Garante per la protezione dei dati personali (Italy) - 9682619

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(1) GDPR
Article 5(1)(a) GDPR
Article 58(2)(i) GDPR
Article 83 GDPR
Art. 5, 7, 8 DPCM 178/2015
Art. 75 Privacy Code
Type: Investigation
Outcome: Violation Found
Decided: 27.05.2021
Published:
Fine: 120000 EUR
Parties: n/a
National Case Number/Name: 9682619
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Il Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: Paolo Cucchi

The Italian DPA (Garante) fined the Romagna local health authority €120,000 for transmitting the notification of a patient's hospitalisation for an abortion to her general practitioner, against the patient's express request that the information be obscured. The investigation revealed that the same software defect had caused such transmissions, without a legal basis, in 48 cases in total.

English Summary

Facts

Italian data protection rules in the health sector allow the creation of an electronic health record (Fascicolo Sanitario Elettronico, FSE) for each patient, collecting the relevant health documents (e.g. visit reports, hospitalisations, clinical tests). The record is available online to the data subject and can be consulted by healthcare professionals only with the data subject's explicit consent. In addition, the patient has a right of obscuration (oscuramento): selected data and documents are made visible only to the patient and to the healthcare provider that generated them. Data on voluntary termination of pregnancy are among the categories subject to heightened protection under DPCM 178/2015 and can be made visible through the record only with the patient's explicit consent.

In this case, a patient admitted to a Romagna hospital for a voluntary pharmacological termination of pregnancy asked, on a dedicated form, that the hospitalisation notification not be transmitted to her general practitioner through the regional SOLE network. The ward staff forwarded the form and the operator ticked the corresponding obscuration check box in the admission/discharge/transfer (ADT) application, but because of a software bug the application did not honour the flag and sent the notification to the GP anyway. This resulted in the disclosure of special categories of personal data without a suitable legal basis and in breach of the data subject's explicit obscuration request. The Local Health Authority of Romagna (Azienda USL della Romagna) notified the data breach to the DPA, suspended transmissions to the SOLE network until the bug was fixed, and reported that, since April 2018, the same defect had caused notifications to be sent despite an active obscuration flag in 48 cases in total, including the one notified.

Holding

The DPA held that the Local Health Authority of Romagna had processed personal data unlawfully, in violation of Article 5(1)(a) and Article 9 GDPR and Article 75 of the Italian Privacy Code, because the transmission of the hospitalisation notification for the abortion from the hospital to the general practitioner had no suitable legal basis and contradicted the patient's express obscuration request, a right expressly protected by the sectoral rules on the electronic health record (Articles 5, 7 and 8 of DPCM 178/2015). The decision's citations of Article 5 are not consistent: the reasoning refers to the lawfulness principle in Article 5(1)(a), whereas the sanction and the operative part cite Article 5(1)(f).

In setting the €120,000 fine, the DPA weighed the categories of personal data involved and the context of the violation. In particular: the Authority learned of the event through the controller's own data breach notification and received no complaints about it; the breach concerned health data of 48 data subjects, including the notifying patient's termination of pregnancy; although caused by a software error, the violations amounted to a non-episodic communication of special categories of data under Article 9 GDPR, contrary to the data subjects' express obscuration requests; there was no intent on the part of the health authority; the event occurred during the first period of application of the GDPR and was immediately addressed by both the health authority and its data processor; the health authority was fully cooperative; and the health authority had already been sanctioned by the DPA (decision of 27 January 2021, no. 36) for processing the health data of a patient admitted to the gynaecology ward.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of 20 July 2021

[doc. web n. 9682619]

Injunction order against Azienda Usl della Romagna - May 27, 2021

Register of measures
no. 211 of May 27, 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, secretary general;

GIVEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter the "Regulation");

GIVEN Legislative Decree no. 196 of 30 June 2003 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (hereinafter the "Code");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n. 1098801;

Rapporteur: Avv. Guido Scorza;

WHEREAS

1. The violation of personal data.

The Local Health Authority of Romagna (hereinafter the Company) notified the Guarantor of a personal data breach pursuant to art. 33 of the Regulation, concerning the transmission, through the regional SOLE information network, to the general practitioner (GP) of a hospital report in respect of which the data subject had exercised her right of obscuration (notification of 23.8.2019, prot. 218239). In particular, at the time of her hospitalization for voluntary pharmacological interruption of pregnancy, the data subject had explicitly requested, by filling in a specific form, that the notification relating to that hospitalization not be sent to her general practitioner.

According to the Company's statement, although the ward health worker sent the aforementioned form to the admissions office and recorded the patient's choice, due to "an error in the computer system" the notification of the data subject's hospitalization was nevertheless sent to the GP, as part of the SOLE project (Progetto SOLE), which the patient had joined in 2011.

2. The preliminary activity.

In relation to the aforementioned breach notification, the Office requested information from the Company with a note dated 4.10.2019, prot. no. 33741, to which the Company replied with a note dated 11.10.2019, prot. no. 263042, stating in particular that:

"At the time of hospitalization, which took place on the 20th, the patient asked, by filling in a specific form, that the ADT (admission, discharge and transfer) data concerning the voluntary pharmacological interruption of pregnancy not be transmitted via the SOLE network to her GP";

"The application provided by Engineering Ingegneria Informatica S.p.A. for data transmission to the SOLE network has a check box that is flagged by the operator when the patient requests obscuration"; however, "due to a bug in the software provided by Engineering Ingegneria Informatica S.p.A., the software itself did not acknowledge the selection of the flag: consequently the notification message of the hospitalization was sent to the GP";

from 3 August 2019, pending resolution of the aforementioned problem, "the notifications to be sent to the Sole Network" were interrupted;

the resolution of the problem that caused the aforementioned event was carried out on 26/09/2019 and "the replicability of the violation" is excluded;

the company Engineering Ingegneria informatica S.p.a., which "manages the software for acceptance, discharge, transfer (ADT)", "has been designated external data processor";

following some checks, it emerged that "since April 2018 there have been only 48 cases (out of a population range of 1,126,000 residents, in addition to the exponential summer growth) in which transmission to the GP has been received despite the activation of the flag ";

it was "planned to put in place a procedure for periodic checks on the correct functioning of the software in similar cases where there are requests for obscuration".

The Office, with deed no. 44223 of 17/12/2019, notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulation, inviting the data controller to produce defence briefs or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24/11/1981).

In particular, the Office, in the aforementioned deed, stated that, on the basis of the elements acquired and the facts that emerged from the investigation, the Company, by transmitting to the general practitioner the notification of the data subject's hospitalization for voluntary pharmacological interruption of pregnancy, had communicated data relating to health without a legal basis and contrary to an explicit request for obscuration made by the data subject, a request expressly protected by the sector regulations (articles 5, 7 and 8 of DPCM no. 178/2015), and therefore in violation of art. 75 of the Code, art. 9 of the Regulation and the principle of lawfulness of processing (art. 5, paragraph 1, letter a) of the Regulation).

With a note dated January 16, 2020 (prot. No. 12393), the Company sent its defense briefs, in which additional elements were represented and, in particular, that:

- "the violation of the patient's special-category data consisted in the undue access to that data by a single identified third party, namely the patient's general practitioner who, consistently with the deontological obligations to which he is subject, is bound by professional secrecy in relation to the information he has become aware of in the performance of his healthcare functions. In fact, as he is subject to the prohibition of disclosure of news and information relating to the state of health of his patients, he could not give rise to an indiscriminate dissemination of such information, nor, moreover, to a communication of it without justification. Furthermore, due to the functions entrusted to him, it is not considered likely that the patient's general practitioner could actually adopt conduct causing actual discrimination or damage to the patient's reputation, for which, conversely, he would be ethically responsible";

- "on 15/05/2018, and therefore before the effective applicability of EU Reg. 679/2016, [the Company] sent Engineering Ingegneria Informatica S.p.A. (hereinafter also referred to only as "Engineering") a specific PEC with the subject "compliance with privacy by design of your software applications, subject to a contract with this Company", aimed at requesting the status of compliance of said applications with the Regulation";

- "the Company immediately took action with a temporary solution, in order to exclude other cases of communication of obscured data to SOLE. In consideration of the urgency of the intervention and of the need to activate an immediate solution with a low organizational impact, following a meeting with the Engineering company it was decided to inhibit transmission to SOLE whenever the field was flagged".
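The failure described in the Company's submissions (an operator-set obscuration flag that the transmission software did not honour), the interim fix (suppress transmission whenever the flag is set) and the planned periodic check on the software's behaviour are illustrated below in Python as an added example. The code is not taken from the decision, nor from the Company's or Engineering's ADT application or the SOLE network; every record format, field name and log line is a constructed assumption.

```python
"""Fail-closed gate for forwarding ADT notifications to a regional network, plus
a reconciliation check that finds notifications sent despite an obscuration
request. Hypothetical example: schemas and log format are assumptions."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set


class Obscuration(Enum):
    """State of the patient's obscuration request as recorded by the ward operator."""
    NOT_REQUESTED = "not_requested"
    REQUESTED = "requested"
    UNKNOWN = "unknown"  # flag absent or unreadable: treated like REQUESTED


def parse_flag(raw: Optional[str]) -> Obscuration:
    """Map the stored form value to an Obscuration.

    Only exact, known spellings are accepted; anything else is UNKNOWN so that a
    value the software does not recognise can never be read as "not requested".
    """
    if raw is None:
        return Obscuration.UNKNOWN
    value = raw.strip().lower()
    if value in {"y", "yes", "1", "true"}:
        return Obscuration.REQUESTED
    if value in {"n", "no", "0", "false"}:
        return Obscuration.NOT_REQUESTED
    return Obscuration.UNKNOWN


@dataclass(frozen=True)
class AdtEvent:
    """Hypothetical admission/discharge/transfer event (not the real ADT schema)."""
    episode_id: str
    gp_id: str
    enrolled: bool  # patient has joined the network and consented to sharing
    obscuration: Obscuration


@dataclass(frozen=True)
class Decision:
    episode_id: str
    transmit: bool
    reason: str


def decide(event: AdtEvent) -> Decision:
    """Fail-closed gate: transmit only if every precondition is affirmatively met."""
    if not event.enrolled:
        return Decision(event.episode_id, False, "patient not enrolled")
    if event.obscuration is Obscuration.REQUESTED:
        return Decision(event.episode_id, False, "obscuration requested")
    if event.obscuration is not Obscuration.NOT_REQUESTED:
        return Decision(event.episode_id, False, "obscuration flag unreadable")
    return Decision(event.episode_id, True, "ok")


# Periodic reconciliation: compare what the outbound interface actually sent with
# the obscuration requests on file. The log format is constructed for this example.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>SENT|SUPPRESSED) episode=(?P<episode>\S+) gp=(?P<gp>\S+)$"
)


def reconcile(log_text: str, obscured_episodes: Set[str]) -> List[str]:
    """Return episode ids that were SENT although obscuration had been requested."""
    leaked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable transmission log line: {line!r}")
        if m["action"] == "SENT" and m["episode"] in obscured_episodes:
            leaked.append(m["episode"])
    return leaked


# Constructed sample data: two obscuration requests and four outbound log lines.
OBSCURED = {"EP-1001", "EP-1003"}
TRANSMISSION_LOG = """\
2019-08-20T10:14:03 SENT episode=EP-1001 gp=GP-77
2019-08-20T11:02:19 SENT episode=EP-1002 gp=GP-12
2019-08-21T09:30:41 SENT episode=EP-1003 gp=GP-77
2019-08-21T09:31:05 SUPPRESSED episode=EP-1004 gp=GP-03
"""

if __name__ == "__main__":
    events = [
        AdtEvent("EP-2001", "GP-77", True, parse_flag("no")),
        AdtEvent("EP-2002", "GP-77", True, parse_flag("yes")),
        AdtEvent("EP-2003", "GP-12", True, parse_flag("")),     # unreadable flag
        AdtEvent("EP-2004", "GP-03", False, parse_flag("no")),  # not enrolled
    ]
    for d in (decide(e) for e in events):
        print(d.episode_id, "TRANSMIT" if d.transmit else "SUPPRESS", d.reason)
    print("sent despite obscuration:", reconcile(TRANSMISSION_LOG, OBSCURED))
```

The gate refuses to transmit on any state it cannot positively confirm, which is the opposite of the behaviour the Company reported (a ticked box silently ignored). The reconciliation function is the kind of periodic check the Company said it planned: run over the interface's transmission log against the obscuration requests on file, it returns the episodes that leaked, so a defect like the one that produced 48 cases over sixteen months would be detected at the first run rather than at the next breach notification.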

3. Outcome of the preliminary investigation.

Having taken note of what is represented by the Company in the documentation in deeds and in the defense briefs, it is noted that:

1. in the health field, information on the state of health may be communicated only to the data subject, and may be communicated to third parties only on the basis of a suitable legal basis or at the indication of the data subject, following the latter's written delegation (art. 9 of the Regulation and art. 83 of the Code, in conjunction with art. 22, paragraph 11, of Legislative Decree no. 101 of 10 August 2018);

2. the Code provides that "the processing of personal data carried out for the purpose of protecting the health and physical safety of the data subject (...) must be carried out (...) in compliance with the specific sector provisions" (art. 75, "Specific conditions in the health sector", of the Code). With specific reference to the case in question, it is noted that "the SOLE network, by collecting each patient's personal health documents, generates the personal electronic health record, which can be consulted online in a secure and confidential form by those who wish to do so and give formal consent" (see https://www.progetto-sole.it/pubblica). The sector legislation therefore applies, and in particular art. 12 of Decree-Law no. 179/2012, which established the electronic health record, whose implementation is currently governed by Prime Ministerial Decree (DPCM) no. 178/2015 (Regulation on the electronic health record, FSE), on which the Authority gave its opinion (Opinion of 22/5/2014, web doc. no. 3230826). That implementing regulation defines as "data subject to greater protection of anonymity" the health and social-health information and documents governed by the legal provisions protecting, among others, women who undergo voluntary termination of pregnancy (art. 5). These types of data can be made visible through the FSE "only with the explicit consent of the patient", and the regulation provides that "it is the responsibility of the professionals or health workers who provide the service to acquire the explicit consent of the patient" (art. 5, paragraph 2). The regulation also establishes that "the patient has the right to request the obscuration of health and social-health data and documents both before and after they are fed into the FSE, ensuring that they can be consulted only by the patient and by the controllers who generated them" (art. 8);

3. the transmission, through the regional SOLE programme, to the general practitioner of the notification of the data subject's hospitalization for voluntary pharmacological interruption of pregnancy resulted in a communication of data relating to the health of the data subject without a suitable legal basis and contrary to an explicit obscuration request made by the data subject;

4. the software problem that generated the event under examination also caused, in the period between April 2018 and August 2019, in 48 cases, the general practitioners of data subjects to receive notifications of health documents in respect of which the data subjects themselves had instead requested obscuration.

4. Conclusions.

In light of the above assessments, taking into account the statements made by the data controller and the data processor during the investigation ˗ and considering that, unless the fact constitutes a more serious offence, anyone who, in proceedings before the Guarantor, declares or certifies false information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, "False statements to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor" ˗ the elements provided by the data controller in its defence briefs do not permit the findings notified by the Office in the deed initiating the procedure to be set aside, since none of the cases provided for by art. 11 of Guarantor Regulation no. 1/2019 applies.

For these reasons, the unlawfulness of the processing of personal data carried out by the Local Health Authority of Romagna, in the terms set out in the reasoning, is confirmed, for violation of articles 5, par. 2, lett. a), and 9 of the Regulation, as well as art. 75 of the Code.

In this context, considering in any case that the conduct has exhausted its effects, since the Company has declared that the procedure for resolving the problem that generated the event has been completed in such a way as to rule out its recurrence, the conditions for the adoption of corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. I and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5, par. 2, lett. f), and 9 of the Regulations and 75 of the Code, caused by the conduct put in place by the Local Health Authority of Romagna, is subject to the application of a pecuniary administrative sanction pursuant to art. 83, paragraph 5, of the Regulation also pursuant to art. 166, paragraph 2 of the Code (see letter a) with reference to the violation of articles 5 and 9 of the Regulation).

In the present case - also considering the reference contained in art. 166, paragraph 2, of the Code - the violation of the aforementioned provisions is subject to the application of the same administrative fine provided for by art. 83, par. 5, of the Regulation, which therefore applies to the present case.

It should be considered that the Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations, as well as art. 166 of the Code, has the power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case "and, in this context," the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The amount of the administrative fine, which depends on the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness set out in art. 83, par. 1, of the Regulation, in light of the elements provided for in art. 83, par. 2, of the Regulation, in relation to which it is noted that:

- the Authority became aware of the event following the personal data breach notification made by the controller itself, and no complaints or reports concerning the incident were received by the Guarantor (art. 83, par. 2, lett. a) and h) of the Regulation);

- the processing carried out by the Company concerns data revealing information on the health of 48 data subjects, including the one covered by the breach notification, which concerned information relating to a data subject's voluntary interruption of pregnancy (art. 4, par. 1, no. 15, of the Regulation and art. 83, par. 2, lett. a) and g) of the Regulation);

- the violations, even if due to a software error, resulted in a non-episodic communication of data subject to special protection, despite the data subjects having expressly stated, in the prescribed forms, that they did not want their data to be visible to third parties in their electronic health record (right of obscuration);

- the absence of any intent on the part of the Company in causing the event (art. 83, par. 2, lett. b) of the Regulation);

- the event occurred in the period of first application of the Regulation and was immediately addressed by both the Company and its data processor, followed by the identification of corrective and resolving measures (art. 5, par. 2, and art. 83, par. 2, lett. c) and d) of the Regulation);

- the Company immediately demonstrated a high degree of cooperation (Article 83, paragraph 2, letters c), d) and f) of the Regulation);

- the Company has already been the recipient of a sanctioning measure in relation to the processing of data on the health of a patient admitted to the gynecology ward (provision of January 27, 2021, no. 36) (art.83, par. 2, lett. i), of the Regulation).

On the basis of the above elements, assessed as a whole, and also taking into account the phase of first application of the sanctioning provisions pursuant to art. 22, paragraph 13, of Legislative Decree no. 101 of 10/08/2018, the amount of the pecuniary sanction provided for by art. 83, par. 5, lett. a) of the Regulation is set at € 120,000.00 (one hundred and twenty thousand) for the violation of articles 5, par. 1, lett. f) and 9 of the Regulation and art. 75 of the Code, as an administrative fine which, pursuant to art. 83, par. 1, of the Regulation, is effective, proportionate and dissuasive.

It is also considered that the ancillary sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of Guarantor Regulation no. 1/2019, should apply, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE ABOVE BEING CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Local Health Authority of Romagna, for the violation of art. 5, par. 1, lett. f) and 9 of the Regulations and art. 75 of the Code in the terms set out in the motivation.

ORDERS

pursuant to art. 58, par. 2, lett. i) and 83 of the Regulation, as well as art. 166 of the Code, the Local Health Authority of Romagna, with registered office in Ravenna, via de Gasperi, 8 - tax code / VAT number 02483810392, in the person of its pro-tempore legal representative, to pay the sum of € 120,000.00 (one hundred and twenty thousand) as an administrative fine for the violations indicated in this provision, according to the methods indicated in the annex, within 30 days of notification of this provision; the offender, pursuant to art. 166, paragraph 8, of the Code, may settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

ENJOINS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 120,000.00 (one hundred and twenty thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. . 27 of the law n. 689/1981.

DIRECTS

pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the Guarantor's website, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, May 27, 2021

PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei









   function printDiv (divIdToPrint, title)
    {
var divToPrint = document.getElementById (divIdToPrint);
var newWin = window.open ('', 'Print-Window');
newWin.document.open ();
newWin.document.write ('<html> <body onload = "window.print ()"> <img style = "width: 100%;" src = "/ o / guarante-privacy-theme / images / topdoc.gif "/> <h2 class =" internal-title "> '+ title +' </h2> '+ divToPrint.innerHTML +' </body> </html> ');
newWin.document.close ();
setTimeout (function () {newWin.close ();}, 10);
  }






SEE ALSO Newsletter of 20 July 2021



[doc. web n. 9682619]

Injunction order against Azienda Usl della Romagna - May 27, 2021

Record of measures
n. 211 of May 27, 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the Cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC, "General Data Protection Regulation" (hereinafter the "Regulation");

GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46 / EC (hereinafter the "Code");

GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n. 1098801;

Rapporteur the lawyer. Guido Scorza;

WHEREAS

1. The violation of personal data.

The Local Health Authority of Romagna (hereinafter the Company) has notified the Guarantor of a violation of personal data pursuant to art. 33 of the Regulation in relation to the transmission - through the regional Sole information network - to the general practitioner (GP) of a report with reference to which the interested party had exercised the right of obscuration (notification of 23.8.2019, prot. 218239). In particular, at the time of hospitalization for voluntary pharmacological interruption of pregnancy, the person concerned, by filling in a specific form, had explicitly requested that the notification relating to the aforementioned hospitalization not be sent to her general practitioner.

According to what was declared by the Company, although the ward health worker sent the aforementioned form to the admissions office and indicated the patient's choice, due to "an error in the computer system", the notification of hospitalization of the person concerned is was sent to the GP, as part of the "Sun Project" which the patient had joined in 2011.

2. The preliminary activity.

In relation to the aforementioned notification of violation, the Office requested information from the Company with a note dated 4.10.2019, prot. n. 33741, which was confirmed with a note dated 11.10.2019, prot. n. 263042, representing, in particular, that:

"At the time of hospitalization, which took place on the 20th, the patient asked, by filling in a specific form, that the data relating to the ADT (acceptance, discharge and transfer) concerning the intervention of voluntary interruption of the pharmacological pregnancy were not transmitted via the SOLE network to their GP ";

"The application provided by Engineering Ingegneria informatica Spa for data transmission to the Sole Network has a check box that is flagged by the operator when the patient requests the blackout", however, "due to a bug in the program of the software provided by Engineering Ingegneria informatica Spa, the software itself did not acknowledge the selection of the flag: consequently the notification message of the hospitalization was sent to the GP ”;

from 3 August 2019, pending resolution of the aforementioned problem, "the notifications to be sent to the Sole Network" were interrupted;

the resolution of the problem that caused the aforementioned event was carried out on 26/09/2019 and "the replicability of the violation" is excluded;

the company Engineering Ingegneria informatica S.p.a., which "manages the software for acceptance, discharge, transfer (ADT)", "has been designated external data processor";

following some checks, it emerged that "since April 2018 there have been only 48 cases (out of a population range of 1,126,000 residents, in addition to the exponential summer growth) in which transmission to the GP has been received despite the activation of the flag ";

it was "planned to put in place a procedure for periodic checks on the correct functioning of the software in similar cases where there are requests for obscuration".

The Office, with act no. 44223 of 17/12/2019, notified the Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulations, inviting the aforementioned holder to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, by law n. 689 of 24/11/1981).

In particular, the Office, in the aforementioned deed, represented that, on the basis of the elements acquired and the facts that emerged as a result of the investigation, the Company carried out, by transmitting to the general practitioner the notification of hospitalization for surgery voluntary pharmacological interruption of the pregnancy of the interested party, a communication of data relating to health without a legal basis and in contrast with an explicit request for obscuration made by the interested party, explicitly protected by the sector regulations (articles 5, 7 and 8 of the DPCM n. 178/2015) and, therefore, in violation of art. 75 of the Code, of art. 9 of the Regulation and of the principle of lawfulness of processing (Article 5, paragraph 1, letter a) of the Regulation).

With a note dated January 16, 2020 (prot. No. 12393), the Company sent its defense briefs, in which additional elements were represented and, in particular, that:

- "the violation of the patient's particular data consisted in the undue access to the particular data by a single identified third party, that is the patient's general practitioner who, consistently with the deontological obligations to which he is subject, is bound by professional secrecy in in relation to the information he has become aware of due to the performance of his health-care functions. In fact, as he is subject to the prohibition of disclosure of news and information relating to the state of health of his patients, he could not give rise to an indiscriminate dissemination of such information, nor, moreover, to a communication of the same without justification. . Furthermore, due to the functions that are entrusted to him, it is not considered likely that the patient's general practitioner can actually adopt conducts that cause effective discrimination or damage to the patient's reputation for which, conversely, he should be ethically responsible for it " ;

- "on 15/05/2018, and therefore before the effective applicability of EU Reg. 679/2016, [the Company] sent Engineering Ingegneria Informatica S.p.a. (hereinafter also referred to only as "Engineering") a specific PEC with the subject "compliance with privacy by design of your software applications, subject to a contract with this Company", aimed at requesting the status of compliance of said applications with the Regulation";

- "the Company immediately took action with a temporary solution, in order to exclude other cases of communication to SOLE of obscured data. In consideration of the urgency of the intervention, and of the need to activate an immediate solution with a low organizational impact, following a meeting with the Engineering company it was decided to inhibit transmission to SOLE when the field was flagged".

3. Outcome of the preliminary investigation.

Having taken note of what the Company represented in the documentation on file and in the defense briefs, it is noted that:

1. in the health field, information on the state of health may be communicated only to the data subject, and may be communicated to third parties only on the basis of a suitable legal basis or on the indication of the data subject themselves by written delegation (art. 9 of the Regulation and art. 83 of the Code, in conjunction with art. 22, paragraph 11, of legislative decree no. 101 of 10 August 2018);

2. the Code provides that "the processing of personal data carried out for the purpose of protecting the health and physical safety of the data subject (...) must be carried out (...) in compliance with the specific sector provisions" (Article 75, "Specific conditions in the health area", of the Code). With specific reference to the case in question, it is noted that "the Sole network, through the collection of the personal health documents of each patient, generates the personal electronic health record, which can be consulted online in a secure and confidential form by those who wish to and give formal consent" (see https://www.progetto-sole.it/pubblica). In view of this, reference is made to the provisions of the sector legislation and, in particular, to art. 12 of d.l. no. 179/2012, which provided for the establishment of the electronic health record, the implementation of which is currently regulated by Prime Ministerial Decree no. 178/2015 (Regulation on electronic health records - ESF), on which the Authority expressed its opinion (Opinion of 22/5/2014, web doc. no. 3230826). The aforementioned implementing regulation defined as "Data subject to greater protection of anonymity" the health and socio-health information and documents governed by the regulatory provisions that also protect women who undergo voluntary termination of pregnancy (Article 5). These types of data can be made visible through the ESF "only with the explicit consent of the assisted person". The aforementioned regulation provides that it is "the responsibility of the professionals or health workers who provide the service to acquire the explicit consent of the assisted person" (art. 5, paragraph 2). The aforementioned regulation also established that "the assisted person has the right to request the obscuring of health and socio-health data and documents both before feeding the ESF and subsequently, ensuring that they can only be consulted by the assisted person and by the controllers who generated them" (art. 8);

3. the transmission, through the regional program SOLE, to the general practitioner of the notification of hospitalization for the voluntary pharmacological termination of the data subject's pregnancy led to a communication of data relating to the health of the data subject without a suitable legal basis and in contrast with an explicit request for obscuration made by the data subject;

4. the software problem that generated the event that is the subject of the alleged violation also meant that, in the period between April 2018 and August 2019, in 48 cases, notifications of health documents for which the data subjects themselves had instead requested obscuration were transmitted to the data subjects' general practitioners.

4. Conclusions.

In light of the aforementioned assessments, taking into account the statements made by the data controller and data processors during the investigation (and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, declares or falsely certifies news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, "False statements to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor"), the elements provided by the data controller in the defense briefs do not allow the findings notified by the Office with the deed initiating the procedure to be overcome, since none of the cases provided for by art. 11 of Guarantor Regulation no. 1/2019 applies.

For these reasons, the unlawfulness of the processing of personal data carried out by the Local Health Authority of Romagna is established, under the terms set out in the motivation, for violation of Articles 5, par. 2, lett. a), and 9 of the Regulation, as well as art. 75 of the Code.

In this context, considering in any case that the conduct has exhausted its effects, given that the Company has declared that the procedure for resolving the problem that generated the aforementioned event has been completed in such a way as to exclude its replicability, the conditions for the adoption of corrective measures pursuant to art. 58, par. 2, of the Regulation are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5, par. 2, lett. f), and 9 of the Regulation and 75 of the Code, caused by the conduct of the Local Health Authority of Romagna, is subject to the application of a pecuniary administrative sanction pursuant to art. 83, paragraph 5, of the Regulation, also pursuant to art. 166, paragraph 2 of the Code (see letter a) with reference to the violation of articles 5 and 9 of the Regulation).

In the present case - also considering the reference contained in art. 166, paragraph 2, of the Code - the violation of the aforementioned provisions is subject to the application of the same administrative fine provided for by art. 83, par. 5, of the Regulation, which therefore applies to the present case.

It should be considered that the Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case" and, in this context, "the College [of the Guarantor] adopts the injunction order, with which it also decides on the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of Guarantor Regulation no. 1/2019).

The aforementioned administrative fine, imposed depending on the circumstances of each individual case, must be determined in an amount that takes into account the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1, of the Regulation, in light of the elements provided for in art. 85, par. 2, of the Regulation, in relation to which it is noted that:

- the Authority became aware of the event following the personal data breach notification made by the controller itself, and no complaints or reports on the incident were received by the Guarantor (Article 83, paragraph 2, letters a) and h) of the Regulation);

- the processing carried out by the Company concerns data suitable for revealing information on the health of 48 data subjects, including the one who was the subject of the breach notification concerning information relating to the voluntary termination of pregnancy of a data subject (Article 4, par. 1, no. 15 of the Regulation and art. 83, par. 2, letters a) and g) of the Regulation);

- the violations, even if due to a software error, resulted in a non-episodic communication of particular data subject to specific protection, despite the data subjects having expressly expressed, in the prescribed forms, the will that their data not be visible to third parties in their electronic health record (right of obscuration);

- the absence of intentional elements on the part of the Company in causing the event (Article 83, paragraph 2, letter b) of the Regulation);

- the event occurred in the period of first application of the Regulation and was immediately addressed by both the Company and its data processor, followed by the identification of corrective and resolving solutions (Article 5, par. 2 and art. 83, par. 2, letters c) and d) of the Regulation);

- the Company immediately demonstrated a high degree of cooperation (Article 83, paragraph 2, letters c), d) and f) of the Regulation);

- the Company has already been the recipient of a sanctioning measure in relation to the processing of data on the health of a patient admitted to the gynecology ward (provision of January 27, 2021, no. 36) (art.83, par. 2, lett. i), of the Regulation).

Due to the aforementioned elements, assessed as a whole, and also taking into account the phase of first application of the sanctioning provisions pursuant to art. 22, paragraph 13, of d. lgs. no. 101 of 10/08/2018, it is considered appropriate to set the amount of the pecuniary sanction provided for by art. 83, par. 5, lett. a) of the Regulation at € 120,000.00 (one hundred and twenty thousand) for the violation of Articles 5, par. 1, lett. f) and 9 of the Regulation and Article 75 of the Code, as a pecuniary administrative sanction that is, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also considered that the ancillary sanction of publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7 of the Code and art. 16 of Guarantor Regulation no. 1/2019, should be applied, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Local Health Authority of Romagna, for the violation of art. 5, par. 1, lett. f) and 9 of the Regulation and art. 75 of the Code, in the terms set out in the motivation.

ORDERS

pursuant to art. 58, par. 2, lett. i) and 83 of the Regulation, as well as art. 166 of the Code, the Local Health Authority of Romagna, with registered office in Ravenna, via de Gasperi, 8 - CF / VAT number 02483810392, in the person of its pro-tempore legal representative, to pay the sum of 120,000.00 (one hundred and twenty thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision, according to the methods indicated in the annex, within 30 days from the notification of the motivation; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 120,000.00 (one hundred and twenty thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981.

DIRECTS

pursuant to art. 166, paragraph 7, of the Code, the full publication of this provision on the website of the Guarantor, and considers that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself, or within sixty days if the applicant resides abroad.

Rome, May 27, 2021

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE SECRETARY GENERAL
Mattei