Garante per la protezione dei dati personali (Italy) - 9538748: Difference between revisions

From GDPRhub


<pre>
<pre>
[doc. web no. 9538748].


Injunction order against Agenzia regionale protezione ambientale Campania (ARPAC) - 14 January 2021


Register of measures
No 5 of 14 January 2021


THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA


At today's meeting, attended by Prof. Pasquale Stanzione, chairman, Prof. Ginevra Cerrina Feroni, vice-chairman, Dr. Agostino Ghiglia and Dr. Guido Scorza, members, and cons. Fabio Mattei, Secretary General;


HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter the "Regulation");


HAVING REGARD to the Personal Data Protection Code, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree No 196 of 30 June 2003, as amended by Legislative Decree No 101 of 10 August 2018, hereinafter the "Code");


HAVING REGARD to Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Garante for the protection of personal data, approved by Resolution No. 98 of 4 April 2019, published in G.U. No. 106 of 8 May 2019 and available on the website www.garanteprivacy.it, doc. web No. 9107633 (hereinafter 'Garante Regulation No. 1/2019')


HAVING REGARD to the documentation on file;


HAVING REGARD TO the comments made by the Secretary General pursuant to Article 15 of the Regulation of the Garante no. 1/2000 on the organisation and functioning of the Office of the Garante for the protection of personal data (web doc. no. 1098801);


Rapporteur Prof. Pasquale Stanzione;


WHEREAS


1. The violation of personal data.


By means of notes received on XX and XX (respectively, prot. no. XX and XX), the Campania Regional Environmental Protection Agency (hereinafter, "ARPAC" or "Agency") notified this Authority of the personal data breach referred to in Article 33 of the Regulation, consisting in the loss of a device containing personal data.


On the basis of what ARPAC stated in the aforementioned notes:


- the violation concerned the theft of an external hard disk, which took place on XX, at the premises of the U.O.C. Contaminated Sites and Remediation of the Agency;


- This device contained personal data such as copies of identification documents, tax documents (CUD, F24 and 730 forms), pay slips, reimbursement files and a list containing analytical data relating to judicial proceedings;


- it is not ruled out 'that the data breach was malicious', and it is considered that such breach 'entailed an unlawful removal and possible unauthorised disclosure of the data contained in the external hard disk', and therefore that it, 'by virtue of the number of data subjects, the nature, number and degree of sensitivity of the personal data breached, could determine a consequent risk for the freedoms and rights of the data subjects';


- this breach, moreover, would have compromised both the confidentiality of the aforementioned data and their availability, since 'the backup save [was] not successful, as a result of which the data [were] almost all irreparably lost'. As specified in the complaint to the Carabinieri Command made on XX, 'The data in question had been backed up on XX, therefore those saved after that date have been lost';


- the hard disk which had been stolen was 'connected to the server installed in a room to which any employee can have access', as well as the employees of ARPAC Multiservizi, an in-house company of the Agency.


2.  The preliminary investigation.


By means of deed no. XX of XX (notified on the same date by certified e-mail), which is deemed to be reproduced here in its entirety, the Office initiated proceedings pursuant to article 166, paragraph 5, of the Code, with reference to the specific situations of unlawfulness referred to therein, for the adoption of the measures pursuant to article 58, paragraph 2, of the Regulation against ARPAC, for breach of articles 5, paragraph 1, letter f), and 32 of the Regulation.


In a note dated XX (our prot. no. XX of XX), ARPAC submitted its defence, pursuant to article 166, paragraph 6, of the Code, in which it stated, in particular, that:


- as part of the more general process of compliance with the principles and rules of the Regulation, it has adopted, inter alia, 'an information security management system capable of identifying any vulnerabilities in ARPAC's data architecture, by adhering to the Consip Framework Contract relating to "Digital Identity Management and Application Security Services" -Deliberation XX of XX" (describing the services contracted), as well as, with reference to the resources on the internet network, a series of multi-level security measures (Firewall protection, security measures for individual workstations, security measures for servers);


- with reference to the specific case, the server to which the stolen hard disk was connected "is normally used as a "Shared Area Server for internal use" in which the technical staff of the Analytical Area inserts, in the files of the Provisional Test Reports (Provisional Certificates of Analysis) the data resulting from the processing of analytical parameters determined in the samples under analysis. [...] From the subsequent investigation carried out [...] it was found that in the above server are also stored spreadsheets (in . xls format), methods of analysis, unsigned letters of transmission of documentation in word format, unsigned proposals for resolutions or determinations (these are mere drafts in word, of work in the study and processing phase and not "judicial data" as erroneously identified in the Data Breach Report Form), documentation accompanying the same resolutions and/or determinations, such as requests, offers and declarations of suppliers", as well as copies of the identity documents of the legal representatives of the latter;


- inside the device there were also 'personal data of the employees authorised to access the hard disk in question, which is in any event protected by a password, as well as those of their families, [which] have never been requested by ARPAC. In fact, it should be noted that such data have been improperly stored directly by the abovementioned staff and on their own initiative on that shared medium in their personal files';


- all the interested parties identified above (legal representatives of suppliers, employees, their families and external collaborators) would have been contacted in order to be informed 'of the theft/loss, for their own protection', through communications made by email, 'urging them to activate every possible precaution aimed at protecting themselves from potential negative consequences due to the violation suffered';


- moreover, "in order to mitigate, from an organisational point of view, further and potential similar episodes", as well as "pending the implementation of Resolution no. XX of XX adhering to the previously mentioned Consip Framework Contract", special physical security measures were also adopted. "At the same time, all staff were urged not to use all the agency IT tools and not for personal purposes, as per the ICT Regulations";


- Finally, 'further investigations carried out have not revealed any negative consequences, which seem highly unlikely, with regard to the possible improper use of personal data of both employees and outsiders'.


With regard to some aspects not yet clarified, in response to the request for information sent by the Office, pursuant to art. 157 of the Code, on XX (prot. no. XX), ARPAC provided the requested feedback, with notes of XX and XX (respectively, prot. no. XX and XX):


- enclosing a copy of the notices of infringement sent to the persons concerned pursuant to Articles 33 and 34 of the Regulation (dated XX);


- producing the "self-declaration of the employees concerning the voluntary storage of their personal data on the hard disk" (dated XX), in which they acknowledge "the improper use of the data and the damage that could be caused by it";


- confirming that the aforementioned physical security measures had been put in place;


- describing the 'implementation of the security measures that the SINF Service has intended to adopt, with particular reference to the aspects concerning the analysis of the risks and the measures envisaged to eliminate or at least mitigate them', which is currently in progress;


- transmitting, by courier, a CD containing "a copy of the Test Reports relating to the year XX in .pdf format and a copy of the respective spreadsheets in excel format (work sheets), contained in the Hard Disk object of subtraction, as clear evidence that the same do not contain personal data relating to criminal convictions and offences or to related security measures, referred to in Article 10 of the Regulation";


- finally, communicating the request made to the Command of the Carabinieri, aimed at acquiring information about the possible developments of the investigations started on the matter.


3. Outcome of the investigation.


Article 5(1)(f) of the Regulation lays down the principle of integrity and confidentiality, according to which personal data shall be 'processed in a way that ensures appropriate security of personal data, including protection, by appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage'.


In implementation of this principle, the subsequent Article 32 states that "Having regard to the state of the art and the cost of its implementation, and having regard to the nature, subject-matter, context and purposes of the processing, as well as to the risk of varying degrees of likelihood and severity to the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which shall include, inter alia, where appropriate: (a) pseudonymisation and encryption of personal data; (b) the ability to ensure, on a permanent basis, the confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore in a timely manner the availability of and access to personal data in the event of a physical or technical incident; (d) a procedure to regularly test, verify and evaluate the effectiveness of technical and organisational measures to ensure the security of processing" (para. 1) and that "In assessing the appropriate level of security, special consideration shall be given to the risks presented by the processing, resulting in particular from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (para. 2).


