perspective, in consideration of the risk that the rights and freedoms of the data subjects are exposed to, the data controller must also adopt - "by design" and "by default" (Article 25 of the Regulation) - appropriate technical and organizational measures to implement the principles of data protection, integrating into the processing the necessary guarantees to meet the requirements of the Regulation and protect the rights and freedoms of the data subjects (see "Guidelines 4/2019 on Article 25 - Data protection by design and by default", adopted by the European Data Protection Board on 20 October 2020, esp. points 42, 44 and 49). This obligation "also applies to […] the retention period […]" of the data (Article 25, paragraph 2, of the Regulation). It should also be noted that since 1970, public and private employers have been prohibited from collecting or otherwise processing “even through third parties” personal data relating to “the political, religious or trade union opinions of the worker, as well as [… to] facts not relevant for the purposes of assessing the professional aptitude of the worker” (see art. 8 of law 20 May 1970, no. 300, and art. 10 of legislative decree 10 September 2003, no. 276, expressly referred to in art. 113 of the Code). As highlighted on numerous occasions by the Guarantor and by jurisprudence also at supranational level, Internet navigation logs, especially if they include log files relating to failed attempts to access sites already registered in a special black list, to which access is in any case blocked by the system, may concern aspects of the personal sphere and private life of employees (articles 8 of the European Convention on Human Rights and 7 of the Charter of Fundamental Rights of the European Union). This is considering that the boundary between the work and professional sphere and the strictly private one cannot always be drawn clearly. 
In cases where the employee is connected to the network services made available by the employer or uses a company resource also through personal devices and, in particular, when working remotely, there is a legitimate expectation of confidentiality for the employee (see, in this regard, the judgments of the European Court of Human Rights Niemietz v. Germany, 16.12.1992, ref. no. 13710/88, spec. par. 29; Copland v. UK, 03.04.2007, ref. no. 62617/00, spec. par. 41; Bărbulescu v. Romania [GC], 5.9.2017, ref. no. 61496/08, spec. pars. 70-73 and 80; Antović and Mirković v. Montenegro, 28.11.2017, ref. no. 70838/13, spec. pars. 41-42; see also, with regard to the case law explored by the Guarantor over the years, in particular provision of 13 May 2021, no. 190, web doc. no. 9669974, and provision of 13 July 2016, no. 303, web doc. no. 5408460). The processing of such data, carried out by means of information technology in the context of the employment relationship, must therefore comply with the respect for fundamental rights and freedoms as well as the dignity of the data subject, for the protection of workers and third parties (see Recommendation CM/Rec(2015)5 of the Committee of Ministers to Member States on the processing of personal data in the employment context, esp. point 3; Article 29 Working Party, Opinion no. 2/2017 on data processing at the workplace, WP 249, par. 5).
In this context, the need to reduce the risk of improper use of Internet browsing by employees, consisting of activities not related to work performance (for example, viewing irrelevant websites, uploading or downloading files, using network services for recreational purposes or purposes unrelated to work) cannot, in fact, justify any form of interference in private life, but, as traditionally stated by the Guarantor, can generally be satisfied by preparing technical and organizational measures suitable for preventing at the root that any information relating to the non-work sphere is collected, giving rise to the processing of "irrelevant" personal information that falls within the scope of application of art. 113 of the Code (see, in this regard, "Guidelines on electronic mail and the Internet", provision of 1 March 2007, no. 13, web doc. no. 1387522 in particular, point 5.2., letter a), the principles of which can still be considered valid; see also provision of 13 May 2021, no. 190, web doc. no. 9669974, provision of 13 July 2016, no. 303, web doc. no. 5408460, and provision of 21 July 2011, no. 308, web doc. no. 1829641, confirmed by the Court of Cassation, sentence no. 18302 of 19 September 2016). With regard to the specific case, the system adopted by the Region for network security purposes, in its current configuration, allows for the tracking of connections and links to Internet sites visited by employees, including failed attempts to access websites indicated in the appropriate black list, the storage of such data and their retention for 365 days, and involves the processing of information that is also unrelated to professional activity. In particular, as regards the temporal depth of the storage of the aforementioned data, the Region, in the perspective of the principle of "accountability" (art. 5, par. 2, of the Regulation), has determined the term of 365 days also taking into account the indications provided by other authorities for the profiles of relative competence as well as, more generally, in the light of studies and systematic observations of the dynamics of security incidents that can be caused by web browsing, especially in the scenarios that most recently tend to materialize in the current context. In the light of a global assessment of the characteristics of the system and the consequent permitted processing operations (preventive and generalized collection of data relating to connections to the websites of individual employees, storage for a prolonged period of time and the possibility of tracing the navigation of individual employees), it must be considered that, despite the presence of some measures on a technical and organizational level, the processing in question cannot yet be considered overall proportionate with respect to the purpose pursued by the Region, namely that of network security. In this regard, however, we take note of the internal procedures of the Region, whereby Internet navigation logs can be accessed in two specific cases, namely in the event of a request from the judicial authority or in the event of the detection of particular, motivated and predetermined traffic anomalies, subject to timely recognition and cataloging by the Region.
Similarly, we also take note of the circumstance whereby the Region, not having sufficient information to independently trace the identity of the employee who browsed the Internet, can identify the interested parties by correlating the information separately stored by the three suppliers it uses in this context, one having only the IP address of the machine used by the employees, the other only the information relating to the association between the IP of the machine and the respective MAC address and the other still of the data concerning the mere association between the MAC address of the machine and the name of the employee to whom it is assigned. This organizational measure, giving rise to a form of separation of the data in question, does not in fact preclude the data controller, employer, from tracing the identity of the employee who browsed the Internet, with the cooperation of the three suppliers and by relating the information that each of them retains, on behalf of and in the interest of the Region, as data controller. For these reasons, in order to ensure full compliance with data protection legislation and with a view to preventing possible detrimental effects for the interested parties in the delicate work and professional context, the nature of the processing operations in progress and, in general, the sensitivity of the data collected and retained for a long period of time, as described above, require, in the reference context, the necessary adoption of the specific additional measures indicated in paragraph 6 of this provision. 
The methodology identified by the Region and, in general, the technical and organizational measures implemented, also in terms of minimization, cannot, in fact, be considered sufficient, at present, to completely overcome the critical issues highlighted above and to make the overall processing proportionate, since they do not ensure the effective implementation of the principles of data protection and the integration of all the guarantees necessary to protect the rights and freedoms of the data subjects. In light of the above considerations, it must be concluded that, on the basis of an overall assessment of the elements that emerged during the investigation, the system currently used by the Region, which allows for the recording of detailed data regarding the Internet resources visited by employees, gives rise, as things stand, to a systematic collection of numerous personal data, including data not pertinent to the performance of the work, and to prolonged storage of the same, and is therefore not compliant with the data protection regulations and in violation of Articles 5, paragraph 1, letters a), c) and e), and 25 of the Regulation, and 113 of the Code, with reference to art. 8 of Law 20 May 1970, no. 300 and art. 10 of Legislative Decree 10 September 2003, no. 276.

4.3. Failure to carry out a data protection impact assessment pursuant to art. 35 of the Regulation.

In this case, the processing of email and Internet browsing metadata was also carried out in the absence of a preliminary data protection impact assessment pursuant to art. 35 of the Regulation. In implementation of the accountability principle (see art. 5, par. 2, of the Regulation), it is up to the controller to assess whether the processing to be carried out is likely to present a high risk to the rights and freedoms of natural persons - by reason of the technologies used and considering the nature, the object, the context and the purposes pursued - which makes a prior data protection impact assessment necessary (see recital 90 of the Regulation). Taking into account the indications provided also at European level on this point, it is noted, however, that both the processing of metadata relating to the use of the email service - consisting in the systematic collection of external data relating to email correspondence (including information relating to the sender/recipient and the subject of each email) and in the related storage for 90 days - and the processing of logs relating to Internet browsing - consisting in the preventive and generalized collection of data concerning the connections of individual employees to websites and in the related storage for 365 days - entail specific risks for the rights and freedoms of data subjects in the workplace (art. 35 of the Regulation). This is both in consideration of the particular “vulnerability” of data subjects in the workplace context (see recital 75 and art. 88 of the Regulation and criterion no. 3 indicated in the “Guidelines on data protection impact assessment and the criteria for determining whether a processing operation is ‘likely to result in a high risk’ pursuant to Regulation 2016/679”, WP 248 of 4 April 2017, which, among the categories of vulnerable data subjects, expressly mention “employees”) and of the fact that in this context, differently from what was claimed by the Region, the use of systems involving “systematic monitoring”, understood as “processing used to observe, monitor or control data subjects, including data collected via networks” (see criterion no. 3 indicated in the Guidelines), may present risks - as in the case in question - in terms of possible monitoring of the activity of employees (see arts. 35 and 88, par. 2, of the Regulation). As already noted above, in fact, in the presence of certain specific characteristics or functions, these tools may lead to unintentional control of the employee's activity. These principles have been reiterated by the Guarantor, most recently in the aforementioned Guideline Document (see point 2), as well as in the provision of 11 October 2018, no. 467, web doc. no. 9058979, annex no. 1, which expressly mentions the "processing carried out in the context of the employment relationship through technological systems [...] from which the possibility of carrying out remote control of the employees' activity derives", and in various decisions on individual specific cases (see, among others, provision of 13 May 2021, no. 190, web doc. no. 9669974, par. 3.5). For these reasons, while acknowledging that, albeit belatedly and during the investigation, the Region has finally provided evidence of the performance of the impact assessments of the aforementioned processing operations (see note of XX), it is noted that, prior to this fulfillment, the same were carried out in the absence of an impact assessment and therefore in violation of art. 35 of the Regulation.

4.4. Further considerations on the processing of email metadata and Internet browsing logs.

As for the charge relating to the use for disciplinary purposes, in two specific cases, of the logs relating to Internet browsing and use of the email service by employees, collected and processed in the absence of the conditions set out in art. 4, paragraph 1, of Law 20 May 1970, no. 300, we take note of the clarifications provided in the note of XX.
In particular, with this note, the Region, in providing new and more specific elements, clarified that "neither of the two disciplinary proceedings was initiated through the use of email or Internet browsing logs"; it must therefore be concluded that, for the profiles within the Authority's competence, the conditions for asserting liability of the Region in relation to the use, for purposes related to the employment relationship, of data collected and processed in violation of the provisions of art. 4, paragraph 1, of Law 20 May 1970, no. 300 do not exist in this case (see arts. 5, paragraph 1, letter a), 6 and 88 of the Regulation and 114 of the Code, in relation to art. 4, paragraph 3, of Law 20 May 1970, no. 300).

4.5. The processing of data relating to requests for technical assistance.

The investigation revealed that the data relating to requests for technical assistance present in the “OTRS” ticketing system, which was subsequently decommissioned, were retained by the Region for the entire duration of the contractual relationship with the service provider, due to needs related to the administrative management of the service itself. In this regard, the Region, noting that “the feasibility of technical interventions aimed at minimizing the visibility of tickets that were no longer open required implementation times that were longer than the scheduled time for decommissioning”, decided to “intervene organizationally by accelerating the decommissioning of the [“OTRS” ticketing system]” (see note of XX) and highlighted that on XX “the supplier communicated via PEC that it had proceeded with the irreversible cancellation of the database of the ITSM OTRS tool […]” (see note of XX).
In light of the preliminary investigation, it also appears that, initially, the Region intended to retain the data relating to requests for technical assistance via the new “SDAS” ticketing system for a maximum total period of 78 months (72 months due to needs related to the management of the service and a further 6 months in order to “carry out residual contractual activities such as accounting, payments, verification of the regular execution of the contract”; see minutes of XX). Even taking into account that the Region had declared that it would hold a monthly meeting between the suppliers of the technical assistance service and the "information systems structure (SAL) to verify the progress of the work and take stock of the situation, monitor the SLAs, identify any critical issues such as excessive number of tickets, particular and repeated problems" (see minutes of XX), and that the regular scheduling of such meetings did not justify such a prolonged retention of the data in question, the Region, within the framework of the initiatives progressively undertaken during the investigation to ensure the compliance of such processing with the data protection regulations, has decided, also in the light of specific discussions with the service provider, to reduce the aforementioned period to 12 months. Although, in general, the needs for accounting, invoicing and remuneration of services can normally be satisfied even without resorting to the processing of personal data or, if necessary, by anonymizing the existing data and therefore retaining only the information strictly necessary to allow the comparison between the service actually provided and that contractually envisaged (see, in this regard, although in reference to another type of service, provision of 24 May 2017, no. 247, web doc. no. 6495708; see also provision of 2 October 2014, web doc. no. 3534543, and provision no. 427 of 19 July 2018), the following is noted.
Having taken note of the assessments carried out by the Region, in the perspective of the principle of accountability (see art. 5, par. 2, of the Regulation), with reference to the new ticketing system “SDAS” and, in particular, the declared need to retain the aforementioned data in clear text for a period of time equal to one year in light of the specificities of the complex organizational reality of the Region, it should be noted that, instead, the retention of data relating to requests for technical assistance in the decommissioned “OTRS” system appears to have continued for a particularly long period of time. In particular, from the documentation acquired during the inspection it emerged that the requests for technical assistance from the employee staff of which the Region still retained traces dated back to 2016; this information was retained until XX, the date on which the provider of this service communicated “that it had proceeded with the irreversible cancellation of the database of the ITSM OTRS tool” (see note of XX). Since there were no adequate reasons to justify such a prolonged retention of the data in question, it must therefore be concluded that the processing of data relating to requests for technical assistance in relation to the decommissioned “OTRS” system was carried out in conflict with the principles of storage limitation and protection of personal data by design and by default, in violation of Articles 5, paragraph 1, letter e), and 25 of the Regulation.

4.5.1. The relationship with the suppliers responsible for providing the technical assistance service with reference to the “OTRS” system being decommissioned.
In light of what emerged from the documents, it is also established that the agreement pursuant to Article 28 of the Regulation stipulated with the three suppliers, which the Region currently uses for the purposes of providing the technical assistance service, did not concern - up until the date of stipulation of the contractual addendum, which occurred during the investigation - the processing of personal data contained in the "OTRS" system carried out by the aforementioned suppliers during the transitional phase of decommissioning of the system in question. In this regard, it is highlighted that, in the context of the preparation of technical and organizational measures that meet the requirements established by the Regulation, also in terms of security (articles 4, no. 7), 24 and 32 of the Regulation), the data controller may avail itself of a data processor to carry out certain processing activities, to whom it gives specific instructions (see articles 4, no. 8), 28 and recital 81 of the Regulation). In this context, the relationship between the controller and the processor must be regulated by a contract or other legal act, in written form, which, in binding the processor to the controller, contains, among other things, an indication of the “subject matter” (i.e. the object of the processing, which “must be formulated with sufficient specifications so that […] it is clear” - see European Data Protection Board, “Guidelines 07/2020 on the concepts of controller and processor under the GDPR”, v. 2.0, adopted on 7 July 2021), the “type of personal data” and the “categories of data subjects” as well as the necessary documented instructions regarding the processing (Article 28, paragraphs 3 and 9, of the Regulation). Given that, in the case in question, the effectiveness of the agreement pursuant to art. 28 of the Regulation in force between the Region and the new service providers did not appear to have been extended to the processing of data contained in the “OTRS” system, it cannot be considered that, limited to this specific objective scope of processing, the same satisfies the requirements analytically identified by art. 28, par. 3, of the Regulation (see, in particular, the subject matter regulated, the duration, the nature and purpose of this specific processing, the type of personal data and the categories of data subjects as well as the specific documented instructions given by the Region in this regard). For the reasons above, while acknowledging the signing of the contractual addendum with the three aforementioned providers during the XX, with which the parties agreed that the processing activities envisaged by the agreement pursuant to art. 28 of the Regulation already stipulated “were also carried out through the OTRS ticketing system” (see note of XX), it appears that, prior to the signing of the aforementioned addendum, the processing of personal data contained in the “OTRS” system occurred in violation of art. 28 of the Regulation.

5. Conclusions.

In light of the assessments referred to above, it is noted that the declarations made by the data controller during the investigation - for the truthfulness of which it may be held accountable pursuant to art. 168 of the Code - although worthy of consideration, do not allow all the findings notified by the Office with the act of initiation of the proceeding to be overcome and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply. The unlawfulness of the processing of personal data carried out by the Lombardy Region is confirmed on the basis that, in the terms set out in the grounds:
- the processing of email metadata was carried out in violation of Articles 5, par. 1, letter a), 6, 35 and 88 of the Regulation, as well as 114 of the Code;
- the processing of Internet navigation logs was carried out in violation of Articles 5, par. 1, letters a), c) and e), 6, 25, 35 and 88 of the Regulation, as well as 113 and 114 of the Code;
- the processing of personal data contained in the OTRS system was carried out in violation of Articles 5, par. 1, letter e), 25 and 28 of the Regulation.
The violation of the aforementioned provisions entails, pursuant to art. 2-decies of the Code and “except as provided for by Article 160-bis”, the unusability of the personal data processed. Violation of the aforementioned provisions also makes the administrative sanction applicable pursuant to Articles 58, paragraph 2, letter i), and 83, paragraph 5, of the Regulation itself, as also referred to in Article 166, paragraph 2, of the Code.

6. Corrective measures (Article 58, paragraph 2, letter d), of the Regulation).

With reference to the profiles of unlawfulness of the processing of web navigation logs associated with employees, which still persist (see, in particular, paragraph 4.2 of this provision), pursuant to Article 58, paragraph 2, letter d), of the Regulation, it is deemed necessary to order the Lombardy Region to adopt - within ninety days of notification of this provision - additional technical and organizational measures suitable to ensure that the actual possibility of tracing the identity of the individual employee who has carried out the web browsing is extremely unlikely in practice.
In particular, in addition to the measures already adopted by the Region, consisting in detail of:
- the separation of the data in question, given that, of the three suppliers - data processors - that the Region uses in this context, one holds only the IP address of the machine used by the employees, another only the information relating to the association between the IP of the machine and the respective MAC address, and the third only the data concerning the mere association between the MAC address of the machine and the name of the employee to whom it is assigned;
- the precise identification of the conditions under which the Region proceeds with the processing that allows it to trace the identity of the individual employees who have carried out web browsing (particular, motivated and predetermined security anomalies and specific requests by the judicial authority);
it is considered necessary that - also taking into account the application experience gained by the Guarantor in various investigations involving other public administrations with characteristics similar to those of the Region in terms of territorial extension, areas of competence and number of employees - the Region ensures the adoption, in the specific context of reference, of the following additional measures:
- the anonymization of the logs relating to failed access attempts to the websites listed in the appropriate black list, including those currently present in the systems;
- the reduction to 90 days of the retention period of Internet browsing logs, with the possibility of retention for a further period after anonymization of the same, so as not to allow the identifiability of the employee (see art. 5, par. 1, letter e), of the Regulation), and without prejudice to the deletion of personal data present in the web browsing logs recorded in the systems for over 90 days;
- that, in the presence of one of the aforementioned security anomalies, the verification activities are generally carried out by the Region, with a view to graduality and progression, at the level of individual organizational structures and not at the individual level, limiting the possibility of granular and specific interventions on the individual workstation to only those cases in which checks at an aggregate level have previously been attempted without success (see art. 5, par. 1, letter c), and 25 of the Regulation);
- the encryption of the data concerning the names of the employees assigned to the machines (see art. 32, par. 1, letter a), of the Regulation), providing in this regard specific documented instructions to the supplier who, as data processor, processes such data on behalf of and in the interest of the Region itself (art. 28 of the Regulation);
- that the processing of the data in question is in any case carried out by a strictly limited number of authorised natural persons, specifically selected for this purpose, who must receive an express designation and specific instructions in relation to the risks associated with the processing in question (see art. 2-quaterdecies of the Code and arts. 28, 29 and 32, par. 4, of the Regulation), as may be provided for by the internal procedures of the Region and by the documented instructions that the Region itself must provide to suppliers pursuant to art. 28 of the Regulation, which for this purpose must therefore be appropriately updated and periodically reassessed in order to verify their adequacy and effectiveness (articles 5, paragraph 2, 24 and 32 of the Regulation);
- the updating of the agreements already stipulated pursuant to art. 4 of Law 20 May 1970, no. 300, with the trade union representatives in light of the measures indicated above.
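As an added illustration (not code from the decision, the Region or its suppliers), the following Python sketch applies the retention measures listed above to constructed proxy log lines: failed attempts to reach blacklisted sites are anonymized regardless of age, identifiable records are kept for at most 90 days, and older records survive only as daily per-host counts with no client identifier. The log format, field names and function names are assumptions.

```python
"""Retention policy for web-browsing logs modelled on the corrective measures
of paragraph 6 (added example; not code from the Region, its suppliers or the
Authority). The log line format, field names and function names are assumed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Measure: identifiable browsing logs are kept for at most 90 days.
IDENTIFIABLE_RETENTION = timedelta(days=90)


@dataclass(frozen=True)
class LogEntry:
    ts: datetime
    client_ip: str   # the only identifier this supplier holds (IP->MAC and MAC->name sit elsewhere)
    host: str
    blocked: bool    # True for a failed access attempt to a blacklisted site


def parse_line(line: str) -> LogEntry:
    """Parse one constructed proxy log line: '<ISO timestamp> <client_ip> <host> <ALLOWED|BLOCKED>'."""
    ts, ip, host, verdict = line.split()
    if verdict not in ("ALLOWED", "BLOCKED"):
        raise ValueError(f"unknown verdict {verdict!r} in line {line!r}")
    return LogEntry(datetime.fromisoformat(ts), ip, host, verdict == "BLOCKED")


def apply_policy(entries, now):
    """Split entries into those that may keep the client identifier and an
    anonymized aggregate for everything else.

    Returns (identifiable, aggregated):
      identifiable - LogEntry objects newer than 90 days that are not blocked attempts;
      aggregated   - Counter keyed by (day, host, blocked), with no client identifier.
    Anonymization here means dropping the identifier and collapsing to daily
    counts, not hashing the IP: a keyed hash is still pseudonymous and would
    remain linkable through the other suppliers' IP->MAC->name tables."""
    cutoff = now - IDENTIFIABLE_RETENTION
    identifiable = []
    aggregated = Counter()
    for e in entries:
        if e.blocked or e.ts < cutoff:
            aggregated[(e.ts.date().isoformat(), e.host, e.blocked)] += 1
        else:
            identifiable.append(e)
    return identifiable, aggregated


def policy_violations(identifiable, now):
    """Check the retained identifiable set: no blocked attempts, nothing older than 90 days."""
    cutoff = now - IDENTIFIABLE_RETENTION
    return [e for e in identifiable if e.blocked or e.ts < cutoff]


# Constructed sample: the decision date serves as "now"; IPs and hosts are made up.
NOW = datetime(2025, 4, 29, tzinfo=timezone.utc)
SAMPLE_LOG = """\
2025-04-20T10:00:00+00:00 10.0.1.15 intranet.example ALLOWED
2025-04-21T09:30:00+00:00 10.0.1.15 news.example ALLOWED
2025-01-30T09:00:00+00:00 10.0.1.15 news.example ALLOWED
2025-01-28T16:45:00+00:00 10.0.1.15 news.example ALLOWED
2025-01-10T11:15:00+00:00 10.0.1.22 news.example ALLOWED
2025-04-22T12:00:00+00:00 10.0.1.22 gambling.example BLOCKED
2025-04-22T12:01:00+00:00 10.0.1.22 gambling.example BLOCKED
"""


def run_sample():
    """Parse the constructed log, apply the policy and verify the retained set."""
    entries = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
    identifiable, aggregated = apply_policy(entries, NOW)
    assert not policy_violations(identifiable, NOW)
    return identifiable, aggregated


if __name__ == "__main__":
    kept, agg = run_sample()
    print(f"{len(kept)} identifiable entries retained (<= 90 days, no blocked attempts)")
    for key, n in sorted(agg.items()):
        print("anonymized:", key, n)
```

A daily count of 1 for a rarely visited host can still single out a person when combined with other records, so the aggregation granularity is itself a design decision to revisit in the impact assessment.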
Pursuant to art. 157 of the Code, the Region must also communicate to this Authority the initiatives it intends to undertake to ensure that the processing complies with the data protection regulations, within thirty days of notification of this provision.

7. Adoption of the injunction order for the application of the administrative pecuniary sanction and the accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to Articles 58, paragraph 2, letter i) and 83 of the Regulation as well as Article 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019). In this case, three distinct conducts attributable to the Lombardy Region can be identified (the first in relation to the processing of email metadata; the second relating to the processing of Internet navigation logs; finally, the third relating to the processing of personal data relating to requests for technical assistance from employees in the decommissioned “OTRS” system), which must therefore be considered separately for the purposes of quantifying the administrative sanctions to be applied.

7.1. Processing of email metadata (paragraphs 4.1 and 4.3 of this provision).
Considering that the violation of the provisions cited in the previous paragraphs 4.1 and 4.3 of this provision occurred as a result of a single conduct (same processing or processing operations linked to each other), Article 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violation concerns Articles 5, 6 and 88 of the Regulation and 114 of the Code, subject to the administrative sanction provided for by Article 83, paragraph 5, of the Regulation, the total amount of the sanction is to be quantified up to €20,000,000. The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation. Taking into account that:
- the processing of email metadata concerns forms of correspondence supported by guarantees of confidentiality also protected by the Constitution (arts. 2 and 15 of the Constitution) (art. 83, par. 2, letters a) and g), of the Regulation);
- despite the fact that, also on the indication of the data protection officer, the Region, following the publication of the provision of 1 December 2022, no. 409, web doc. no. 9833530, had already started an internal reflection on the need to reach a collective agreement with the trade union representatives regarding such processing, and despite the fact that it finally signed the aforementioned agreement in accordance with the provisions of art. 4 of Law 20 May 1970, no. 300 and even before the publication of the updated version of the Guidance Documents on the matter, the processing was previously started and carried out for a long time in a manner that did not comply with the sector regulations on the use of technological tools in the workplace and with the indications provided over time by the Guarantor, for the profiles within its competence (art. 83, par. 2, letters a) and b), of the Regulation);
it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions pursuant to the GDPR” of 24 May 2023, point 60).
That said, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into consideration:
- the Region offered full cooperation with the Authority during the investigation, taking prompt action - already following the performance of inspection activities by the Authority itself - to ensure the conformity of its personal data processing policies with the legislation on personal data protection, as well as taking care to demonstrate over time the measures progressively adopted in this framework; in particular, the Region has documented that it had entered into a collective agreement with the competent trade unions for non-managerial staff already on XX and, therefore, even before and independently of the outcome of the public consultation to which the Policy Document on metadata was submitted in the month of XX, thereby demonstrating, also thanks to the virtuous contribution of its Data Protection Officer, an appreciable attention to the regulation for the protection of personal data and to the Authority's guidelines, expressed consistently since the publication, in 2007, of the "Guidelines on electronic mail and the Internet"; the Region has also documented that it has entered into a further collective agreement on XX for managerial staff and that it has carried out, in this regard, data protection impact assessments pursuant to art. 35 of the Regulation (art. 83, par. 2, letters c) and f), of the Regulation);
- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the conduct in question, or previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation).
In light of the aforementioned elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction at EUR 20,000 (twenty thousand/00) for the violation of arts. 5, par. 1, letter a), 6, 35 and 88 of the Regulation, as well as 114 of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive. It is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this chapter containing the injunction order should be published on the website of the Guarantor. This is in consideration of the fact that the email metadata, which have been processed for a long time in the absence of the procedural guarantees provided for by the sector legislation on remote controls, concern forms of correspondence supported by guarantees of confidentiality also protected by the Constitution. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

7.2. The processing of Internet browsing logs (paragraphs 4.2 and 4.3 of this provision).

Taking into account that the violation of the provisions cited in the previous paragraphs 4.2 and 4.3 of this provision took place as a result of a single conduct (same processing or processing operations linked to each other), art. 83, par. 3, of the Regulation applies, according to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious infringement. Considering that, in the case in question, the most serious infringement concerns Articles 5, 6 and 88 of the Regulation and 113 and 114 of the Code, subject to the administrative sanction provided for by Article 83, paragraph 5, of the Regulation, the total amount of the sanction is to be quantified up to EUR 20,000,000. The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by Article 83, paragraph 2, of the Regulation. Considering that:
- the processing of logs relating to Internet browsing of the Region's employees also concerns aspects of the personal sphere and private life of employees, legal interests also protected by the supranational regulatory framework (Articles 8 of the European Convention on Human Rights and 7 of the Charter of Fundamental Rights of the European Union; Article 83, paragraph 2, letters a) and g), of the Regulation);
- the Region has nevertheless shown that it has adopted, in this case, specific technical and organizational measures to limit the risk to the rights and freedoms of the data subjects, even if these are not yet entirely sufficient to ensure full compliance with the legislation on the protection of personal data (Article 83, paragraph 2, letters a) and b), of the Regulation);
it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).
Given the above, it is believed that, for the purposes of quantifying the sanction, the following circumstances must be taken into consideration:
- the Region offered full cooperation with the Authority during the investigation, taking prompt action - already following the performance, by the Authority itself, of the inspection activities - to ensure the compliance of its personal data processing policies with the legislation on the protection of personal data, as well as taking care to demonstrate over time the measures progressively adopted in this framework (Article 83, paragraph 2, letters c) and f), of the Regulation);
- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the conduct in question, or previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation).
In light of the aforementioned elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction at EUR 25,000 (twenty-five thousand/00) for the violation of arts. 5, par. 1, letters a), c) and e), 6, 25, 35 and 88 of the Regulation, as well as 113 and 114 of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive. It is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this chapter containing the injunction order must be published on the website of the Guarantor.
This is in consideration of the fact that the Internet browsing logs, which have been processed for a long time in the absence of the procedural guarantees provided by the sector legislation on remote controls, also concern aspects of the personal sphere and private life of employees and are still retained by the Region for a long period of time in the absence of sufficient technical and organizational measures to ensure the overall lawfulness of the processing. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

7.3. The processing of data relating to requests for technical assistance from employees referred to in the decommissioned “OTRS” system (paragraphs 4.5 and 4.5.1).

Taking into account that the violation of the provisions cited in the previous paragraphs 4.5 and 4.5.1 of this provision occurred as a result of a single conduct (same processing or processing operations linked to each other), Article 83, paragraph 3, of the Regulation applies, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violation concerns Article 5, paragraph 1, letter e), of the Regulation, subject to the administrative sanction provided for by Article 83, paragraph 5, of the Regulation, the total amount of the sanction is to be quantified up to EUR 20,000,000. The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for by Article 83, paragraph 2, of the Regulation.
Considering that:
- the Region has not demonstrated suitable reasons to support such a prolonged retention of the data contained in the “OTRS” ticketing system, which related to requests for technical assistance dating back over time; furthermore, the Region had already entered into an agreement pursuant to art. 28 of the Regulation with the suppliers responsible for providing the technical assistance service, even though such contractual provisions, as noted above, had not been expressly extended by the parties also to the processing of personal data carried out within the “OTRS” system, which was in the process of being decommissioned at the time of the facts in question (see art. 83, par. 2, letter a), of the Regulation);
- the violation did not concern particular categories of data (see art. 83, par. 2, letter g), of the Regulation);
it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).
Given the above, it is believed that, for the purposes of quantifying the sanction, the following circumstances must be taken into consideration:
- the Region offered full cooperation with the Authority during the investigation, also documenting that, during the XX, it concluded a contractual addendum with the three aforementioned suppliers, with which the parties regulated, in terms of data protection, the processing carried out within the “OTRS” system until the date of its complete decommissioning (Article 83, paragraph 2, letters c) and f), of the Regulation);
- there are no previous relevant violations committed by the data controller, having the same nature as those ascertained in relation to the conduct in question, or previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation).
In light of the aforementioned elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of €5,000.00 (five thousand/00) for the violation of arts. 5, par. 1, letter e), 25 and 28 of the Regulation, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive. It is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor n. 1/2019, this chapter containing the injunction order should be published on the Guarantor's website. This is in consideration of the fact that, in particular, the Region has not demonstrated suitable reasons to support such prolonged retention of the data contained in the "OTRS" ticketing system, which in fact concerned requests for technical assistance dating back to 2016. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 exist.
GIVEN ALL THE ABOVE, THE GUARANTOR
a) declares, pursuant to art. 57, par. 1, letters a) and h), of the Regulation, the unlawfulness of the processing carried out by the Lombardy Region due to violation of arts. 5, par. 1, letters a), c) and e), 6, 25, 28, 35 and 88 of the Regulation, as well as 113 and 114 of the Code, in the terms set out in the reasons;
b) requires the aforementioned Region, pursuant to art. 58, par. 2, letter d) of the Regulation, to comply, within 90 days from the date of notification of this provision, with the provisions set out in paragraph 6 of this provision;
c) requires the aforementioned Region, pursuant to art. 58, par. 1, letter a), of the Regulation, and art. 157 of the Code, to communicate, providing adequately documented feedback, within 30 days from notification of this provision, the initiatives it intends to undertake in relation to what is indicated in the previous letter b); failure to respond to a request formulated pursuant to art. 157 of the Code is punishable by an administrative sanction, pursuant to the combined provisions of art. 83, par. 5, of the Regulation and 166 of the Code;
ORDERS the Lombardy Region, in the person of its legal representative pro-tempore, with registered office in Piazza Città Di Lombardia, 1 - 20124 Milan (MI), C.F. 80050050154, to pay the sum of Euro 50,000.00 (fifty thousand/00) as an administrative pecuniary sanction for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;
ORDERS the aforementioned Region, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €50,000.00 (fifty thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;
ORDERS
- pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;
- pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the Authority's website;
- pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, par. 2 of the Regulation, in the internal register of the Authority provided for by art. 57, par. 1, letter u) of the Regulation.
Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no.
150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.
Rome, 29 April 2025
THE PRESIDENT Stanzione
THE REPORTER Stanzione
THE ACTING SECRETARY GENERAL Filippi
[web doc. no. 10134221]
Provision of 29 April 2025
Register of provisions n. 243 of 29 April 2025
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi, Acting Secretary General;
SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);
HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (hereinafter “Code”);
HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no.
1/2019”);
Having seen the documentation in the files;
Having seen the observations formulated by the acting secretary general pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;
Rapporteur Prof. Pasquale Stanzione;
WHEREAS
1. Introduction.
As part of investigations initiated ex officio in order to verify compliance with the rules on the protection of personal data in relation to the processing carried out in the workplace, also with reference to the methods of carrying out the so-called “agile work”, the Authority conducted an inspection, pursuant to art. 58, par. 1, of the Regulation and arts. 157 and 158 of the Code, against the Lombardy Region.
2. The preliminary investigation.
The inspections carried out (see minutes of XX, XX and XX, in the files) revealed, in particular, that: the use of IT equipment by staff “is regulated by the “Decree on rules for the use of information technology tools” no. XX of XX of the Regional Council”; more specifically with regard to the agile working method, “no different rules have been established for remote processing compared to in-person processing […]”; Internet browsing by employees “is free with the exception of sites present in a constantly updated black list”; “all logs relating to browsing are kept, including failed attempts to access the aforementioned sites” (see next note of the XX); "in the event of motivated requests, they are made available only to the judicial authority. It is possible to trace the navigation carried out by a particular machine by reconnecting the information (stored separately) of the user and the machine's IP as indicated [... in] decree XX. This reconnection is also carried out in the event that the systems detect particular traffic anomalies [...]
the aforementioned decree was adopted following a process of sharing with the unions and referred to in the same decree. In any case, an agreement has not been stipulated with the unions pursuant to article 4 paragraph 1 of Law 300/1970 given that [...] the Region believes that the processing carried out in this regard cannot be traced back to the remote controls that fall within the scope of application of that law [... and] the unions have not requested the activation of bargaining tables [...;] the logs relating to Internet navigation are stored for 12 months on the servers of ARIA, appointed as data controller, within the framework agreement for the management of the technological infrastructure which includes networking, secure navigation service management, with a specific assignment”; the email service (Microsoft 365) “is managed by ARIA through a specific assignment within the scope of the agreement”; “the email service logs (metadata) are collected by ARIA and stored for 90 days to allow for any technical assistance and […] no employee has access to the same logs”; the Region subsequently “specified that, also in light of the provision of the Guarantor against the Lazio region of XX on the processing of metadata relating to the use of email by employees, the Region has initiated, internally, a reflection at the instigation of the DPO which has involved the Council and the ARIA data controller, for the aspects of competence”; the Region declared that “Internet browsing and email logs have never been used to verify the behavior of an employee”; the Region added that, in the last five years, "two disciplinary proceedings have been initiated against employees, one for alleged use of devices not compliant with the [aforesaid] decree [XX] and one for alleged behavior not appropriate to the instructions given in data processing"; with regard to the methods of managing the technical assistance service for employees (on-site or in smart working), at the time of the
inspections in question, "a telephone number dedicated to technical assistance" was foreseen, which "with the new contract [would have been] supported by a specific portal accessible from the intranet and the Internet"; in this regard, the Region also stated that "since there is an IT contact in all directions, employees can contact this figure to open technical assistance tickets. The help desk service uses the SDAS platform [...]. This service is managed by remote operators who either resolve the problem during the user's call or forward the ticket to remote or on-site support [...]. For each ticket, an opening and closing email is sent to the requesting employee"; “tickets are kept in the ticket management system for the entire duration of the contract, in particular the data of the new SDAS system will be stored for 78 months (6 years + additional 6 months necessary to carry out the residual contractual activities such as accounting, payments, verification of the regular execution of the contract) as provided for in the appointment act. 
A meeting is held monthly between suppliers and the information systems structure (SAL) to verify the progress of the work and take stock of the situation, monitor the SLAs, identify any critical issues such as excessive number of tickets, particular and repeated problems which, as a rule, do not involve the processing of personal identifying data”; “in addition to the supplier company's staff, some employees of the information systems structure access the ticket management system, identified on the basis of specific tasks, with visibility on all tickets opened by the Entity's employees as well as the IT referents of the directorates, the latter with visibility only on the directorate's assets”; until XX, the OTRS - Open Source Help Desk System system was in use, which, however, at the time of the inspections, was still "used by the staff of the new supplier who took over the service contract for the management of assets not yet replaced as per the new contract and tickets still open before XX" and would also have been used "until the complete decommissioning of the assets managed in the old contract, [following which] all the data [would have been] deleted". In relation to the aspects indicated above, with a subsequent note, received on XX, the Region, also in resolution of the reservations formulated during the inspection, represented, in particular, the following: - regarding the conservation of the logs generated by the Internet navigation of the employees, "Aria - manager of the proxy service - keeps the navigation logs with only the information relating to the IP address of the machine. The network manager (Fastweb) has the information relating to the association between the IP of the machine and the MAC ADDRESS of the machine itself. The manager of the PdL (Engineering) has the information relating to the association between the MAC ADDRESS of the machine and the name of the user assigned to the machine itself. 
Individually, no manager, therefore, is able to independently trace the complete information between the navigation carried out and the user who performed it"; - “the types of security alarms constantly analyzed automatically and anonymously consist of: DoS/DDoS attacks; infected workstations and servers; attempted attacks on systems and/or applications and/or services; exploitation of vulnerabilities; systems connected to Botnets; data exfiltration; intrusions; compromise of systems and/or applications and/or services; unauthorized modification or deletion of data; sending of phishing emails; communication with IPs, domains, URLs attributable to malicious activities. When one of these types occurs, the probability that this alarm could generate actual damage to the infrastructure (and the information contained therein) is assessed. Only the occurrence of this condition triggers the in-depth analysis procedure which, as a last resort, involves the identification of the infected workstation. In the last 12 months, no cases have occurred that have determined an alert such as to have to activate the reconnection procedure”; - with regard to the metadata generated by the use of the email service by the Region's employees, "the administrators of the email tenant have the possibility of conducting a tracking operation of the mail transited by the Exchange server. 
The information that Microsoft allows to be collected on the basis of this search is available for 7 days directly on the server, and includes: date and time of the message; sender's address; recipient's address; subject of the email; status (information on the correct delivery of the message or, alternatively, on the reason why it was not correctly delivered); size of the message (expressed in KB or MB, including the size of any attachments); message header (text file containing the unique identifier of the message and information regarding the transit)"; “for emails older than 7 days, Microsoft allows you to collect a smaller amount of information through a CSV report. The information that can be acquired in this way remains available to administrators for 90 days, and includes: message timestamp; sender address; recipient address with any status (this report only acquires emails received by the server and addressed to the destination, emails that the server blocks upstream are not tracked); email subject; message size (expressed in bytes, including the size of any attachments); unique message identifier”; “the 90-day retention parameter is set by Microsoft (license release conditions) and administrators do not have the option to reduce it. The information made available by tracking is used solely for the purpose of offering assistance to users when a message is not delivered correctly”; more specifically concerning the applicability of the legislation on the use of remote monitoring of workers, the Region highlighted that "the personal computer and the email box provided by the Administration to employees are necessary for carrying out daily work activities and, therefore, must be considered as essential work tools. The Administration, precisely on the basis of the distinction between control tools referred to in paragraph 1 and work tools referred to in paragraph 2, considered that the union requirements referred to in paragraph 1 were not necessary. 
The Administration, considering what emerged during the inspection, is evaluating the ways in which to address the issue at the union tables, preliminarily representing to the RSU the binding aspects deriving from the Microsoft license"; - with reference to the solutions aimed at ensuring compliance with the principles of minimization and limitation of the storage of data processed by the technical assistance service, "first of all it should be noted that the data generated by the ticketing system are of an operational nature and are consulted for the purposes of assistance and administrative management of the Service Level Agreements (SLA). In particular, during the technical table the Supplier was immediately asked to verify the technical possibility of storing information relating to tickets longer than 12 months in anonymous mode, for administrative purposes related to contract management. In practice, the complete databases, including the user's identification data and the subject of the request, may be stored for 12 months to ensure an adequate assistance service. Subsequently, after 12 months, the identification data of users and operators will be made anonymous, with the possibility of storing and using the anonymized databases for administrative purposes"; - with reference to the rotation of suppliers responsible for providing technical assistance services to employees and access to data contained in the OTRS system, in the process of being decommissioned, upon resolution of the reservations expressed in the minutes, the Region declared that it "considers adopting an addendum [... to the agreements stipulated pursuant to art. 
28 of the Regulation] in order to regulate the processing of previous data contained in the old ticketing system until the assets are completely decommissioned and the environment relating to the previous supply is formatted"; the Region therefore sent the Authority the draft of the aforementioned contractual addendum currently being formalized with the suppliers of the new SDAS system. Following the inspection activity and, in particular, the examination of the supplementary documentation subsequently transmitted by the Region also to resolve the reservations formulated during the inspection, the Office, in noting the need to acquire further elements and clarifications deemed indispensable in order to complete the investigative framework, addressed to the Region a request for further information and clarifications, to which feedback was provided, at different times and with subsequent communications, also in order to document to the Authority the measures progressively adopted by the Region to conform the processing to the data protection regulations (see notes of XX, XX, XX and XX). In particular, in acknowledging with note of XX that on XX it had reached the conclusion of the collective agreement pursuant to art. 4, paragraph 1, of Law 20 May 1970, n. 300, with the trade unions representing only non-managerial staff, the Region sent a copy of the aforementioned agreement to the Authority, also attaching evidence of the performance of the data protection impact assessment pursuant to art. 35 of the Regulation and of the information provided pursuant to art. 13 of the Regulation. It also stated that "the update to the Infotelematics Decree is being finalized in order to make it consistent with the signed acts". Subsequently, with a note of XX, the Region, with regard to managerial staff, also sent a copy of a separate agreement stipulated on XX pursuant to art. 4, paragraph 1, of Law 20 May 1970, no. 
300 with the trade unions representing managerial staff as well as the aforementioned Decree no. XX of XX relating to the update of the document "Rules for the use of the Regional Council's infotelematic services". With note of XX, the Office, on the basis of the elements acquired from the checks carried out and the facts that emerged during the investigation, notified the Lombardy Region, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation on the assumption that the processing of the personal data in question had been carried out: due to failure to comply with the sector regulations on remote controls in reference to the conservation of metadata generated by the activity of the employee staff in relation to both the use of the email service and Internet browsing, in violation of arts. 5, paragraph 1, letter a), 6 and 88, paragraph 1, of the Regulation as well as 114 of the Code (in relation to art. 4, paragraph 1, of Law 20 May 1970, no. 300); given the failure to comply with the conditions set out in the sector regulations with regard to the use of metadata collected for other purposes related to the management of the employment relationship, in violation of Articles 5, paragraph 1, letter a), 6 and 88 of the Regulation and 114 of the Code (in relation to Article 4, paragraph 3, of Law No. 300 of 1970); due to the excess of the retention times of the logs relating to Internet browsing as well as the data relating to requests for technical assistance, in violation of Articles 5, paragraph 1, letter e), and 25 of the Regulation; given the collection of data not related to work activity with reference to the retention of Internet browsing logs, in violation of Articles 5, paragraph 1, letter a), c), 6, 88, paragraph 1, of the Regulation and 113 of the Code (in relation to articles 8 of Law 20 May 1970, no. 300 and 10 of Legislative Decree no. 
276/2003); in the absence of carrying out a data protection impact assessment with reference to the processing of metadata relating to the use of electronic mail and logs relating to Internet browsing, in violation of art. 35 of the Regulation; given the inadequate regulation pursuant to art. 28 of the Regulation of the relationship with the suppliers of the technical assistance service in reference to the processing of personal data contained in the OTRS system, in violation of art. 28 of the Regulation. With the same note, the aforementioned owner was invited to produce written defenses or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the law of 24 November 1981, no. 689). With note of XX, the Lombardy Region presented a defense brief, declaring, in particular, that: “the employer […] has used systems that determine the processing of personal data referred or referable to workers only and exclusively for purposes necessary to ensure the functioning of the infrastructures and of a purely technical nature, such as the detection of anomalies, suspected cyber attacks or for maintenance, in compliance with art. 4, second paragraph, of the Workers' Statute and in line with the contents of art. 32 paragraph 1 letter d) of the GDPR”; “The Lombardy Region believed that the retention of metadata for 90 days for technical purposes, relating to the correct functioning and regular use of the email system [...], together with correct and transparent information for workers, with anonymous, indirect and gradual checks, could be sufficient to fall within the scope of application of the second paragraph of Article 4 of the Workers' Statute. Only with the provision against the Lazio Region in the month of XX, the Guarantor Authority [… indicated] a specific time frame beyond which it is presumed that paragraph 1 of Article 4 of the Workers' Statute applies. 
Before this provision, the Guarantor Authority had never indicated a precise deadline that served as a watershed for determining the scope of application between the first and second paragraphs of Article 4 of the Workers' Statute.[…] Only after the public consultation, precisely in the month of XX, the Guarantor Authority, although in line with the previous interpretation, revised the retention time of the electronic mail metadata, going from 7 to 21 days, thus making the guidance document effectively applicable to all data controllers, the effectiveness of which was suspended during the public consultation period”; “The Lombardy Region, which has always paid particular attention to the provisions of the Guarantor, also with the support of the privacy office and the DPO, also following the inspection activity against the Lazio Region and in light of this additional time specification provided by the Guarantor Authority, subsequently crystallized with the publication of the address document “Programs and IT services for managing electronic mail in the workplace and processing of metadata” on XX, has considered the preparation of an adjustment, signing, at the end of a trade union discussion process, the agreement with the trade union representatives, reached on XX for the sector staff and on XX for the management staff, in relation to the conservation of electronic mail metadata and Internet browsing logs, reviewing the previous approach, also in relation to the infotelematic decree, shared in a spirit of full collaboration with the Guarantor Authority”; with regard to the storage of log files relating to Internet browsing, “Regione Lombardia has never implemented massive, prolonged, constant and indiscriminate controls in relation to its employees using the information collected, without ever using personal information, even if not pertinent or suitable to reveal religious, philosophical or other beliefs, political opinions, the state of health or sexual
life. […] Regione Lombardia through its Rules had implemented technical and organizational measures that prevented its operators from independently tracing the complete information between the browsing carried out and the user who performed it. Storage has always and only concerned anonymous data and stored separately at the individual suppliers. […] Furthermore, […] only the occurrence [… of the conditions already indicated in the note of XX, concerning certain “types of security alarms”] triggered the in-depth analysis procedure which, as a last resort, provided for the identification of the infected workstation, also in accordance with the provisions of the Guidelines [… of the] Authority of 2007. […] The measure of technical security of the need for reunification, aimed at ensuring an effective minimization of personal data, excludes a control of workers”; always with reference to the storage of log files relating to Internet browsing, "from a technical point of view, [...] in designing an effective Incident Response strategy, the regional administration has also relied on a methodical approach, starting first of all from a correct identification of incidents. In fact, more and more attacks do not immediately generate a security alarm (such as, for example, a peak in the use of the network bandwidth) but are composed of many small actions that exploit the use of Internet connectivity (e.g. calls at unusual times, repeated in multiple periods, etc.) that only analyzed overall over time allow us to trace the origin of the attack. APT (Advanced Persistent Threat) attacks are known for their extended duration over time. 
Unlike traditional attacks, APTs do not aim to gain rapid and immediate access, but rather to infiltrate a network discreetly and remain there for a long time to collect sensitive information or cause damage on a large scale or recover all the information necessary to trigger Ransomware attacks which, as is known, undermine in a single hit, integrity, availability and, in case of theft before the attack, the confidentiality of the processed data. The analysis of browsing logs is one of the factors to take into account to evaluate potentially dangerous anomalous behaviors in the long term. On average, an APT attack can last several months or even years.”; As for the dispute relating to the use of metadata for disciplinary purposes in the absence of the conditions provided for by the sector regulations in this regard, the Region, in providing further elements, provided clarifications regarding the previous declarations made, specifying that “neither of the two disciplinary proceedings was initiated through the use of email or Internet browsing logs”; With regard to the definition of the retention period of data relating to requests for technical assistance from employees following the closure of tickets, “within the regional organization, anonymizing/deleting each individual ticket at the time of closing the same would not guarantee an adequate assistance service since, in the event that a single user reports recurring anomalies, it would not be possible to fully analyze and resolve the problem”; As for the failure to carry out a data protection impact assessment pursuant to art.
35 of the Regulation with reference to the processing of metadata relating to the use of email and Internet browsing logs, “according to the [… “Guidelines on data protection impact assessment and the criteria for determining whether a processing operation is "likely to result in a high risk" under Regulation 2016/679”, WP 248 of 4 April 2017], in most cases a controller may consider that a processing operation that meets two criteria should be subject to a data protection impact assessment. In the case in question, only criterion number 7 is applicable in relation to data relating to vulnerable data subjects, while, in the opinion of this Administration, criteria number 3 (systematic monitoring) and number 8 (innovative use or application of new technological or organizational solutions) are absolutely not applicable”; as regards the detected lack of some of the essential elements of the agreement referred to in art. 28 of the Regulation with the suppliers responsible for providing the technical assistance service, “the main appointment as data controller by the three suppliers of the technical assistance service […] described […] the technical assistance activity by fully identifying the subject matter regulated, the nature and purpose of the processing, the type of personal data and the categories of data subjects, although without adequately specifying the supporting tool and the reference dates. Following what emerged during the inspection by the Guarantor, it was deemed appropriate to provide for an addendum to the existing appointment to better clarify that the same activities described in the processing [… in question] were also carried out through the OTRS ticketing system”. Finally, with a subsequent note of XX, the Region communicated that it did not wish to avail itself of the right to take part in the hearing pursuant to art. 166, paragraph 6, of the Code. 3. 
The applicable legislation: the legislation on the protection of personal data in the workplace and the performance of work activities in agile mode. According to the legislation on the protection of personal data, the employer may process the personal data of workers, including those relating to particular categories of data (see art. 9, paragraph 1, of the Regulation), if the processing is necessary, in general, for the management of the employment relationship and to fulfil specific obligations or tasks arising from the sector legislation (art. 6, paragraph 1, letter c), 9, paragraph 2, lett. b) and 4; 88 of the Regulation). The processing is also lawful when it is "necessary for the performance of a task carried out in the public interest or in connection with the exercise of official authority vested in the data controller" (Articles 6, paragraphs 1, letter e), 2 and 3 of the Regulation; 2-ter of the Code). In this context, the processing of personal data carried out in the context of the execution of the agile employment contract - regulated by a regulation aimed at encouraging the adoption of new ways of organizing work based on spatial-temporal flexibility, evaluation by objectives and the conciliation of working life with private life (Articles 18 to 23 of Law 22 May 2017, no. 81) - is subject to the same legal bases referred to above that typically occur in the workplace. The employer must also comply with national regulations, which "include appropriate and specific measures to safeguard human dignity, legitimate interests and fundamental rights of the data subjects, in particular with regard to transparency of processing […] and monitoring systems in the workplace” (Articles 6, paragraph 2, and 88, paragraph 2, of the Regulation). On this point, the Code, confirming the system prior to the amendments introduced by Legislative Decree no.
101 of 10 August 2018, makes express reference to the national sector provisions that protect the dignity of people in the workplace, with particular reference to possible controls by the employer (Articles 113 “Data collection and relevance” and 114 “Guarantees regarding remote monitoring”). As a result of this reference, and taking into account Article 88, paragraph 2, of the Regulation, compliance with Articles 4 and 8 of Law no. 300 of 20 May 1970 and Article 10 of Legislative Decree no. 297/2003 (in cases where the conditions are met) constitutes a condition of lawfulness of the processing. These provisions constitute, in the internal legal system, the more specific and more protective provisions referred to in art. 88 of the Regulation - for this purpose the subject of a specific notification by the Guarantor to the Commission (available at: https://ec.europa.eu/info/law/law-topic/dataprotection/data-protection-eu/eu-countries-gdpr-specific-notifications_en) pursuant to art. 88, par. 3, of the Regulation - the violation of which, similarly to the specific processing situations of Chapter IX of the Regulation, also determines the application of administrative pecuniary sanctions pursuant to art. 83, par. 5, letter d), of the Regulation. The data controller is, in any case, required to comply with the principles of data protection (art. 5 of the Regulation) and is responsible for implementing appropriate technical and organizational measures in light of the specific risks arising from the processing, and must be able to demonstrate that the processing is carried out in accordance with the Regulation (articles 5, paragraph 2, and 24 of the Regulation).

4. The outcome of the investigation.

4.1. The processing of email metadata.

From the elements acquired in the context of the complex investigation, it is established, in particular, that, by virtue of the adoption of decree no.
XX of XX (containing “Rules for the use of the regional council’s information and telematic tools”), email metadata were retained by the Region, in the absence of prior stipulation of a collective agreement with the trade union representatives (see art. 4, paragraph 1, of law no. 300 of 20 May 1970), for a long period of time, overall equal to 90 days, for IT security and technical assistance purposes as well as “for the purpose of offering assistance to users when a message is not delivered correctly” (see note of XX; see also, in a similar sense, note of XX). It appears, however, that, during the investigation, the Region, also taking into account the indications of its Data Protection Officer, stated that it had concluded, in relation to the processing operations in question, a collective agreement with the competent trade union parties on XX for non-managerial staff and on XX for managerial staff. In this regard, it is generally noted that, since 2007, the Guarantor has over time dealt with the processing operations implemented by the employer concerning personal data relating to the use of network services by employees, with particular regard to the e-mail service and Internet browsing, also with general provisions (see "Guidelines of the Guarantor for e-mail and Internet" of 1 March 2007, no. 13, web doc. no. 1387522, which, although referring to the previous regulatory framework, contain principles and indications that are still valid). More recently, also on the basis of specific decisions on individual concrete cases (provision of 1 December 2022, no. 409, web doc. no. 9833530, and provision of 13 July 2016, no. 303, web doc. no. 5408460, the latter confirmed by the Court of Chieti with sentence no.
672 of 24 October 2019), the Guarantor has addressed the delicate issue of the conservation of email metadata, providing, lastly, indications and clarifications aimed at guiding the organizational and technical choices of employers with the “Guideline document. Computer programs and services for managing electronic mail in the workplace and processing of metadata”, adopted, following public consultation, with provision of 6 June 2024, no. 364, web doc. no. 10026277. In particular, electronic mail metadata, which technically correspond to the information recorded in the logs generated by the server systems for managing and sorting electronic mail and by the workstations in the interaction that occurs between the various interacting servers and, if applicable, between these and the clients, generally include the email addresses of the sender and recipient, the IP addresses of the servers or clients involved in routing the message, the times of sending, retransmission or receipt, the size of the message, the presence and size of any attachments and, in certain cases, depending on the management system of the electronic mail service used, also the subject of the message sent or received. Email metadata are protected by guarantees of confidentiality, also constitutionally protected (articles 2 and 15 of the Constitution), intended to ensure protection of the essential core of the dignity of the person and the full development of his or her personality in social groups. 
This means that, even in the work context, there is a legitimate expectation of confidentiality in relation to correspondence and, similarly, to the elements that can be derived from its external data, which define its temporal profiles (such as the date and time of sending/receiving) as well as the qualitative and quantitative aspects also in relation to the recipients and the frequency of contact, as these data are also, in turn, susceptible to aggregation, processing and control (see point 2 of the aforementioned Guideline Document; point 5.2 letter b), of the cited Guidelines; see also provision 1 December 2022, no. 409, web doc. no. 9833530 and provision 13 July 2016, no. 303, web doc. no. 5408460). The most specific national legislation pursuant to art. 88 of the Regulation strictly identifies the purposes (i.e. organizational, productive, workplace safety and protection of company assets) for which the tools, which also provide the possibility of remote monitoring of workers' activities, can be used in the work context, establishing specific procedural guarantees (union agreement or public authorization; see art. 114 of the Code, which refers to art. 4, paragraph 1, law 20 May 1970, no. 300, as amended by Legislative Decree 14 September 2015, no. 151). Although the Region initially stated that e-mail is used by employees to perform work, in light of the national regulatory framework of the sector, the notion of "tools used by the worker to perform work" (pursuant to and for the purposes of art. 4, paragraph 2, of Law no. 300/1970) - which constitutes an exception to paragraph 1 and as such must be subject to strict interpretation, also given the resulting criminal responsibilities - can only include services, software or applications strictly functional to work performance.
These principles have been applied in numerous provisions of the Guarantor, with reference to public and private work contexts, in which the issue of the distinction between paragraph 1 and paragraph 2 of art. 4 of Law no. 300/1970 and the different legal regime that derives from it has been addressed, evaluating, from time to time, the specificity of the processing operations and systems used in practice by the employer. This is also in line with the guidance of the case law, of the Ministry of Labour and of the National Labour Inspectorate, which apply this discipline within the scope of their institutional control functions, deeming the exception of paragraph 2 not applicable and finding paragraph 1 to apply instead, in cases where, for example, the system acts in ways that are not perceptible by the worker and in a completely independent manner with respect to the normal activity of the same, or in the presence of systems that are not only functional to the performance but also allow further processing by the employer for the pursuit of its own purposes, and especially in cases where such functions cannot be disabled by the employee (see, among the numerous provisions in the public sector, in particular, provision of 28 October 2021, no. 384, web doc. no. 9722661 as well as INL, circular no. 4 of 26 July 2017; provision of 13 May 2021, no. 190, web doc. no. 9669974; provision of 16 November 2017, no. 479, web doc. no. 7355533; provision of 13 July 2016, no. 303, web doc. 5408460; see also the numerous provisions cited, in the public and private context, in the Annual Reports of the Guarantor 2017-2023). These characteristics apply in the case of the processing of email metadata, if the same are collected and stored, in a preventive and generalized manner, for an extended period of time by the computer programs and services for the management of email.
This is because such processing operations are carried out, for the employer's own needs, automatically and independently of the perception and will of the worker; furthermore, the aforementioned metadata remain exclusively available to the employer and, on his behalf, to the service provider, documenting the traffic even after the eventual cancellation of the message by the worker, who, instead, maintains the availability of the messages that, as sender or recipient, he exchanges within the mailbox assigned to him by the employer, with the consequence that in such cases there is the risk of indirect remote control of the workers' activity. For these reasons, in such cases the exception referred to in paragraph 2 of art. 4 cannot generally be invoked, with paragraph 1 instead generally applying (see also the aforementioned Guideline Document, par. 3, and the provisions cited therein). In this context, in order for paragraph 2 of art. 4 of Law 20 May 1970, n. 300, to apply, the activity of collecting and storing only the metadata necessary to ensure the functioning of the infrastructure of the electronic mail system and the satisfaction of the most essential guarantees of IT security, following technical assessments and in compliance with the principle of accountability, is considered permissible, as a rule, for a period limited to a few days, in any case not exceeding 21 days, unless the controller, always in pursuit of the aforementioned purpose attributable to the scope of paragraph 2 of art. 4 of law 20 May 1970, no. 300, adequately demonstrates the concrete occurrence of particular conditions that make its extension necessary due to the specificities of its technical and organizational reality.
Differently, the widespread collection and storage of email metadata, for a longer period of time, in the presence of needs that can in any case be traced back to the security and protection of the employer's information assets, which may lead to indirect remote control of workers' activities, requires the implementation of the guarantees provided for by art. 4, paragraph 1, of the aforementioned law of 20 May 1970, no. 300 (see provision of 1 December 2022, no. 409, web doc. no. 9833530 and provision of 13 July 2016, no. 303, web doc. no. 5408460; these principles were lastly reiterated in point 3 of the aforementioned Guideline Document). Having noted, therefore, that, in this case, the aforementioned email metadata, relating to messages exchanged by workers via individually assigned accounts, were - and still are - retained by the Region for 90 days, it must be considered, as confirmed by the Region itself, that within the margins of this broad time interval, the processing purpose actually pursued cannot be traced back only to the scope of the mere functioning of the email system infrastructures and its regular use, including the most essential guarantees of security of the service (paragraph 2 of art. 4), but rather amounts to an activity functional to the protection of the integrity of the information assets and IT security, a purpose attributable to paragraph 1 of art. 4 (see collective agreements of XX and XX, where the purpose of "guaranteeing the security of the tools assigned to the staff, and more generally protecting the information assets of the Institution" is also taken into account).
In this context, with regard to the period prior to the signing of the aforementioned agreements, the circumstance that the Region retained the metadata relating to emails older than 7 days "through a report in CSV format" (see note of XX), so that, in this case, "the operator did not directly access the metadata but necessarily had to download a CSV report from which to reconstruct the information useful for the requested assistance" (see note of XX), cannot be considered sufficient to exclude the Region's liability. This is because, as stated by the Region, "the elements that differentiate the metadata retained for the shorter period compared to those retained for the longer period, concern exclusively the speed/ease with which to retrieve the information necessary for resolving the assistance problem" and, therefore, after the first 7 days from the collection of the metadata, for the following 83 days they can still be accessed by each operator responsible for the technical assistance service, after downloading the aforementioned report (see note of XX). This measure, which is also appreciable in terms of data minimization, is not, in fact, suitable to fill, prior to the stipulation of the aforementioned collective agreements in compliance with the guarantee procedures referred to in art. 4, paragraph 1, of Law 20 May 1970, no. 300, the lack of legal basis, contrary to what was claimed by the Region in the context of the investigation and, lastly, in its own defense briefs of XX. Nor can it be invoked, for the purposes of the lawfulness of the overall processing, that the identification, by the Region, of the 90-day term for the conservation of email metadata occurred before the publication of the aforementioned Guideline Document on metadata or that "only after the public consultation, specifically in the month of XX, the Guarantor Authority, […] revised the retention time of email metadata, going from 7 to 21 days".
This is because, as also stated by the Region itself, the clarifications provided through the aforementioned Document, also following the public consultation to which it was submitted, are "in line with the previous interpretation" supported by the Authority, in line with a consolidated orientation, since 2016 (see provision of 13 July 2016, no. 303, web doc. no. 5408460, confirmed by the Court of Chieti with sentence no. 672 of 24 October 2019; see also, subsequently, provision of 1 December 2022, no. 409, web doc. no. 9833530). The Region itself, moreover, in the period immediately following the inspections (XX) - and therefore even before the publication of the guidance notes contained in the first version of the Guideline Document on metadata, of December 2023 - had already undertaken internal activities aimed at conforming the aforementioned processing operations to the data protection regulations, also by initiating specific discussions with the trade unions with a view to signing the relevant agreements (see note of XX, "the Administration, considering what emerged during the inspection, is evaluating the ways in which to address the issue with the trade unions, preliminarily representing to the RSU the binding aspects deriving from the Microsoft license"; see also note of XX, "the issue of the collective agreement on the correct use of IT tools and in particular with regard to the use of email and possible remote checks of workers, will be the subject of discussion at the next trade union meetings, in agreement with the Data Protection Officer").
Nor, again, can the circumstance that, in this case, "the unions did not request the activation of bargaining tables" (see minutes of the XX) be relevant for data protection purposes, given that, pursuant to the regulatory provisions on remote controls, the obligation to take action to reach the stipulation of the collective agreement falls in any case on the employer, as the data controller, since the inertia of the union representatives in this regard cannot be invoked to exclude the liability that art. 4 of Law no. 300 of 20 May 1970 places on the employer. It must therefore be concluded that the processing in question was carried out in the absence of the procedural guarantees provided for by art. 4, paragraph 1, of Law no. 300 of 20 May 1970, in violation of Articles 5, paragraph 1, letter a), 6 and 88, par. 1, of the Regulation, as well as 114 of the Code, up to XX for non-managerial staff and up to XX for managerial staff, since the Region on those dates entered into the aforementioned collective agreements with the competent trade union parties.

4.2. The processing of Internet navigation logs.

From the elements acquired in the context of the complex investigative activity, it is established, in particular, that, by virtue of the adoption of decree no. XX of XX (containing “Rules for the use of the regional council’s information and communication tools”), Internet browsing logs - consisting of information relating to websites visited by employees, including those relating to failed attempts to access sites already registered in a special black list, to which access is in any case blocked by the system - were collected and stored by the Region in the absence of prior stipulation of a collective agreement with the trade union representatives (see art. 4, paragraph 1, of law 20 May 1970, no. 300).
During the investigation, the Region, also taking into account the indications of its Data Protection Officer, stated that it had concluded, in relation to the processing operations in question, a collective agreement with the competent trade union parties on XX for non-managerial staff and on XX for managerial staff. As regards the profiles of relevance for the purposes of the aforementioned legislation on remote monitoring of workers' activities, both the collection and subsequent storage of Internet browsing logs require compliance with art. 4, paragraph 1, of Law no. 300 of 20 May 1970, given that systems that allow the tracking of Internet access cannot, in general, be included within the scope of applicability of art. 4, paragraph 2, unlike systems for automatically inhibiting online consultation (without storage of access attempts), by employees, of specific content prohibited by the organization to which they belong. The systematic collection and storage of all log files generated by the use of the Internet in the context of the employment relationship - including those relating to failed attempts to access sites already registered in a special black list, to which access is however blocked by the system - giving rise, in fact, to a generalized processing of data relating to the activity and use of network services by employees who are in any case identifiable, entail, in the presence of a unique connection with the employee and with his specific workstation, the possibility of reconstructing his activity through the use of technological systems, with the consequence that, in such cases, the employer is required to ensure compliance with the procedural guarantees provided for by art. 4, paragraph 1, of Law 20 May 1970, no. 300, which constitutes, as mentioned above, a condition of lawfulness of the processing of the data in question.
This principle has been confirmed, over time, by the Guarantor, in many cases (see, in the public sphere, provision of 13 May 2021, no. 190, web doc. no. 9669974, and provision of 13 July 2016, no. 303, web doc. no. 5408460; see also, with regard to the private work context, provision of 12 December 2024, no. 771, web doc. no. 10096474). Acknowledging, therefore, that the Region, having adopted decree no. XX of XX, collected and processed all Internet browsing logs of its employees without having previously entered into a collective agreement with the competent trade unions, which the Region itself appears to have reached only on XX and XX, it must be considered that the processing in question occurred, within the limits of that time frame, in violation of Articles 5, paragraph 1, letter a), 6 and 88, paragraph 1, of the Regulation, as well as 114 of the Code (in relation to Article 4, paragraph 1, of Law 20 May 1970, no. 300). Having said this, it is further observed that, in general, the processing must in any case be "necessary" with respect to the legitimate purpose pursued (Article 6, paragraph 1 of the Regulation) and have as its object only data that are "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter c), of the Regulation). From another but related perspective, based on the principle of “storage limitation”, personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed” (Article 5, paragraph 1, letter e), of the Regulation).
From this perspective, in consideration of the risk to the rights and freedoms of data subjects, the data controller must also adopt - “by design” and “by default” (Article 25 of the Regulation) - appropriate technical and organizational measures to implement the data protection principles, integrating into the processing the necessary guarantees to meet the requirements of the Regulation and protect the rights and freedoms of data subjects (see “Guidelines 4/2019 on Article 25 - Data protection by design and by default”, adopted by the European Data Protection Board on 20 October 2020, esp. points 42, 44 and 49). This obligation “also applies to […] the period of retention […]” of the data (art. 25, par. 2, of the Regulation). It should also be noted that since 1970, public and private employers have been prohibited from collecting or otherwise processing “even through third parties” personal data relating to “the political, religious or trade union opinions of the worker, as well as [… to] facts not relevant for the purposes of assessing the professional aptitude of the worker” (see art. 8 of law 20 May 1970, no. 300, and art. 10 of legislative decree 10 September 2003, no. 276, expressly referred to in art. 113 of the Code). As highlighted on numerous occasions by the Guarantor and by jurisprudence also at supranational level, Internet navigation logs, especially if they include log files relating to failed attempts to access sites already registered in a special black list, to which access is in any case blocked by the system, may concern aspects of the personal sphere and private life of employees (articles 8 of the European Convention on Human Rights and 7 of the Charter of Fundamental Rights of the European Union). This is because the boundary between the work and professional sphere and the strictly private one cannot always be drawn clearly.
In cases where the employee is connected to the network services made available by the employer or uses a company resource also through personal devices and, in particular, when working remotely, there is a legitimate expectation of confidentiality for the employee (see, in this regard, the judgments of the European Court of Human Rights Niemietz v. Germany, 16.12.1992, ref. no. 13710/88, spec. par. 29; Copland v. UK, 03.04.2007, ref. no. 62617/00, spec. par. 41; Bărbulescu v. Romania [GC], 5.9.2017, ref. no. 61496/08, spec. pars. 70-73 and 80; Antović and Mirković v. Montenegro, 28.11.2017, ref. no. 70838/13, spec. pars. 41-42; see also, with regard to the case law explored by the Guarantor over the years, in particular provision of 13 May 2021, no. 190, web doc. no. 9669974, and provision of 13 July 2016, no. 303, web doc. no. 5408460). The processing of such data, carried out by means of information technology in the context of the employment relationship, must therefore comply with the respect for fundamental rights and freedoms as well as the dignity of the data subject, for the protection of workers and third parties (see Recommendation CM/Rec(2015)5 of the Committee of Ministers to Member States on the processing of personal data in the employment context, esp. point 3; Article 29 Working Party, Opinion no. 2/2017 on data processing at the workplace, WP 249, par. 5).
In this context, the need to reduce the risk of improper use of Internet browsing by employees, consisting of activities not related to work performance (for example, viewing irrelevant websites, uploading or downloading files, using network services for recreational purposes or purposes unrelated to work) cannot, in fact, justify any form of interference in private life, but, as traditionally stated by the Guarantor, can generally be satisfied by preparing technical and organizational measures suitable for preventing at the root the collection of any information relating to the non-work sphere, which would give rise to the processing of "irrelevant" personal information that falls within the scope of application of art. 113 of the Code (see, in this regard, "Guidelines on electronic mail and the Internet", provision of 1 March 2007, no. 13, web doc. no. 1387522, in particular point 5.2., letter a), the principles of which can still be considered valid; see also provision of 13 May 2021, no. 190, web doc. no. 9669974, provision of 13 July 2016, no. 303, web doc. no. 5408460, and provision of 21 July 2011, no. 308, web doc. no. 1829641, confirmed by the Court of Cassation, sentence no. 18302 of 19 September 2016). With regard to the specific case, the system adopted by the Region for network security purposes, in its current configuration, allows for the tracking of connections and links to Internet sites visited by employees, including failed attempts to access websites indicated in the appropriate black list, the storage of such data and their conservation for 365 days, and involves the processing of information that is also unrelated to professional activity. In particular, with regard to the temporal depth of the conservation of the aforementioned data, the Region, in the perspective of the principle of "accountability" (art. 5, par.
2, of the Regulation), has determined the term of 365 days also taking into account the indications provided by other authorities for the profiles within their respective competence as well as, more generally, in the light of studies and systematic observations of the dynamics of security incidents that can be caused by web browsing, especially in the scenarios that most recently tend to materialize in the current context. In light of an overall assessment of the characteristics of the system and the resulting permitted processing operations (preventive and generalized collection of data relating to connections made by individual employees to websites, storage for a prolonged period of time and the possibility of tracing individual employees' browsing), it must be considered that, despite the presence of some technical and organizational measures, the processing in question cannot yet be considered overall proportionate to the purpose pursued by the Region, namely network security. In this regard, however, the internal procedures of the Region are favorably noted, whereby Internet browsing logs can be accessed in two specific cases only, namely in the event of a request from the judicial authority or in the event of the detection of particular, motivated and predetermined traffic anomalies, subject to specific recognition and cataloguing by the Region.
Similarly, it is also noted that the Region, not having sufficient information to independently trace the identity of the employee who browsed the Internet, can identify the data subjects by correlating the information separately stored by the three suppliers it uses in this context: one holding only the IP address of the machine used by the employees, another only the information relating to the association between the IP of the machine and the respective MAC address, and the third only the data concerning the mere association between the MAC address of the machine and the name of the employee to whom it is assigned. This organizational measure, giving rise to a form of separation of the data in question, does not in fact preclude the data controller, the employer, from tracing the identity of the employee who browsed the Internet, with the cooperation of the three suppliers and by correlating the information that each of them stores, on behalf and in the interest of the Region, as data controller. For these reasons, in order to ensure full compliance with data protection legislation and with a view to preventing possible detrimental effects for the data subjects in the delicate work and professional context, the nature of the processing operations in progress and, in general, the sensitivity of the data collected and stored for a long period of time, as described above, require, in the reference context, the necessary adoption of the specific additional measures indicated in paragraph 6 of this provision.
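The three-way split described above, as an added illustration that is not part of the decision and does not reproduce the Region's or its suppliers' systems: a constructed proxy log (IP only), DHCP lease table (IP to MAC) and asset register (MAC to employee), each held separately, still re-identify the employee once the controller correlates them, and the lease window shows why the correlation must be time-aware. All addresses, identifiers, timestamps and log lines are constructed.

```python
from datetime import datetime

# Supplier A (constructed): web proxy log; it holds only the client IP, never a name,
# and records blocked attempts alongside successful visits.
BROWSING_LOG = [
    {"ts": "2024-03-01T09:12:44", "ip": "10.20.30.41",
     "url": "https://intranet.example/reports", "blocked": False},
    {"ts": "2024-03-01T09:15:02", "ip": "10.20.30.41",
     "url": "https://denied.example/forum", "blocked": True},
    {"ts": "2024-03-02T08:30:00", "ip": "10.20.30.41",
     "url": "https://news.example/", "blocked": False},
    {"ts": "2024-03-02T11:00:00", "ip": "10.20.30.99",
     "url": "https://vendor.example/docs", "blocked": False},
]

# Supplier B (constructed): DHCP lease history; it holds only IP <-> MAC with the
# lease window. Note the same IP is handed to a different device on the next day.
DHCP_LEASES = [
    {"ip": "10.20.30.41", "mac": "aa:bb:cc:00:00:01",
     "start": "2024-03-01T08:00:00", "end": "2024-03-01T18:00:00"},
    {"ip": "10.20.30.41", "mac": "aa:bb:cc:00:00:03",
     "start": "2024-03-02T08:00:00", "end": "2024-03-02T18:00:00"},
]

# Supplier C (constructed): asset register; it holds only MAC -> assigned employee.
ASSET_REGISTER = {
    "aa:bb:cc:00:00:01": "employee-0001",
    "aa:bb:cc:00:00:03": "employee-0003",
}


def _t(stamp):
    """Parse the ISO 8601 timestamps used in the constructed data sets."""
    return datetime.fromisoformat(stamp)


def mac_for(ip, ts, leases=DHCP_LEASES):
    """Resolve the MAC that held `ip` at instant `ts`, or None if no lease covers it.

    Joining on IP alone would attribute the 2 March visit to the 1 March device;
    the lease window is what makes the correlation correct.
    """
    when = _t(ts)
    for lease in leases:
        if lease["ip"] == ip and _t(lease["start"]) <= when <= _t(lease["end"]):
            return lease["mac"]
    return None


def reidentify(entry, leases=DHCP_LEASES, assets=ASSET_REGISTER):
    """Return the employee behind one proxy log entry, or None if the chain breaks."""
    mac = mac_for(entry["ip"], entry["ts"], leases)
    return assets.get(mac) if mac else None


def activity_by_employee(log=BROWSING_LOG, leases=DHCP_LEASES, assets=ASSET_REGISTER):
    """Rebuild per-employee browsing history, blocked attempts included.

    None of the three holders can produce this on its own; the controller, who
    directs all three, can. That is why the separation is pseudonymisation rather
    than anonymisation and does not remove the need for the legal safeguards.
    """
    history = {}
    for entry in log:
        who = reidentify(entry, leases, assets)
        if who is None:
            continue  # no lease covered that IP at that time: unattributable entry
        history.setdefault(who, []).append((entry["ts"], entry["url"], entry["blocked"]))
    return history


if __name__ == "__main__":
    for who, visits in activity_by_employee().items():
        print(who)
        for ts, url, blocked in visits:
            print(f"  {ts}  {'BLOCKED ' if blocked else ''}{url}")
```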
The methodology identified by the Region and, in general, the technical and organizational measures implemented, also in terms of minimization, cannot, in fact, be considered sufficient, at present, to completely overcome the critical issues highlighted above and to make the overall processing proportionate, since they do not ensure the effective implementation of the data protection principles and the integration of all the necessary guarantees in order to protect the rights and freedoms of the data subjects. In light of the above considerations, it must be concluded that, based on an overall assessment of the elements that emerged during the investigation, the system currently used by the Region, which allows for the recording of detailed data regarding the Internet resource visited by employees, gives rise, as things stand, to a systematic collection of numerous personal data, even those not related to the performance of work, and to prolonged storage of the same, which is not compliant with data protection regulations and violates Articles 5, paragraph 1, letters a), c) and e), and 25 of the Regulation, and 113 of the Code, in reference to Article 8 of Law No. 300 of 20 May 1970 and Article 10 of Legislative Decree No. 276 of 10 September 2003.

4.3. Failure to carry out a data protection impact assessment pursuant to Article 35 of the Regulation.

In this case, the processing of email and Internet browsing metadata was also carried out in the absence of a preliminary data protection impact assessment pursuant to art. 35 of the Regulation. In implementation of the accountability principle (see art. 5, par.
2, of the Regulation), it is up to the controller to assess whether the processing that is intended to be carried out may present a high risk to the rights and freedoms of natural persons - due to the technologies used and considering the nature, the object, the context and the purposes pursued - which makes a preliminary assessment of the impact on the protection of personal data necessary (see recital 90 of the Regulation). Taking into account the indications provided also at European level on this point, it is noted, however, that both the processing of metadata relating to the use of the email service - consisting in the systematic collection of external data relating to email correspondence (including information relating to the sender/recipient and the subject of each email) and in the related storage for 90 days - and the processing of logs relating to Internet browsing - consisting in the preventive and generalized collection of data concerning connections to the websites of individual employees and in the related storage for 365 days - entail specific risks for the rights and freedoms of data subjects in the workplace (art. 35 of the Regulation). Both in consideration of the particular “vulnerability” of data subjects in the workplace context (see recital 75 and art. 88 of the Regulation and criterion no. 3 indicated in the “Guidelines on data protection impact assessment and the criteria for determining whether a processing operation is “likely to result in a high risk” pursuant to Regulation 2016/679”, WP 248 of 4 April 2017, which, among the categories of vulnerable data subjects, expressly mention “employees”) and of the fact that in this context, differently from what was claimed by the Region, the use of systems involving “systematic monitoring”, understood as “processing used to observe, monitor or control data subjects, including data collected via networks” (see criterion no. 
3 indicated in the Guidelines) may present risks - as in the case in question - in terms of possible monitoring of the activity of employees (see arts. 35 and 88, par. 2, of the Regulation). As already noted above, in fact, in the presence of certain specific characteristics or functions, these tools may lead to unintentional control of the employee's activity. These principles have been reiterated by the Guarantor, as well as, most recently, in the aforementioned Guideline Document (see point 2), also in the provision of 11 October 2018, no. 467, web doc. no. 9058979, annex no. 1, which expressly mentions the "processing carried out in the context of the employment relationship through technological systems [...] from which the possibility of carrying out remote control of the employees' activity derives", as well as in various decisions on individual specific cases (see, among others, also provision of 13 May 2021, no. 190, web doc. no. 9669974, par. 3.5). For these reasons, in acknowledging that, albeit belatedly and during the investigation, the Region has finally provided evidence of the performance of the impact assessments of the aforementioned treatments (see note of XX), it is noted that, prior to this fulfillment, the same were carried out in the absence of an impact assessment and therefore in violation of art. 35 of the Regulation. 4.4. Further considerations on the processing of email metadata and Internet browsing logs. As for the dispute relating to the use for disciplinary purposes, in two specific cases, of the logs relating to Internet browsing and use of the email service by employees, collected and processed in the absence of the conditions set out in art. 4, paragraph 1, of Law 20 May 1970, no. 300, we acknowledge the clarifications provided in note of XX. 
In particular, with this note the Region, providing new and more specific elements, clarified that "neither of the two disciplinary proceedings was initiated through the use of e-mail logs or Internet browsing"; it must therefore be concluded that, for the aspects within the Authority's jurisdiction, the conditions for asserting the Region's liability for the use, for purposes related to the employment relationship, of data collected and processed in violation of art. 4, paragraph 1, of Law no. 300 of 20 May 1970 do not exist in this case (see arts. 5, paragraph 1, letter a), 6 and 88 of the Regulation and 114 of the Code, in relation to art. 4, paragraph 3, of Law no. 300 of 20 May 1970).

4.5. Processing of data relating to requests for technical assistance.

The investigation revealed that the data relating to requests for technical assistance held in the "OTRS" ticketing system, subsequently decommissioned, were retained by the Region for the entire duration of the contractual relationship with the service provider, for needs related to the administrative management of the service. In this regard the Region, noting that "the feasibility of technical interventions aimed at minimizing the visibility of tickets no longer open required implementation times longer than the scheduled time for decommissioning", decided to "intervene organizationally by accelerating the decommissioning of the ["OTRS" ticketing system]" (see note of XX) and pointed out that on XX "the supplier communicated via PEC that it had proceeded with the irreversible cancellation of the database of the ITSM OTRS tool [...]" (see note of XX).

In light of the investigation, it also appears that the Region initially intended to retain the data on requests for technical assistance in the new "SDAS" ticketing system for a maximum total period of 78 months (72 months for needs related to the management of the service and a further 6 months in order to "carry out residual contractual activities such as accounting, payments, verification of the regular execution of the contract"; see minutes of XX). Even taking into account that the Region had declared that it would hold a monthly meeting between the suppliers of the technical assistance service and the "information systems structure (SAL) to verify the progress of the work and take stock of the situation, monitor the SLAs, identify any critical issues such as excessive number of tickets, particular and repeated problems" (see minutes of XX), and that the regular scheduling of such meetings did not justify such prolonged retention of the data in question, the Region, as part of the initiatives progressively undertaken during the investigation to bring such processing into compliance with data protection regulations, decided, also in the light of specific discussions with the service provider, to reduce that period to 12 months. Although, in general, the needs of accounting, invoicing and remuneration of services can normally be met without processing personal data or, where necessary, by anonymizing the existing data and thus retaining only the information strictly necessary to compare the service actually provided with that contractually envisaged (see, in this regard, although in reference to another type of service, provision of 24 May 2017, no. 247, web doc. no. 6495708; see also provision of 2 October 2014, web doc. no. 3534543, and provision no. 427 of 19 July 2018), the following is noted.

Having taken note of the assessments carried out by the Region, in the perspective of the accountability principle (see art. 5, par. 2, of the Regulation), with reference to the new "SDAS" ticketing system and, in particular, the declared need to retain the aforementioned data in clear text for one year in light of the specific features of the Region's complex organizational reality, it should be noted that, by contrast, the retention of data on requests for technical assistance in the decommissioned "OTRS" system appears to have continued for a particularly long time. In particular, the documentation acquired during the inspection showed that the requests for technical assistance by staff of which the Region still retained traces dated back to 2016; this information was retained until XX, the date on which the provider of the service communicated "that it had proceeded with the irreversible cancellation of the database of the ITSM OTRS tool" (see note of XX). Since there were no adequate reasons to justify such prolonged retention, it must be concluded that the processing of data relating to requests for technical assistance in the decommissioned "OTRS" system was carried out in conflict with the principles of storage limitation and data protection by design and by default, in violation of Articles 5, paragraph 1, letter e), and 25 of the Regulation.

4.5.1. The relationship with the suppliers responsible for providing the technical assistance service with reference to the "OTRS" system being decommissioned.
In light of what emerged from the documents, it is also established that the agreement pursuant to Article 28 of the Regulation concluded with the three suppliers that the Region currently uses to provide the technical assistance service did not cover, until the contractual addendum was signed during the investigation, the processing of personal data contained in the "OTRS" system carried out by those suppliers during the transitional phase of its decommissioning. In this regard, in preparing technical and organizational measures that satisfy the requirements of the Regulation, including as to security (Articles 4, no. 7), 24 and 32 of the Regulation), the controller may use a processor to carry out certain processing activities, to whom it gives specific instructions (see Articles 4, no. 8), 28 and recital 81 of the Regulation). The relationship between controller and processor must be governed by a contract or other legal act in written form which, in binding the processor to the controller, sets out, among other things, the "subject matter" (i.e. the object of the processing, which "must be formulated with sufficient specifications so that [...] it is clear"; see European Data Protection Board, "Guidelines 07/2020 on the concepts of controller and processor under the GDPR", v. 2.0, adopted on 7 July 2021), the "type of personal data" and the "categories of data subjects", as well as the necessary documented instructions on the processing (Article 28, paragraphs 3 and 9, of the Regulation).

Given that, in the case in question, the agreement pursuant to art. 28 of the Regulation in force between the Region and the new service providers did not appear to have been extended to the processing of data contained in the "OTRS" system, it cannot be considered that, for this specific scope of processing, the agreement satisfies the requirements set out in detail by art. 28, par. 3, of the Regulation (in particular, the subject matter, the duration, the nature and purpose of this specific processing, the type of personal data and the categories of data subjects, as well as the specific documented instructions given by the Region in this regard). For these reasons, while acknowledging the signing of the contractual addendum with the three providers during XX, with which the parties agreed that the processing activities envisaged by the agreement pursuant to art. 28 of the Regulation already concluded "were also carried out through the OTRS ticketing system" (see note of XX), it appears that, before the signing of that addendum, the processing of personal data contained in the "OTRS" system occurred in violation of art. 28 of the Regulation.

5. Conclusions.

In light of the above assessments, the declarations made by the controller during the investigation (for the truthfulness of which it may be held liable pursuant to art. 168 of the Code), although worthy of consideration, do not overcome all the findings notified by the Office in the act initiating the proceeding and are insufficient to allow the present proceeding to be closed, since, moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

The unlawfulness of the processing of personal data carried out by the Lombardy Region is confirmed on the basis that, in the terms set out in the grounds:
- the processing of email metadata was carried out in violation of Articles 5, par. 1, letter a), 6, 35 and 88 of the Regulation, as well as 114 of the Code;
- the processing of Internet navigation logs was carried out in violation of Articles 5, par. 1, letters a), c) and e), 6, 25, 35 and 88 of the Regulation, as well as 113 and 114 of the Code;
- the processing of personal data contained in the OTRS system was carried out in violation of Articles 5, par. 1, letter e), 25 and 28 of the Regulation.

The violation of the aforementioned provisions entails, pursuant to art. 2-decies of the Code and "except as provided for by Article 160-bis", the unusability of the personal data processed. It also makes the administrative sanction applicable pursuant to Articles 58, paragraph 2, letter i), and 83, paragraph 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code.

6. Corrective measures (Article 58, paragraph 2, letter d), of the Regulation).

With reference to the still persisting profiles of unlawfulness of the processing of web navigation logs associated with employees (see, in particular, paragraph 4.2 of this provision), pursuant to Article 58, paragraph 2, letter d), of the Regulation, it is considered necessary to order the Lombardy Region to adopt, within ninety days of notification of this provision, further technical and organizational measures suitable for ensuring that the actual possibility of tracing the identity of the individual employee who carried out the web browsing is in practice extremely unlikely.
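The measures that the Region is ordered to adopt in this section (anonymization at source of failed attempts on black-listed sites, 90-day retention followed by anonymization, checks at aggregate level before individual level, the split of the IP, MAC and employee-name mappings across separate holders with the name encrypted, and re-identification only for documented security anomalies) can be read together as one retention and access policy over a proxy log. The Python below is an added example written for this page to make that policy concrete; it is not code from the decision or from the Region's systems, and the log format, the sample addresses and names, the dates and the HMAC-in-counter-mode stand-in for real encryption are all assumptions.

```python
"""Added example (not part of the Garante's decision or the Region's systems).

Models the measures ordered in section 6 as a small retention policy over
web-proxy logs: failed attempts to reach black-listed hosts are stored without
the client identifier at ingest; identifiable records are anonymised after
90 days; the IP -> MAC -> employee mappings are kept by separate holders, with
the name encrypted at rest; re-identification needs a documented reason and
leaves an audit trail; a security check starts from aggregates, not persons.
Log format, addresses, names, dates and the HMAC-based cipher are assumptions.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import hashlib
import hmac
import secrets

RETENTION_DAYS = 90  # identifiable browsing logs may be kept at most this long

# Constructed sample input: '<iso-timestamp> <client-ip> <host> <ALLOW|BLOCK>'
SAMPLE_LINES = [
    "2025-01-10T09:00:00+00:00 10.0.0.5 intranet.example ALLOW",
    "2025-01-10T09:05:00+00:00 10.0.0.5 blocked.example BLOCK",
    "2025-04-15T08:00:00+00:00 10.0.0.7 news.example ALLOW",
]
NOW = datetime(2025, 4, 20, tzinfo=timezone.utc)  # constructed "today"


@dataclass(frozen=True)
class ProxyRecord:
    ts: datetime
    client_ip: Optional[str]  # None once the record has been anonymised
    host: str
    blocked: bool             # request refused because the host is black-listed


def ingest(line: str) -> ProxyRecord:
    """Parse one proxy line; a failed attempt on a black-listed host is
    stored without the client IP from the start (first additional measure)."""
    ts, ip, host, action = line.split()
    blocked = action == "BLOCK"
    return ProxyRecord(datetime.fromisoformat(ts), None if blocked else ip, host, blocked)


def apply_retention(records: List[ProxyRecord], now: datetime) -> List[ProxyRecord]:
    """Strip the client IP from every record older than RETENTION_DAYS
    (second measure); anonymised records may be kept on for statistics."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return [replace(r, client_ip=None) if r.ts < cutoff else r for r in records]


def blocked_attempts_by_host(records: List[ProxyRecord]) -> Dict[str, int]:
    """Aggregate view used as the first step of any check: which hosts are
    being hit, with no reference to who (third measure: aggregate before individual)."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.blocked:
            counts[r.host] = counts.get(r.host, 0) + 1
    return counts


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stream cipher: a standard-library
    stand-in for a real AEAD such as AES-GCM. The same call decrypts."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


class SplitIdentityStore:
    """The mappings the decision describes, held apart from the proxy log:
    IP -> MAC by one holder, MAC -> employee name by another, the name
    encrypted at rest (fourth measure). Re-identification requires a
    documented security reason and is written to an audit trail."""

    def __init__(self, ip_to_mac: Dict[str, str], mac_to_name: Dict[str, str], key: bytes):
        self._ip_to_mac = dict(ip_to_mac)
        self._key = key
        self._mac_to_sealed: Dict[str, Tuple[bytes, bytes]] = {}
        for mac, name in mac_to_name.items():
            nonce = secrets.token_bytes(16)
            self._mac_to_sealed[mac] = (nonce, _keystream_xor(key, nonce, name.encode()))
        self.audit: List[Tuple[str, str, str]] = []  # (requester, ip, reason)

    def sealed_names(self) -> List[bytes]:
        """What the name holder actually stores (ciphertext only)."""
        return [ct for _, ct in self._mac_to_sealed.values()]

    def reidentify(self, ip: str, reason: str, requester: str) -> str:
        """Resolve an IP to a person only for a stated, recorded reason."""
        if not reason.strip():
            raise PermissionError("re-identification requires a documented security reason")
        nonce, ct = self._mac_to_sealed[self._ip_to_mac[ip]]
        self.audit.append((requester, ip, reason))
        return _keystream_xor(self._key, nonce, ct).decode()


if __name__ == "__main__":
    kept = apply_retention([ingest(line) for line in SAMPLE_LINES], NOW)
    print(kept)
    print(blocked_attempts_by_host(kept))
```

Run as a script it prints the retained records (the January entries with their IP removed, the April entry intact) and the per-host count of blocked attempts. In a real deployment the keystream function would be replaced by an authenticated cipher and the three mappings would live with three different processors, each bound by the Article 28 instructions the decision requires; the point the code makes is that the proxy log alone never carries a person's identity, and that resolving one takes a recorded, justified step.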
In particular, in addition to the measures already adopted by the Region, consisting in detail:
- in the separation of the data in question: of the three suppliers (processors) that the Region uses in this area, one holds only the IP address of the machine used by the employee, another only the association between the machine's IP and its MAC address, and the third only the association between the machine's MAC address and the name of the employee to whom it is assigned;
- in the precise identification of the conditions under which the Region proceeds with the processing that allows it to trace the identity of the individual employees who carried out web browsing (particular, motivated and predetermined security anomalies, and specific requests by the judicial authority);
it is considered necessary that, also taking into account the experience gained by the Guarantor in various investigations involving other public administrations with characteristics similar to those of the Region in terms of territorial extension, areas of competence and number of employees, the Region ensures the adoption, in the specific context of reference, of the following additional measures:
- the anonymization of logs relating to failed access attempts to websites on the black list, including those currently present in the systems;
- the reduction to 90 days of the retention period of Internet browsing logs, with the possibility of retention for a further period after their anonymization, so that the employee can no longer be identified (see art. 5, par. 1, letter e), of the Regulation), and without prejudice to the deletion of the personal data present in the web browsing logs recorded in the systems for over 90 days;
- that, in the presence of one of the aforementioned security anomalies, the verification activities are as a rule carried out by the Region gradually and progressively, at the level of individual organizational structures and not at individual level, limiting granular and specific interventions on the individual workstation to cases where checks at aggregate level have already been tried without success (see Articles 5, paragraph 1, letter c), and 25 of the Regulation);
- the encryption of the data concerning the names of the employees assigned to the machines (see Article 32, paragraph 1, letter a), of the Regulation), providing specific documented instructions in this regard to the supplier who, as processor, processes such data on behalf and in the interest of the Region (Article 28 of the Regulation);
- that the processing of the data in question is in any case carried out by a strictly limited number of authorised natural persons specifically selected for this purpose, who must receive an express designation and specific instructions on the risks associated with the processing (see Article 2-quaterdecies of the Code and Articles 28, 29 and 32, paragraph 4, of the Regulation), as may be provided for by the Region's internal procedures and by the documented instructions that the Region must give to suppliers pursuant to Article 28 of the Regulation, which must therefore be appropriately updated and periodically reassessed to verify their adequacy and effectiveness (Articles 5, paragraph 2, 24 and 32 of the Regulation);
- the updating of the agreements already concluded pursuant to Article 4 of Law No. 300 of 20 May 1970 with the trade union representatives in light of the measures indicated above.

Pursuant to Article 157 of the Code, the Region shall also communicate to this Authority, within thirty days of notification of this provision, the initiatives it intends to undertake to ensure that the processing complies with data protection regulations.

7. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (Articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to arts. 58, paragraph 2, letter i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, in this context, "the [Guarantor] Board adopts the injunction order, with which it also provides for the application of the accessory administrative sanction of publication, in full or in extract, on the Guarantor's website pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this case, three distinct conducts attributable to the Lombardy Region can be identified (the first relating to the processing of email metadata; the second to the processing of Internet browsing logs; the third to the processing of personal data relating to employees' requests for technical assistance in the decommissioned "OTRS" system), which must therefore be considered separately for the purposes of quantifying the administrative sanctions to be applied.

7.1. The processing of email metadata (paragraphs 4.1 and 4.3 of this provision).
Taking into account that the violation of the provisions cited in paragraphs 4.1 and 4.3 of this provision resulted from a single conduct (the same processing or linked processing operations), Article 83, paragraph 3, of the Regulation applies, under which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns Articles 5, 6 and 88 of the Regulation and 114 of the Code, subject to the administrative sanction provided for by Article 83, paragraph 5, of the Regulation, the total amount of the sanction is to be quantified up to €20,000,000.

The administrative pecuniary sanction, imposed depending on the circumstances of each individual case, must be determined in amount taking due account of the elements provided for by Article 83, paragraph 2, of the Regulation. Considering that:
- the processing of e-mail metadata concerns forms of correspondence supported by guarantees of confidentiality also protected by the Constitution (Articles 2 and 15 of the Constitution) (Article 83, paragraph 2, letters a) and g), of the Regulation);
- although, also on the indication of the data protection officer, the Region, following the publication of provision 1 December 2022, no. 409, web doc. no. 9833530, had already started an internal discussion on the need to reach a collective agreement with the trade union representatives on such processing, and although it finally signed that agreement in accordance with art. 4 of law 20 May 1970, no. 300, even before the publication of the updated version of the Guideline Document on the matter, the processing had previously been started and carried out for a long time in a manner that did not comply with the sector rules on the use of technological tools in the workplace and with the indications provided over time by the Guarantor, for the profiles within its competence (art. 83, par. 2, letters a) and b), of the Regulation);
it is considered that, in this case, the level of severity of the violation committed by the controller is medium (see European Data Protection Board, "Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR" of 24 May 2023, point 60).

Given the above, it is considered that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into account:
- the Region offered full cooperation with the Authority during the investigation, taking prompt action, already following the Authority's inspection activities, to bring its personal data processing policies into compliance with data protection legislation, and taking care to document over time the measures progressively adopted; in particular, the Region has documented that it entered into a collective agreement with the competent trade unions for non-managerial staff already on XX and therefore even before and independently of the outcome of the public consultation to which the Policy Document on metadata was submitted in XX, thereby demonstrating, also thanks to the valuable contribution of its Data Protection Officer, an appreciable attention to the rules on the protection of personal data and to the Authority's guidelines, expressed consistently since the publication, in 2007, of the "Guidelines on electronic mail and the Internet"; the Region has also documented that it entered into a further collective agreement on XX for managerial staff and that it carried out, in this regard, data protection impact assessments pursuant to art. 35 of the Regulation (art. 83, par. 2, letters c) and f), of the Regulation);
- there are no previous relevant violations committed by the controller of the same nature as those ascertained here, nor previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation).

In light of the above elements, assessed as a whole, it is deemed appropriate to set the pecuniary sanction at €20,000 (twenty thousand/00) for the violation of arts. 5, par. 1, letter a), 6, 35 and 88 of the Regulation, as well as 114 of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also considered that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this chapter containing the injunction order must be published on the Guarantor's website. This is because the email metadata, which were processed for a long time without the procedural guarantees provided for by the sector legislation on remote controls, concern forms of correspondence assisted by guarantees of confidentiality also protected by the Constitution. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

7.2. The processing of Internet browsing logs (paragraphs 4.2 and 4.3 of this provision).
Considering that the violation of the provisions cited in paragraphs 4.2 and 4.3 of this provision resulted from a single conduct (the same processing or linked processing operations), Article 83, paragraph 3, of the Regulation applies, under which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violation concerns Articles 5, 6 and 88 of the Regulation and 113 and 114 of the Code, subject to the administrative sanction provided for by Article 83, paragraph 5, of the Regulation, the total amount of the sanction is to be quantified up to EUR 20,000,000.

The administrative pecuniary sanction, imposed depending on the circumstances of each individual case, must be determined in amount taking due account of the elements provided for by Article 83, paragraph 2, of the Regulation. Considering that:
- the processing of logs relating to the Internet browsing of the Region's employees also concerns aspects of the personal sphere and private life of employees, legal interests also protected by the supranational framework (Article 8 of the European Convention on Human Rights and Article 7 of the Charter of Fundamental Rights of the European Union; Article 83, paragraph 2, letters a) and g), of the Regulation);
- the Region has nevertheless shown that it adopted, in this case, specific technical and organizational measures to limit the risk to the rights and freedoms of the data subjects, even though these are not yet entirely sufficient to ensure full compliance with data protection legislation (Article 83, paragraph 2, letters a) and b), of the Regulation);
it is considered that, in this case, the level of severity of the violation committed by the controller is medium (see European Data Protection Board, "Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR" of 24 May 2023, point 60).

Given the above, it is considered that, for the purposes of quantifying the sanction, the following circumstances must be taken into account:
- the Region offered full cooperation with the Authority during the investigation, taking prompt action, already following the Authority's inspection activities, to bring its personal data processing policies into compliance with data protection legislation, and taking care to document over time the measures progressively adopted (Article 83, paragraph 2, letters c) and f), of the Regulation);
- there are no previous relevant violations committed by the controller of the same nature as those ascertained here, nor previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation).

In light of the above elements, assessed as a whole, it is deemed appropriate to set the pecuniary sanction at EUR 25,000 (twenty-five thousand/00) for the violation of arts. 5, par. 1, letters a), c) and e), 6, 25, 35 and 88 of the Regulation, as well as 113 and 114 of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive. It is also considered that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this chapter containing the injunction order must be published on the Guarantor's website.
This is because the Internet browsing logs, which were processed for a long time without the procedural guarantees provided by the sector legislation on remote controls, also concern aspects of the personal sphere and private life of employees and are still retained by the Region for a long period without sufficient technical and organizational measures to ensure the overall lawfulness of the processing. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

7.3. The processing of data relating to employees' requests for technical assistance in the decommissioned "OTRS" system (paragraphs 4.5 and 4.5.1).

Considering that the violation of the provisions cited in paragraphs 4.5 and 4.5.1 of this provision resulted from a single conduct (the same processing or linked processing operations), Article 83, paragraph 3, of the Regulation applies, under which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violation concerns Article 5, paragraph 1, letter e), of the Regulation, subject to the administrative sanction provided for by Article 83, paragraph 5, of the Regulation, the total amount of the sanction is to be quantified up to EUR 20,000,000.

The administrative pecuniary sanction, imposed depending on the circumstances of each individual case, must be determined in amount taking due account of the elements provided for by Article 83, paragraph 2, of the Regulation. Considering that:
- the Region has not demonstrated suitable reasons to support such prolonged retention of the data contained in the "OTRS" ticketing system, which related to requests for technical assistance dating back some time; moreover, the Region had already entered into an agreement pursuant to art. 28 of the Regulation with the suppliers responsible for the technical assistance service, even though, as noted above, the parties had not expressly extended those contractual provisions to the processing of personal data carried out within the "OTRS" system, which was being decommissioned at the time of the facts (see art. 83, par. 2, letter a), of the Regulation);
- the violation did not concern special categories of data (see art. 83, par. 2, letter g), of the Regulation);
it is considered that, in this case, the level of severity of the violation committed by the controller is medium (see European Data Protection Board, "Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR" of 24 May 2023, point 60).

Given the above, it is considered that, for the purposes of quantifying the sanction, the following circumstances must be taken into account:
- the Region offered full cooperation with the Authority during the investigation, and documented that, during XX, it concluded a contractual addendum with the three suppliers, with which the parties regulated, in terms of data protection, the processing carried out within the "OTRS" system until its complete decommissioning (Article 83, paragraph 2, letters c) and f), of the Regulation);
- there are no previous relevant violations committed by the controller of the same nature as those ascertained here, nor previous measures pursuant to art. 58 of the Regulation (art. 83, par. 2, letter e), of the Regulation).

In light of the above elements, assessed as a whole, it is deemed appropriate to set the pecuniary sanction at €5,000.00 (five thousand/00) for the violation of arts. 5, par. 1, letter e), 25 and 28 of the Regulation, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive. It is also considered that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this chapter containing the injunction order must be published on the Guarantor's website. This is because, in particular, the Region has not demonstrated suitable reasons to support such prolonged retention of the data contained in the "OTRS" ticketing system, which in fact concerned requests for technical assistance dating back to 2016. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) declares, pursuant to art. 57, par. 1, letters a) and h), of the Regulation, the unlawfulness of the processing carried out by the Lombardy Region for violation of arts. 5, par. 1, letters a), c) and e), 6, 25, 28, 35 and 88 of the Regulation, as well as 113 and 114 of the Code, in the terms set out in the grounds;

b) requires the Region, pursuant to art. 58, par. 2, letter d), of the Regulation, to comply, within 90 days of notification of this provision, with the provisions set out in paragraph 6 of this provision;

c) requires the Region, pursuant to art. 58, par. 1, letter a), of the Regulation, and art. 157 of the Code, to communicate, with adequately documented feedback, within 30 days of notification of this provision, the initiatives it intends to undertake in relation to letter b) above; failure to respond to a request made pursuant to art. 157 of the Code is punishable by an administrative sanction, pursuant to the combined provisions of art. 83, par. 5, of the Regulation and 166 of the Code;

ORDERS

the Lombardy Region, in the person of its legal representative pro tempore, with registered office in Piazza Città Di Lombardia, 1 - 20124 Milan (MI), C.F. 80050050154, to pay the sum of Euro 50,000.00 (fifty thousand/00) as an administrative pecuniary sanction for the violations indicated in the grounds. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;

ORDERS

the aforementioned Region, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €50,000.00 (fifty thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, failing which the consequent executive acts will be adopted pursuant to art. 27 of Law no. 689/1981;

ORDERS

- pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the Guarantor's website;
- pursuant to art. 154-bis, paragraph 3, of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the Authority's website;
- pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation in the Authority's internal register provided for by art. 57, par. 1, letter u), of the Regulation.

Pursuant to Articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, on pain of inadmissibility, within thirty days of the date of communication of the provision or within sixty days if the appellant resides abroad.

Rome, 29 April 2025

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE ACTING SECRETARY GENERAL
Filippi