The case in question therefore concerns a personal data breach, meaning a "breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorised disclosure of or access to the personal data transmitted, stored or in any case processed" (Article 4, no. 12, of the Regulation), since there has been "an unlawful removal and possible unauthorised disclosure of the data contained on the external hard disk", as notified by ARPAC to this Authority pursuant to Article 33 of the Regulation.


With regard to the aforementioned legal framework, it emerged that the reported personal data breach was made possible by the absence of the necessary measures to ensure a level of security appropriate to the risk, as required by Article 32 of the Regulation. Indeed, the documentation in the file shows that the following had not been adopted:


- measures necessary to ensure, on a permanent basis, the continuity and the restoration of the availability of the stolen personal data, since ARPAC itself acknowledged that the backup operations were not successful and that therefore, even considering only the data recorded until XX, "the data [have] almost all been irreparably lost";


- techniques capable of ensuring the non-identifiability of the data subjects to whom the personal data contained in the device referred, in order to limit the risk of their consultation by persons not duly authorised (such as pseudonymisation or encryption of data), also taking into account that any employee could have access to the premises where the stolen device was kept;
- procedures for regularly testing, verifying and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.


The arguments put forward by the data controller in its defence refer to the measures adopted after the episode that caused the loss of the hard disk, or in any case in the course of preparation at that time. The initiatives described, although worthy of consideration in the terms that will be set out below, do not eliminate the fact that, at the time when the loss of the device containing the personal data occurred, adequate technical and organisational measures had not been adopted to ensure protection against unauthorised or unlawful processing or loss, and to ensure a level of security appropriate to the risk.


For these reasons, on the basis of the elements acquired and the facts that emerged during the preliminary investigation, it is established that ARPAC, in relation to the facts under examination at the time of the loss of the hard disk, was responsible for the violation of Articles 5(1)(f) and 32 of the Regulation.


4. Conclusions.


In the light of the above assessments, taking into account the statements made by the data controller in the course of the preliminary investigation - for the truthfulness of which the declarant may be held to account pursuant to Article 168 of the Code - it should be noted that the elements provided by the data controller in the defence briefs, as well as those provided following the subsequent request for information, although worthy of consideration, do not overcome the findings notified by the Office in the act initiating the procedure and are insufficient to allow the proceedings to be closed, since none of the cases provided for by Article 11 of the Regulation of the Garante no. 1/2019 apply.


Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by ARPAC is noted, for not having adopted adequate technical and organisational measures to ensure protection against unauthorised or unlawful processing or loss, and to ensure a level of security appropriate to the risk, in breach of Articles 5(1)(f) and 32 of the Regulation.


Violation of the aforementioned provisions makes the administrative sanction provided for by Article 83, paragraph 5, of the Regulation applicable, pursuant to Articles 58, paragraph 2, letter i), and 83, paragraph 5, of the Regulation.


5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58(2)(i) and 83 of the Regulation; Article 166(7) of the Code).


The Guarantor, pursuant to Articles 58(2)(i) and 83 of the Regulation, as well as Article 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, within this framework, "the Board [of the Guarantor] shall adopt the injunction order, whereby it shall also order the application of the accessory administrative sanction of its publication, in full or in extracts, on the website of the Guarantor pursuant to Article 166(7) of the Code" (Article 16(1) of the Regulation of the Garante no. 1/2019).


In this regard, taking into account Article 83, paragraph 3, of the Regulation, in the case at hand, the violation of the cited provisions is subject to the application of the same pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation.
The amount of the fine imposed must be determined on the basis of the circumstances of each individual case, taking due account of the factors referred to in Article 83(2) of the Regulation.


In relation to the aforementioned elements, it was considered that the violation concerned personal data which, in terms of quality and quantity, were not particularly significant - moreover, according to what was stated, in part improperly stored by the data subjects themselves - and from which special categories of personal data and personal data relating to criminal convictions and offences, as referred to in Articles 9 and 10 of the Regulation, were excluded, and that the violation only emerged as a result of an allegedly criminal act carried out by persons yet to be identified (in relation to which the Agency immediately lodged a complaint with the authorities competent to ascertain any criminal liability).


Furthermore, the technical and organisational measures that the Agency declared it had already put in place on a provisional basis, and those in the course of being put in place, were favourably considered, as was the full cooperation shown towards the Authority in providing elements for the reconstruction of the event and for the mitigation of the possible negative effects of the violation (including the communication of the violation to the data subjects pursuant to Art. 34 of the Regulation).


On the basis of the aforementioned elements, assessed as a whole, the amount of the fine shall be set at €8,000.00 (eight thousand) for the breach of Articles 5(1)(f) and 32 of the Regulation, as an administrative pecuniary sanction deemed, pursuant to Article 83(1) of the Regulation, to be effective, proportionate and dissuasive.


Taking into account that the violation emerged on the occasion of conduct that may have criminal aspects, given the complaint submitted by the Agency to the competent authorities, it is also considered that the accessory sanction of the publication of this measure on the website of the Garante, provided for in Article 166, paragraph 7, of the Code and Article 16 of the Regulation of the Garante no. 1/2019, should apply.


Finally, it should be noted that the requirements of Article 17 of the Regulation of the Guarantor No 1/2019 are met.


IN VIEW OF ALL THE ABOVE, THE GUARANTOR


having noted the unlawfulness of the processing carried out by the Regional Environmental Protection Agency Campania (ARPAC) for violation of Articles 5(1)(f) and 32 of the Regulation, in the terms set out in the grounds,


ORDERS


the Agenzia regionale protezione ambientale Campania (ARPAC), in the person of its legal representative pro tempore, with registered office in Naples, Via Vicinale S. Maria Del Pianto - Centro Polifunzionale, Torre 1, Tax Code 07407530638, pursuant to articles 58, paragraph 2, letter i), and 83, paragraph 5, of the Regulation, to pay the sum of EUR 8,000.00 (eight thousand) as a pecuniary administrative sanction for the violations indicated in the grounds. It should be noted that the offender, pursuant to article 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;


ENJOINS


the aforesaid Agency, in the event of failure to settle the dispute pursuant to Article 166, paragraph 8, of the Code, to pay the sum of EUR 8,000.00 (eight thousand) in the manner indicated in the annex, within 30 days of the notification of this measure, under penalty of the adoption of the consequent enforcement acts pursuant to Article 27 of Law 689/1981;


PROVIDES FOR


a) pursuant to Article 166, paragraph 7, of the Code and Article 16 of the Regulation of the Guarantor no. 1/2019, the publication of this measure on the website of the Guarantor, considering that the prerequisites set out in Article;


b) pursuant to Article 17 of the Regulation of the Guarantor No 1/2019, the annotation in the internal register of the Authority of the violations and measures adopted, pursuant to Article 58, paragraph 2, of the Regulation, with this measure.


Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree 150/2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the measure itself, or within sixty days if the applicant resides abroad.


Rome, 14 January 2021


THE PRESIDENT
Stanzione


THE RAPPORTEUR
Stanzione


THE SECRETARY GENERAL
Mattei
 
</script><form action="/home/ricerca/-/search/key/0" id="searchform" name="searchForm" method="post"><fieldset><!--  <legend><input type="submit" value="RICERCA" /></legend> --><input name="keyword" id="search" type="text" placeholder="inserisci chiave di ricerca" /><input id="searchButton" type="submit" value="search for" /><input id="radio-1" name="testoodoc" type="radio" value="testo" checked="checked"/> <label for="radio-1">text</label><input id="radio-2" name="testoodoc" type="radio" value="docweb" /> <label for="radio-2">docweb</label> <a class="ricercaavanzata" id="ricercaavanzata" href="#">advanced search</a> <input id="startdate" name="startdate" type="hidden" value="Inizio"/><input id="stopdate" name="stopdate" type="hidden" value="Fine"/><input name="cmd" type="hidden" value="search" /></fieldset></form><div id="advancedsearch" title="ADVANCED SEARCH" ></div></div></div></div></section></div><div class="portlet-boundary portlet-boundary_GDocwebDisplay_  portlet-static portlet-static-end portlet-barebone  " id="p_p_id_GDocwebDisplay_"><span id="p_GDocwebDisplay"></span><section class="portlet" id="portlet_GDocwebDisplay"><div class="portlet-content"><div class="autofit-float autofit-row portlet-header"><div class="autofit-col autofit-col-expand"><h2 class="portlet-title-text"> g-docweb-display Portlet </h2></div><div class="autofit-col autofit-col-end"><div class="autofit-section"></div></div></div><div class=" portlet-content-container"><div class="portlet-body"><div id="internal-content-wrapper" xmlns:dc="//purl.org/dc/elements/1.1/" ><h1 class="interna-titolo" property="dc:title"> Injunction order against the Campania Regional Environmental Protection Agency (ARPAC) - January 14, 2021 [9538748] </h1><div id="interna-main-sx"><p class="sottotitolo" property="dc:description"></p><div class="tab-container"><div class="tab"> <span>CARD</span></div><div class="scheda"><dl><dt class="autore" style="display: none"> Author:</dt><dd> <span property="dc:creator" 
style="display: none">Guarantor for the protection of personal data</span></dd><dt class="docweb"> Doc-Web:</dt><dd> <span property="dc:identifier"><a href="/garante/doc.jsp?ID=9538748">9538748</a></span></dd><dt class="data" > Date:</dt><dd> <span property="dc:date">14/01/21</span></dd><dt class="argomenti" > Topics:</dt><dd class="argomenti"> <span property="dc:subject"><a  href="https://www.garanteprivacy.it/web/guest/home/ricerca/-/search/argomento/Misure di sicurezza">Security measures</a></span> , <span property="dc:subject"><a  href="https://www.garanteprivacy.it/web/guest/home/ricerca/-/search/argomento/Archivi e banche dati">Archives and</a></span> <span property="dc:subject"><a  href="https://www.garanteprivacy.it/web/guest/home/ricerca/-/search/argomento/Conservazione di dati">databases</a></span> , <span property="dc:subject"><a  href="https://www.garanteprivacy.it/web/guest/home/ricerca/-/search/argomento/Data breach">Data retention</a></span> , <span property="dc:subject"><a  href="https://www.garanteprivacy.it/web/guest/home/ricerca/-/search/argomento/Data breach">Data breach</a></span></dd><dt class="tipologia"> Typology:</dt><dd class="tipologia"> <span property="dc:type"><a  href="https://www.garanteprivacy.it/web/guest/home/ricerca/-/search/tipologia/Ordinanza ingiunzione o revoca">Order injunction or revocation</a></span> </dd></dl></div></div><div id="interna-allegati"><p class="orange" style="padding: 7px 0 10px 7px; font-size: 1.3em;"> DOCUMENTS MENTIONED</p><ul><li class="allegato-testo"> <a title="Resolution of 4 April 2019 - Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data [9107633]" href="https://www.garanteprivacy.it:443/home/docweb/-/docweb-display/docweb/9107633">Resolution of 4 April 2019 - Regulation No. 
1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data [9107633]</a></li><li class="allegato-testo"> <a title="Regulation 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data (current text)" href="https://www.garanteprivacy.it:443/home/docweb/-/docweb-display/docweb/1098801">Regulation 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data (current text)</a></li></ul></div><br /></div><div id="interna-main-dx"><div class="azioni"><div class="azione"> <span><a href="javascript:_GDocwebDisplay_printPage();"><img src="https://www.garanteprivacy.it/o/garante-privacy-theme/images/icons/icona_stampa.png" alt="Print"/> <span><span class="helper-hidden-accessible">Print</span> Print</span></a></span> </div><div class="azione"><form action="https://www.garanteprivacy.it:443/pdf?p_p_id=PdfUtil&p_p_lifecycle=2&p_p_state=normal&p_p_mode=view&p_p_resource_id=%2Foffering%2FprintPDF&p_p_cacheability=cacheLevelPage&_PdfUtil_articleId=9538748" method="post" name="pdfForm" ></form> <a href="#" onclick="document.pdfForm.submit()"><img src="https://www.garanteprivacy.it/o/garante-privacy-theme/images/icons/icona_pdf.png" alt="PDF"/> <span><span class="helper-hidden-accessible">Transform content into</span> PDF</span></a></div><div class="azione"> <span><a href="mailto:?subject=Dal sito del Garante per la protezione dei dati personali&amp;body=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9538748"><img src="https://www.garanteprivacy.it/o/garante-privacy-theme/images/icons/icona_condividi.png" alt="Share" /> <span>Send by mail <span class="helper-hidden-accessible">Send by mail</span></span></a></span></div><div class="azione"><table border="0" cellspacing="1"><tr><td><!-- Facebook --> <a rel="nofollow"
href="https://www.facebook.com/sharer/sharer.php?u=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9538748"><img
src="https://www.garanteprivacy.it/o/garante-privacy-theme/images/social/facebook.png" title="Facebook" alt="Facebook" /></a> </td><!-- <td> --><!-- Google+ <a rel="nofollow" --><!-- </td> --></tr><tr><td><!-- Twitter --> <a rel="nofollow"
href="https://twitter.com/home?status=Ordinanza+ingiunzione+nei+confronti+di+Agenzia+regionale+protezione+ambientale+Campania+%28ARPAC%29+-+14+gennaio+2021+%5B9538748%5D+-+https%3A%2F%2Fwww.garanteprivacy.it%2Fweb%2Fguest%2Fhome%2Fdocweb%2F-%2Fdocweb-display%2Fdocweb%2F9538748+-+%23GarantePrivacy"><img
src="https://www.garanteprivacy.it/o/garante-privacy-theme/images/social/twitter.png" title="Twitter" alt="Twitter" /></a></td><td><!-- LinkedIn --> <a rel="nofollow"
href="https://www.linkedin.com/sharing/share-offsite/?mini=true&amp;url=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9538748" ><img
src="https://www.garanteprivacy.it/o/garante-privacy-theme/images/social/linkedin.png" title="LinkedIn" alt="LinkedIn" /></a></td></tr></table> <span style="margin-left: 14px; margin-top: 2px;">Sharing <span class="helper-hidden-accessible">Sharing</span></span> </div></div><div id="readspeaker_button1" class="rs_skip rsbtn rs_preserve" style="margin-top:40px;"> <a class="rsbtn_play" accesskey="L" title="Listen to this page with ReadSpeaker" href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=7205&amp;lang=it_it&amp;readid=content-area&amp;url=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9538748"><span class="rsbtn_left rsimg rspart"><span class="rsbtn_text"><span>Listen</span></span></span><span class="rsbtn_right rsimg rsplay rspart"></span></a></div><div id="content-area"><div class="testo"><p style="text-align: right;"> <span style="font-size:12px;">[doc. web n. 9538748]</span></p><p><span style="font-size:12px;"></span> <strong><span style="font-size:12px;">Injunction order against the Campania Regional Environmental Protection Agency (ARPAC) - January 14, 2021</span></strong><span style="font-size:12px;"></span></p><p style="text-align: right;"> <span style="font-size:12px;">Record of measures<br /> n. 5 of January 14, 2021</span></p><p style="text-align: center;"><span style="font-size:12px;"></span> <strong><span style="font-size:12px;">THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA</span></strong><span style="font-size:12px;"></span></p><p style="text-align: justify;"> <span style="font-size:12px;">IN today&#39;s meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the cons. 
Fabio Mattei, general secretary;</span></p><p style="text-align: justify;"> <span style="font-size:12px;">GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC, &quot;General Data Protection Regulation&quot; (hereinafter the &quot;Regulation&quot;);</span></p><p style="text-align: justify;"> <span style="font-size:12px;">GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of national law to regulation (EU) 2016/679 (legislative decree 30 June 2003, n.196, as amended by legislative decree 10 August 2018, no. 101, hereinafter the &quot;Code&quot;);</span></p><p style="text-align: justify;"> <span style="font-size:12px;">HAVING REGARD to regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and available on the website www.garanteprivacy.it, doc. web n. <a href="/garante/doc.jsp?ID=9107633">9107633</a> (hereinafter &quot;regulation of the Guarantor no. 1/2019&quot;);</span><span style="font-size:12px;"></span></p><p style="text-align: justify;"> <span style="font-size:12px;">GIVEN the documentation in the deeds;</span></p><p style="text-align: justify;"> <span style="font-size:12px;">GIVEN the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000 on the organization and functioning of the Office of the Guarantor for the protection of personal data (web doc. N. <a href="/garante/doc.jsp?ID=1098801">1098801</a> );</span></p><p style="text-align: justify;"> <span style="font-size:12px;">Speaker prof. 
Pasquale Stanzione;</span><span style="font-size:12px;"></span></p><p style="text-align: center;"> <strong><span style="font-size:12px;">WHEREAS</span><span style="font-size:12px;"></span></strong></p><p> <strong><span style="font-size:12px;">1. The personal data breach.</span></strong></p><p style="text-align: justify;"> <span style="font-size:12px;">With notes received on XX and XX (respectively, our prot. Nos. XX and XX), the Campania Regional Environmental Protection Agency (hereinafter, &quot;ARPAC&quot; or &quot;Agency&quot;) notified this Authority of a personal data breach pursuant to art. 33 of the Regulation, consisting in the loss of a device containing personal data.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">Based on what ARPAC stated in the aforementioned notes:</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- the violation concerned the theft of an external hard disk, which occurred on XX, at the premises of the Contaminated Sites and Remediation Unit of the Agency;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- this device contained personal data such as copies of identification documents, fiscal documents (CUD, forms F24 and 730), pay slips, reimbursement practices and a list containing analytical data referring to judicial proceedings;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- it cannot be ruled out &quot;that the data breach was malicious&quot;, and it is believed that this violation &quot;involved an illegal theft and possible unauthorized disclosure of the data contained in the external hard disk&quot;, and therefore that it, &quot;by virtue of the number of interested parties, the nature, number and degree of sensitivity of the personal data violated may determine a consequent risk for the freedoms and rights of the interested parties&quot;;</span></p><p 
style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- this violation, moreover, would have compromised both the confidentiality of the aforementioned data and their availability, since &quot;the backup [was] unsuccessful, consequently the data [had] been almost all irreparably lost&quot;. As specified in the complaint to the Carabinieri Command made on XX, &quot;The data in question had been backed up on XX, therefore those saved after the aforementioned date have been lost&quot;;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- the stolen hard disk would have been “connected to the server installed in a room that any employee can access”, as well as the employees of ARPAC Multiservizi, the Agency&#39;s in-house company.</span><span style="font-size:12px;"></span></p><p> <strong><span style="font-size:12px;">2. The preliminary activity.</span></strong></p><p style="text-align: justify;"> <span style="font-size:12px;">The Office, with act no. XX of the XX (notified on the same date by certified e-mail), which here must be understood as fully reproduced, has started, pursuant to art. 166, paragraph 5, of the Code, with reference to the specific situations of illegality referred to therein, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulations against the ARPAC, for the violation of articles 5, par. 1, lett. f), and 32 of the Regulation.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">With a note of the XX (our prot. N. XX of the XX), the ARPAC sent its defense briefs, pursuant to art. 
166, paragraph 6, of the Code, where it represented, in particular, that:</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- within the more general process of adapting to the principles and rules of the Regulation, it has, among other things, &quot;an information security management system suitable for identifying any vulnerabilities in the ARPAC data architecture , adhering to the Consip Framework Agreement relating to &quot;Digital identity management and application security services&quot; - Resolution XX del XX &quot;(describing the contracted services), as well as, with reference to the resources available on the internet, a series of security measures to multiple levels (Firewall protection, security measures for individual workstations, security measures for servers);</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- with reference to the specific event, the server to which the stolen hard disk was connected &quot;is normally used as a&quot; Shared Area Server for internal use &quot;in which the technical staff of the Analytical Area inserts, in the files of the Test Reports Provisional (Provisional Certificates of Analysis) the data deriving from the elaboration of the analytical parameters determined in the samples being analyzed. [...] From the subsequent investigation [...] 
it was found that the aforementioned server also stores spreadsheets (in .xls format), analysis methods, unsigned Word document transmission letters, proposals for resolutions or unsigned determination (these are mere brogliacci in word, work in the study and processing phase and not &quot;judicial data&quot; as erroneously identified in the preventive Data Breach Reporting Form) documentation accompanying the same resolutions and / or determinations, such as requests, offers and declarations of suppliers &quot;, as well as a copy of the identity documents of the legal representatives of the latter;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- inside the device there were also “personal data of employees authorized to access the hard disk in question, in any case protected by access passwords, as well as those of their family members, [who] have never been requested by ARPAC. In fact, it should be noted that such data have been improperly stored directly by the aforementioned staff and voluntarily on this support shared in their personal files &quot;;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- all the interested parties identified above (legal representatives of suppliers, employees, their family members and external collaborators) would have been contacted in order to be informed &quot;of the theft / loss, for their protection&quot;, through communications sent via email, &quot;urging to activate any possible precaution aimed at protecting potential negative consequences due to the violation suffered &quot;;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- moreover, &quot;in order to mitigate, from an organizational point of view, further and potential similar episodes&quot;, as well as &quot;pending the implementation of Resolution no. 
XX of XX of adhesion to the aforementioned Consip Framework Agreement&quot;, particular physical security measures. “At the same time, all the staff were urged not to use all the IT agency tools and not for personal purposes, as per the ICT Regulations”;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- finally, &quot;from further investigations carried out, no negative consequences have occurred, which appear to be completely unlikely, in relation to any improper use of personal data of both employees and external parties&quot;.<br /> In relation to some aspects not yet clarified, in response to the request for information sent by the Office, pursuant to art. 157 of the Code, the XX (prot. N. XX), the ARPAC provided the requested feedback, with notes of the XX and XX (respectively, our prot. Nos. XX and XX):</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- attaching a copy of the communications of the violation made to the interested parties, pursuant to art. 
33 and 34 of the Regulations (dating back to the 20th);</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- producing the &quot;self-declaration of employees about the voluntary storage of their personal data on the hard disk&quot; (dated XX), in which it is acknowledged, by the same &quot;the improper use of data as well as the damage that could achieve &quot;;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- confirming the implementation of the aforementioned physical security measures;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- describing the &quot;implementation of the security measures that the SINF Service intended to adopt, with particular reference to the aspects concerning the analysis of risks and the measures envisaged to eliminate them, or at least mitigate them&quot;, currently in progress;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- by sending, by courier, a CD containing a &quot;copy of the Test Reports relating to the year XX in .pdf format and a copy of the respective spreadsheets in Excel format (work brochures), contained in the stolen Hard Disk, as clear evidence that they do not contain personal data relating to criminal convictions and crimes or related security measures, pursuant to art. 10 of the Regulations &quot;;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- finally communicating the request made to the Carabinieri Command, aimed at acquiring information about any developments in the investigations launched on the matter.</span><span style="font-size:12px;"></span></p><p> <strong><span style="font-size:12px;">3. Outcome of the preliminary investigation.</span></strong></p><p style="text-align: justify;"> <span style="font-size:12px;">The art. 5, par. 1, lett. 
f), of the Regulation establishes the principle of integrity and confidentiality, according to which personal data are &quot;processed in such a way as to guarantee adequate security of personal data, including protection, by means of adequate technical and organizational measures, from unauthorized processing or unlawful acts and accidental loss, destruction or damage&quot;.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">In implementation of this principle, the following art. 32 establishes that &quot;Taking into account the state of the art and the costs of implementation, as well as the nature, object, context and purpose of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons, the data controller and the data processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which include, among others, where applicable: a) the pseudonymisation and encryption of personal data; b) the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services on a permanent basis; c) the ability to promptly restore the availability and access of personal data in the event of a physical or technical incident; d) a procedure for testing, verifying and regularly evaluating the effectiveness of technical and organizational measures in order to guarantee the security of the processing&quot; (paragraph 1) and that &quot;In assessing the adequate level of security, special consideration is given to the risks presented by the processing that derive in particular from the destruction, loss, modification, unauthorized disclosure or access, accidentally or illegally, to personal data transmitted, stored or otherwise processed&quot; (par. 
2).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">The case in question therefore relates to a personal data breach, meaning a &quot;security breach that accidentally or illegally involves the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed&quot; (Article 4, no. 12, of the Regulation), having involved &quot;an illegal theft and possible unauthorized disclosure of the data contained in the external hard disk&quot;, as notified by the ARPAC to this Authority pursuant to art. 33 of the Regulation.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">With respect to the aforementioned legal framework, it emerged that the reported breach of personal data was made possible by the absence of the necessary measures to ensure a level of security appropriate to the risk, required by art. 32 of the Regulation. Indeed, from the documentation on file it appears that the following had not been adopted:</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- measures necessary to allow the continuity, on a permanent basis, and the restoration of the availability of the stolen personal data, the ARPAC having acknowledged that the backup operations were not successful and that therefore, even considering only the data recorded up to XX, “the data [have] been almost all irreparably lost”;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- techniques able to ensure the non-identifiability of the data subjects to whom the personal data contained in the device referred, to limit the risk of their consultation by unauthorized subjects (such as pseudonymisation or data encryption), also taking into account that any employee could access the room where the stolen device was kept;</span></p><p style="text-align: justify; margin-left: 40px;"> <span 
style="font-size:12px;">- procedures suitable for testing, verifying and regularly evaluating the effectiveness of technical and organizational measures in order to guarantee the security of the processing.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">The information put forward by the data controller in its defence briefs pertains to the measures adopted after the episode that caused the loss of the hard disk, or in any case being prepared in that period. The initiatives described, although worthy of consideration in the terms that will be explained below, do not eliminate the fact that, when the loss of the device containing the personal data occurred, adequate technical and organizational measures had not been adopted to ensure protection from unauthorized or illegal processing or loss, and to ensure a level of security appropriate to the risk.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">For these reasons, on the basis of the elements acquired and the facts that emerged as part of the investigation, it is ascertained that ARPAC, in relation to the facts in question at the time of the loss of the hard disk, was responsible for the violation of articles 5, par. 1, lett. f), and 32 of the Regulation.</span><span style="font-size:12px;"></span></p><p> <strong><span style="font-size:12px;">4. Conclusions.</span></strong></p><p style="text-align: justify;"> <span style="font-size:12px;">In light of the aforementioned assessments, taking into account the statements made by the data controller during the investigation - for the truthfulness of which one may be called to answer pursuant to art. 
168 of the Code - it is represented that the elements provided by the data controller in the defense briefs, as well as in the elements provided following the subsequent request for information, although worthy of consideration, do not allow to overcome the findings notified by the Office with the deed of start of the proceeding and are insufficient to allow the filing of the proceeding, since none of the cases provided for by art. 11 of the regulation of the Guarantor n. 1/2019.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by ARPAC is noted, for not having adopted adequate technical and organizational measures to ensure protection from unauthorized or illegal processing or loss, and for guarantee a level of security adequate to the risk, in violation of Articles 5, par. 1, lett. f), and 32 of the Regulation.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">The violation of the aforementioned provisions makes the administrative sanction envisaged by art. 83, par. 5, of the Regulation, pursuant to art. 58, par. 2, lett. i), and 83, par. 5, of the same Regulation.</span><span style="font-size:12px;"></span></p><p> <strong><span style="font-size:12px;">5. Adoption of the injunction order for the application of the pecuniary administrative sanction and of the ancillary sanctions (articles 58, par. 2, letter i), and 83 of the Regulations; art. 166, paragraph 7, of the Code).</span></strong></p><p style="text-align: justify;"> <span style="font-size:12px;">The Guarantor, pursuant to art. 58, par. 2, lett. i), and 83 of the Regulations as well as art. 
166 of the Code, has the power to &quot;inflict an administrative pecuniary sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case &quot;and, in this context,&quot; the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code &quot;(article 16, paragraph 1, of the regulation of the Guarantor no. 1/2019).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">In this regard, taking into account art. 83, par. 3, of the Regulation, in this case, the violation of the aforementioned provisions is subject to the application of the same administrative fine provided for by art. 83, par. 5, of the Regulation.<br /> The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the elements provided for by art. 83, par. 2, of the Regulation.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">In relation to the aforementioned elements, it was also considered that the violation concerned personal data which, in terms of quality and quantity, do not denote particular importance - moreover, according to what was declared, partly stored improperly by the interested parties themselves - and from which they result excluding special categories of personal data and personal data relating to criminal convictions and offenses, pursuant to art. 
9 and 10 of the Regulations, and emerged only following a presumably criminal action taken by persons to be identified (in relation to which the Agency immediately filed a specific complaint with the competent authorities to ascertain any responsibility of a criminal nature).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">Furthermore, the technical and organizational measures that the Agency declared to have already prepared on a temporary basis and those currently being prepared, as well as the full cooperation shown towards the Authority in providing elements for the reconstruction of the &#39;happened and to mitigate the possible negative effects of the violation (including the communication of the violation to the interested parties pursuant to Article 34 of the Regulation).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">On the basis of the aforementioned elements, evaluated as a whole, it is considered to determine the amount of the pecuniary sanction in the amount of € 8,000.00 (eight thousand) for the violation of Articles 5, par. 1, lett. f), and 32 of the Regulations, as an administrative pecuniary sanction, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">Taking into account that the violation emerged on the occasion of allegedly criminal conduct that could present aspects of a criminal nature, given the complaint presented by the Agency to the competent authorities, it is also considered that the accessory sanction of publication on the website of the Guarantor of the this provision, provided for by art. 166, paragraph 7, of the Code and art. 16 of the regulation of the Guarantor n. 1/2019.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">Finally, it should be noted that the conditions set out in art. 17 of the regulation of the Guarantor n. 
1/2019.</span><span style="font-size:12px;"></span></p><p style="margin-left: 40px; text-align: center;"> <strong><span style="font-size:12px;">ALL THIS CONSIDERED, THE GUARANTOR</span></strong><span style="font-size:12px;"></span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">having found the unlawfulness of the processing carried out by the Campania Regional Environmental Protection Agency (ARPAC) for violation of Articles 5, par. 1, lett. f), and 32 of the Regulation, in the terms set out in the reasoning,</span><span style="font-size:12px;"></span></p><p style="margin-left: 40px; text-align: center;"> <strong><span style="font-size:12px;">ORDERS</span></strong></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">the Campania Regional Environmental Protection Agency (ARPAC), in the person of the pro tempore legal representative, based in Naples, Via Vicinale S. Maria Del Pianto - Multifunctional Center, Tower 1, CF 07407530638, pursuant to art. 58, par. 2, lett. i), and 83, par. 5, of the Regulation, to pay the sum of € 8,000.00 (eight thousand) as a pecuniary administrative sanction for the violations indicated in the reasoning. It is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;</span><span style="font-size:12px;"></span></p><p style="margin-left: 40px; text-align: center;"> <strong><span style="font-size:12px;">ENJOINS</span></strong></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">the aforementioned Agency, in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 8,000.00 (eight thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 
27 of Law no. 689/1981;</span><span style="font-size:12px;"></span></p><p style="margin-left: 40px; text-align: center;"> <strong><span style="font-size:12px;">PROVIDES FOR</span></strong><span style="font-size:12px;"></span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">a) pursuant to art. 166, paragraph 7, of the Code and art. 16 of the regulation of the Guarantor n. 1/2019, the publication of this provision on the website of the Guarantor, considering that the conditions referred to in art are met;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">b) pursuant to art. 17 of the regulation of the Guarantor n. 1/2019, the annotation in the internal register of the Authority of the violations and measures adopted, pursuant to art. 58, par. 2, of the Regulation, with this provision.</span> <span style="font-size:12px;"></span><span style="font-size:12px;"></span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">Pursuant to art. 
78 of the Regulation, 152 of the Code and 10 of Legislative Decree 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.</span><span style="font-size:12px;"></span></p><p style="text-align: justify;"> <em><span style="font-size:12px;">Rome, January 14, 2021</span></em><span style="font-size:12px;"></span></p><p style="text-align: right;"> <span style="font-size:12px;">PRESIDENT<br /> Stanzione</span><span style="font-size:12px;"></span></p><p style="text-align: right;"> <span style="font-size:12px;">THE RAPPORTEUR<br /> Stanzione</span><span style="font-size:12px;"></span></p><p style="text-align: right;"> <span style="font-size:12px;">THE SECRETARY GENERAL<br /> Mattei</span> </p><p style="text-align: justify;"></p></div></div><br /></div><hr /></div></div></div></div></section></div></div></div></div><div class="portlet-layout row"><div class="col-md-12 portlet-column portlet-column-only" id="column-4"><div class="empty portlet-dropzone portlet-column-content portlet-column-content-only" id="layout-column_column-4"></div></div></div><div class="portlet-layout row"><div class="col-md-12 portlet-column portlet-column-only" id="column-5"><div class="portlet-dropzone portlet-column-content portlet-column-content-only" id="layout-column_column-5"><div class="portlet-boundary portlet-boundary_MenuPortlet_  portlet-static portlet-static-end portlet-barebone  " id="p_p_id_MenuPortlet_INSTANCE_gOpqEbGKfxmQ_"><span id="p_MenuPortlet_INSTANCE_gOpqEbGKfxmQ"></span><section class="portlet" id="portlet_MenuPortlet_INSTANCE_gOpqEbGKfxmQ"><div class="portlet-content"><div class="autofit-float autofit-row portlet-header"><div class="autofit-col autofit-col-expand"><h2 class="portlet-title-text"> g-menu Portlet </h2></div><div class="autofit-col autofit-col-end"><div 
class="autofit-section"></div></div></div><div class=" portlet-content-container"><div class="portlet-body"><c:if test="true"><div id="_MenuPortlet_INSTANCE_gOpqEbGKfxmQ_"><div class="menu"><c:if test="false"></c:if><div class="block"><div id='pre-footer'><div class='pre-footer-column'><p class='pre-footer-header'><a href="https://www.garanteprivacy.it/home/autorita" >The authority</a></p><ul class='pre-footer'><li> <a href="https://www.garanteprivacy.it/home/autorita/collegio" >The Guarantor</a></li><li> <a href="https://www.garanteprivacy.it/home/autorita/compiti" >Duties of the Guarantor</a></li><li> <a href="https://www.garanteprivacy.it/home/autorita/ufficio" >The office</a></li><li> <a href="https://www.garanteprivacy.it/home/autorita/regolamenti-interni" >Internal regulations</a></li><li> <a href="https://www.garanteprivacy.it/home/autorita/codice-etico" >Ethical code</a></li><li> <a href="https://www.garanteprivacy.it/home/footer/contatti#urp" >URP</a></li><li> <a href="https://www.garanteprivacy.it/home/trasparenza" >Transparent authority</a></li></ul></div><div class='pre-footer-column'><p class='pre-footer-header'> <a href="https://www.garanteprivacy.it/home/provvedimenti-normativa" >Measures and legislation</a></p><ul class='pre-footer'><li> <a href="https://www.garanteprivacy.it/home/provvedimenti-normativa/provvedimenti" >Measures</a></li><li> <a href="https://www.garanteprivacy.it/home/provvedimenti-normativa/normativa" >Regulations</a></li><li> <a href="https://www.garanteprivacy.it/codice" >Code</a></li><li> <a href="https://www.garanteprivacy.it/regolamentoue" >EU Regulation 2016/679</a></li><li> <a href="https://www.garanteprivacy.it/codici-di-condotta" >Codes of conduct</a></li><li> <a href="https://www.garanteprivacy.it/home/provvedimenti-normativa/giurisprudenza" >Law</a></li><li> <a href="https://www.garanteprivacy.it/segnalazioni-al-parlamento-e-al-governo-e-note-istituzionali" >Reports to Parliament and the Government and institutional 
notes</a></li></ul></div><div class='pre-footer-column'><p class='pre-footer-header'> <a href="https://www.garanteprivacy.it/home/attivita-e-documenti" >Activities and documents</a></p><ul class='pre-footer'><li> <a href="https://www.garanteprivacy.it/home/attivita-e-documenti/documenti/audizioni" >Hearings</a></li><li> <a href="https://www.garanteprivacy.it/home/attivita-e-documenti/documenti/relazioni-annuali" >Annual reports</a></li><li> <a href="https://www.garanteprivacy.it/home/attivita-e-documenti/iniziative" >Events and training</a></li><li> <a href="https://www.garanteprivacy.it/home/attivita-e-documenti/iniziative/giornate-europee-della-protezione-dei-dati-personali" >European Days</a></br> <a href="https://www.garanteprivacy.it/home/attivita-e-documenti/iniziative/giornate-europee-della-protezione-dei-dati-personali" >of data protection</a></li><li> <a href="https://www.garanteprivacy.it/temi" >Themes</a></li><li> <a href="https://www.garanteprivacy.it/home/attivita-e-documenti/libri" >Publications</a></li><li> <a href="https://www.garanteprivacy.it/faq" >FAQ</a></li><li> <a href="https://www.garanteprivacy.it/home/attivita-e-documenti/protocolli-d-intesa" >Protocols and conventions</a></li></ul></div><div class='pre-footer-column'><p class='pre-footer-header'> <a href="https://www.garanteprivacy.it/home/stampa-comunicazione" >Press and communication</a></p><ul class='pre-footer'><li> <a href="/home/ricerca/-/search/tipologia/comunicato stampa" >Press releases</a></li><li> <a href="https://www.garanteprivacy.it/home/stampa-comunicazione/newsletter" >Newsletter</a></li><li><a href="https://www.garanteprivacy.it/home/stampa-comunicazione/vademecum-e-campagne-informative" >Vademecum and information campaigns</a></li><li> <a href="https://www.garanteprivacy.it/home/stampa-comunicazione/interviste" >Interviews and speeches</a></li><li> <a href="https://www.garanteprivacy.it/home/stampa-comunicazione/contatti-per-la-stampa" >Press contacts</a></li><li> <a 
</pre>
</pre>

Revision as of 08:23, 22 February 2021

Garante per la protezione dei dati personali - 9538748
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 14.01.2021
Fine: 8000 EUR
Parties: Agenzia regionale protezione ambientale Campania
National Case Number/Name: 9538748
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Italian DPA website (in IT)
Initial Contributor: Davide C.

The Italian DPA fined the Agenzia Regionale Protezione Ambientale Campania (ARPAC) for lacking appropriate security measures to prevent a data breach.

English Summary

Facts

Following a data breach notification from ARPAC, the Italian DPA started a proceeding aimed at checking the security measures implemented by the notifier.

Dispute

Holding

The Italian DPA found that the violation of personal data was due to the lack of an adequate security framework in line with art. 5(1)(f) and 32 GDPR. More specifically: (i) no backup or disaster recovery plan to restore the availability and access to personal data in a timely manner; (ii) no measures to ensure the ongoing confidentiality of data subjects' identity, and (iii) no process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Therefore, the Italian DPA fined ARPAC for not complying with art. 5(1)(f) and 32 GDPR. However, given the initiatives adopted by ARPAC to mitigate the risk of new breaches, the fine was only EUR 8,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9538748].

Injunction order against Agenzia regionale protezione ambientale Campania (ARPAC) - 14 January 2021

Register of measures
No 5 of 14 January 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

At today's meeting, attended by Prof. Pasquale Stanzione, chairman, Prof. Ginevra Cerrina Feroni, vice-chairman, Dr. Agostino Ghiglia and Dr. Guido Scorza, members, and cons. Fabio Mattei, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter the "Regulation");

HAVING REGARD to the Personal Data Protection Code, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree No 196 of 30 June 2003, as amended by Legislative Decree No 101 of 10 August 2018, hereinafter the "Code");

HAVING REGARD to Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Garante for the protection of personal data, approved by Resolution No. 98 of 4 April 2019, published in G.U. No. 106 of 8 May 2019 and available on the website www.garanteprivacy.it, doc. web No. 9107633 (hereinafter "Garante Regulation No. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD TO the comments made by the Secretary General pursuant to Article 15 of the Regulation of the Garante no. 1/2000 on the organisation and functioning of the Office of the Garante for the protection of personal data (web doc. no. 1098801);

Rapporteur Prof. Pasquale Stanzione;

WHEREAS

1. The violation of personal data.

By means of notes received on XX and XX (respectively, prot. no. XX and XX), the Campania Regional Environmental Protection Agency (hereinafter, "ARPAC" or "Agency") notified this Authority of the personal data breach referred to in Article 33 of the Regulation, consisting in the loss of a device containing personal data.

On the basis of what ARPAC stated in the aforementioned notes:

- the violation concerned the theft of an external hard disk, which took place on XX, at the premises of the U.O.C. Contaminated Sites and Remediation of the Agency;

- this device contained personal data such as copies of identification documents, tax documents (CUD, F24 and 730 forms), pay slips, reimbursement files and a list containing analytical data relating to judicial proceedings;

- it is not ruled out 'that the data breach was malicious', and it is considered that such breach 'entailed an unlawful removal and possible unauthorised disclosure of the data contained in the external hard disk', and therefore that it, 'by virtue of the number of data subjects, the nature, number and degree of sensitivity of the personal data breached, could determine a consequent risk for the freedoms and rights of the data subjects';

- this breach, moreover, would have compromised both the confidentiality of the aforementioned data and their availability, since 'the backup save [was] not successful, as a result of which the data [were] almost all irreparably lost'. As specified in the complaint to the Carabinieri Command made on XX, 'The data in question had been backed up on XX, therefore those saved after that date have been lost';

- the hard disk which had been stolen was 'connected to the server installed in a room to which any employee can have access', as well as the employees of ARPAC Multiservizi, an in-house company of the Agency.

2.  The preliminary investigation.

By means of deed no. XX of XX (notified on the same date by certified e-mail), which is deemed to be reproduced here in its entirety, the Office initiated proceedings pursuant to article 166, paragraph 5, of the Code, with reference to the specific situations of unlawfulness referred to therein, for the adoption of the measures pursuant to article 58, paragraph 2, of the Regulation against ARPAC, for breach of articles 5, paragraph 1, letter f), and 32 of the Regulation.

In a note dated XX (our prot. no. XX of XX), ARPAC submitted its defence, pursuant to article 166, paragraph 6, of the Code, in which it stated, in particular, that:

- as part of the more general process of compliance with the principles and rules of the Regulation, it has adopted, inter alia, "an information security management system capable of identifying any vulnerabilities in ARPAC's data architecture, by adhering to the Consip Framework Contract relating to 'Digital Identity Management and Application Security Services' - Deliberation XX of XX" (describing the services contracted), as well as, with reference to the resources on the internet network, a series of multi-level security measures (firewall protection, security measures for individual workstations, security measures for servers);

- with reference to the specific case, the server to which the stolen hard disk was connected "is normally used as a 'Shared Area Server for internal use' in which the technical staff of the Analytical Area inserts, in the files of the Provisional Test Reports (Provisional Certificates of Analysis) the data resulting from the processing of analytical parameters determined in the samples under analysis. [...] From the subsequent investigation carried out [...] it was found that in the above server are also stored spreadsheets (in .xls format), methods of analysis, unsigned letters of transmission of documentation in word format, unsigned proposals for resolutions or determinations (these are mere drafts in word, of work in the study and processing phase and not 'judicial data' as erroneously identified in the Data Breach Report Form), documentation accompanying the same resolutions and/or determinations, such as requests, offers and declarations of suppliers", as well as copies of the identity documents of the legal representatives of the latter;

- inside the device there were also 'personal data of the employees authorised to access the hard disk in question, which is in any event protected by a password, as well as those of their families, [which] have never been requested by ARPAC. In fact, it should be noted that such data have been improperly stored directly by the abovementioned staff and on their own initiative on that shared medium in their personal files';

- all the interested parties identified above (legal representatives of suppliers, employees, their families and external collaborators) would have been contacted in order to be informed 'of the theft/loss, for their own protection', through communications made by email, 'urging them to activate every possible precaution aimed at protecting themselves from potential negative consequences due to the violation suffered';

- moreover, "in order to mitigate, from an organisational point of view, further and potential similar episodes", as well as "pending the implementation of Resolution no. XX of XX adhering to the previously mentioned Consip Framework Contract", special physical security measures were also adopted. "At the same time, all staff were urged not to use all the agency IT tools and not for personal purposes, as per the ICT Regulations";

- finally, 'further investigations carried out have not revealed any negative consequences, which seem highly unlikely, with regard to the possible improper use of personal data of both employees and outsiders'.

With regard to some aspects not yet clarified, in response to the request for information sent by the Office, pursuant to art. 157 of the Code, on XX (prot. no. XX), ARPAC provided the requested feedback, with notes of XX and XX (respectively, prot. no. XX and XX):

- enclosing a copy of the notices of infringement sent to the persons concerned pursuant to Articles 33 and 34 of the Regulation (dated XX);

- producing the "self-declaration of the employees concerning the voluntary storage of their personal data on the hard disk" (dated XX), in which they acknowledge "the improper use of the data and the damage that could be caused by it";

- confirming that the aforementioned physical security measures had been put in place;

- describing the 'implementation of the security measures that the SINF Service has intended to adopt, with particular reference to the aspects concerning the analysis of the risks and the measures envisaged to eliminate or at least mitigate them', which is currently in progress;

- transmitting, by courier, a CD containing "a copy of the Test Reports relating to the year XX in .pdf format and a copy of the respective spreadsheets in excel format (work sheets), contained in the Hard Disk object of subtraction, as clear evidence that the same do not contain personal data relating to criminal convictions and offences or to related security measures, referred to in Article 10 of the Regulation";

- finally, communicating the request made to the Command of the Carabinieri, aimed at acquiring information about the possible developments of the investigations started on the matter.

3. Outcome of the investigation.

Article 5(1)(f) of the Regulation lays down the principle of integrity and confidentiality, according to which personal data shall be 'processed in a way that ensures appropriate security of personal data, including protection, by appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage'.

In implementation of this principle, the subsequent art. 32 states that "Having regard to the state of the art and the cost of its implementation, and having regard to the nature, subject-matter, context and purposes of the processing, as well as to the risk of varying degrees of likelihood and severity to the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which shall include, inter alia, where appropriate: (a) pseudonymisation and encryption of personal data; (b) the ability to ensure, on a permanent basis, the confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore in a timely manner the availability of and access to personal data in the event of a physical or technical incident; (d) a procedure to regularly test, verify and evaluate the effectiveness of technical and organisational measures to ensure the security of processing" (para. 1) and that "In assessing the appropriate level of security, special consideration shall be given to the risks presented by the processing, resulting in particular from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (para. 2).

The case in question concerns, therefore, a personal data breach, meaning a "breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorised disclosure of or access to the personal data transmitted, stored or in any case processed" (art. 4, no. 12, of the Regulation), since there has been "an unlawful removal and possible unauthorised disclosure of the data contained on the external hard disk", as notified by ARPAC to this Authority pursuant to art. 33 of the Regulation.

With regard to the aforementioned legal framework, it emerged that the reported personal data breach was made possible by the absence of the necessary measures to ensure a level of security appropriate to the risk, as required by Article 32 of the Regulation. Indeed, the documentation on file shows that the following had not been adopted:

- the measures necessary to ensure continuity, on a permanent basis, and the restoration of the availability of the stolen personal data, since ARPAC itself acknowledged that the backup operations were not successful and therefore, even considering only the data recorded up to XX, "the data [have] almost all been irreparably lost";

- techniques capable of ensuring the non-identifiability of the data subjects to whom the personal data contained in the device referred, in order to limit the risk of their consultation by persons not duly authorised (such as pseudonymisation or encryption of data), also taking into account that any employee could have access to the premises where the stolen device was kept;

- procedures for regularly testing, verifying and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.

The arguments put forward by the data controller in its defence refer to the measures adopted after the episode that caused the loss of the hard disk, or in any case in the course of preparation at that time. The initiatives described, although worthy of consideration in the terms that will be set out below, do not eliminate the fact that, at the time when the loss of the device containing the personal data occurred, adequate technical and organisational measures had not been adopted to ensure protection against unauthorised or unlawful processing or loss, and to ensure a level of security appropriate to the risk.

For these reasons, on the basis of the elements acquired and the facts that emerged during the preliminary investigation, it is established that ARPAC, in relation to the facts under examination at the time of the loss of the hard disk, was responsible for the violation of Articles 5(1)(f) and 32 of the Regulation.

4. Conclusions.

In the light of the aforementioned assessments, taking into account the statements made by the data controller in the course of the preliminary investigation - for the truthfulness of which one may be called to account pursuant to Article 168 of the Code - it should be noted that the elements provided by the data controller in the defence briefs, as well as those provided following the subsequent request for information, although worthy of consideration, do not overcome the findings notified by the Office with the act initiating the procedure and are insufficient to allow the closure of the proceedings, since none of the cases provided for by Article 11 of the Regulation of the Garante no. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by ARPAC is noted, for not having adopted adequate technical and organisational measures to ensure protection against unauthorised or unlawful processing or loss, and to ensure a level of security appropriate to the risk, in breach of Articles 5(1)(f) and 32 of the Regulation.

Violation of the aforementioned provisions makes the administrative sanction provided for by Article 83, paragraph 5, of the Regulation applicable, pursuant to Articles 58, paragraph 2, letter i), and 83, paragraph 5, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (Articles 58(2)(i) and 83 of the Regulation; Article 166(7) of the Code).

Pursuant to Articles 58(2)(i) and 83 of the Regulation, as well as Article 166 of the Code, the Guarantor has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, within this framework, "the Board [of the Guarantor] shall adopt the injunction, whereby it shall also order the application of the accessory administrative sanction of its publication, in full or in extracts, on the website of the Guarantor pursuant to Article 166(7) of the Code" (Article 16(1) of the Garante's Regulation No. 1/2019).

In this regard, taking into account Article 83, paragraph 3, of the Regulation, in the case at hand, the violation of the cited provisions is subject to the application of the same pecuniary administrative sanction provided for by Article 83, paragraph 5, of the Regulation.
The amount of the fine imposed must be determined on the basis of the circumstances of each individual case, taking due account of the factors referred to in Article 83(2) of the Regulation.

In relation to the aforementioned elements, it was also considered that the violation concerned personal data which, in terms of quality and quantity, were not particularly important - moreover, according to what was stated, in part improperly stored by the data subjects themselves - and from which special categories of personal data and personal data relating to criminal convictions and offences, as referred to in Articles 9 and 10 of the Regulation, were excluded, and that it emerged only as a result of an allegedly criminal act carried out by persons yet to be identified (in relation to which the Agency immediately lodged a complaint with the authorities competent to ascertain any criminal liability).

Furthermore, the technical and organisational measures that the Agency declared it had already put in place on a temporary basis, and those it is in the course of putting in place, were considered favourably, as was the full cooperation shown towards the Authority in providing elements for reconstructing the event and for mitigating the possible negative effects of the violation (including the communication of the violation to the data subjects pursuant to Art. 34 of the Regulation).

On the basis of the aforementioned elements, assessed as a whole, the amount of the fine shall be set at €8,000.00 (eight thousand) for the breach of Articles 5(1)(f) and 32 of the Regulation, as an administrative pecuniary sanction deemed, pursuant to Article 83(1) of the Regulation, to be effective, proportionate and dissuasive.

Taking into account that the violation emerged in connection with conduct that may be criminal in nature, given the complaint submitted by the Agency to the competent authorities, it is also considered that the accessory sanction of the publication of this measure on the website of the Garante, provided for in Article 166, paragraph 7, of the Code and Article 16 of the Regulation of the Garante no. 1/2019, should apply.

Finally, it should be noted that the requirements of Article 17 of the Regulation of the Guarantor No 1/2019 are met.

IN LIGHT OF ALL OF THE ABOVE, THE GUARANTOR

having noted the unlawfulness of the processing carried out by the Regional Environmental Protection Agency Campania (ARPAC) for violation of Articles 5(1)(f) and 32 of the Regulation, in the terms set out in the grounds,

ORDERS

the Agenzia regionale protezione ambientale Campania (ARPAC), in the person of its legal representative pro tempore, with registered office in Naples, Via Vicinale S. Maria Del Pianto - Centro Polifunzionale, Torre 1, Tax Code 07407530638, pursuant to articles 58, paragraph 2, letter i), and 83, paragraph 5, of the Regulation, to pay the sum of EUR 8,000.00 (eight thousand) as a pecuniary administrative sanction for the violations indicated in the grounds. It should be noted that the offender, pursuant to article 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforesaid Agency, in the event of failure to settle the dispute pursuant to Article 166, paragraph 8, of the Code, to pay the sum of EUR 8,000.00 (eight thousand) in the manner indicated in the annex, within 30 days of the notification of this measure, under penalty of the adoption of the consequent executive acts pursuant to Article 27 of law 689/1981;

PROVIDES FOR

a) pursuant to Article 166, paragraph 7, of the Code and Article 16 of the Regulation of the Guarantor no. 1/2019, the publication of this measure on the website of the Guarantor, considering that the prerequisites set out in Article;

b) pursuant to Article 17 of the Regulation of the Guarantor No 1/2019, the annotation in the internal register of the Authority of the violations and measures adopted, pursuant to Article 58, paragraph 2, of the Regulation, with this measure.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree 150/2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the measure itself, or within sixty days if the applicant resides abroad.

Rome, 14 January 2021

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei