Garante per la protezione dei dati personali (Italy) - 9773950
|Garante per la protezione dei dati personali - 9773950|
|Authority:||Garante per la protezione dei dati personali (Italy)|
|Relevant Law:||Article 5(1)(e) GDPR|
Article 5(1)(a) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 24 GDPR
Article 25 GDPR
Article 37(7) GDPR
|Parties:||Comune di Orte (data controller)|
an unnamed citizen (data processor)
|National Case Number/Name:||9773950|
|European Case Law Identifier:||n/a|
|Original Source:||Garante per la Protezione dei Dati Personali (in IT)|
The municipality of Orte was fined €20,000 by the Italian DPA for operating photo-traps without adopting any compliance measures, for failing to provide information to the data subjects, and for failing to provide direct contact to their DPO.
English Summary[edit | edit source]
Facts[edit | edit source]
A citizen of Orte filed a complaint against their municipality. The municipality of Orte is the controller and the citizen is the data subject.
The controller installed photo-traps to prevent and punish illegal garbage disposal. The data subject submitted a request to the municipality under law 241/1990 for access to the surveillance system's administrative documents. The controller only gave him the supplier's (the urban cleaning company) technical offer. The data subject then filed a complaint with the DPA alleging that that (1) the municipality neglected to publish any information in the Municipal Notice Board (Albo Pretorio) and (2) he had been recorded several times.
The controller claimed that the photo-traps were installed as part of an adjudication procedure for the urban cleaning service. The controller admitted that it adopted none of the administrative acts required by Italian law in order to lawfully operate the photo-traps. A municipal regulation on camera surveillance had been drafted, but not approved, according to the controller. Furthermore, the controller admitted it had not informed the citizens of the surveillance system's installation. Moreover, no agreement relating to the processing of the data collected by the cameras was concluded with the supplier.
The controller later stated (past the deadline) that it only operated the photo-traps for a short time in order to verify their functionality. Some cameras were also installed for deterrence purposes. These cameras were not activated and did not collect data at that time. The controller eventually removed all of the cameras. The municipality claimed that they never processed any personal data aside from those collected in the testing phase, and that they never sanctioned any citizen based on the data collected through the surveillance system.
During the preliminary investigation, the DPA also found that the contact information for the municipality’s DPO were the same as the contact information for the municipality itself.
Holding[edit | edit source]
The DPA clarified that information on video surveillance systems should be provided to the data subject through a layered approach. On this point the DPA referenced the EDPB Guidelines as well as its own guidelines.
The DPA also held that the controller violated its duties of information under Article 12(1) and Article 13 by neglecting to inform the data subjects about the surveillance system, and to provide any information required under Article 13 at all.
Additionally, the DPA held that the controller violated Article 37(7), as it did not provide the DPA with direct contact information of their DPO. The DPA stated that supervisory authorities must be able to contact the DPO directly. The contact information must be specific to their DPO and distinct from the controller's. In this regard, the DPA referenced the Working Party 29 Guidelines (as well as their own guidelines on DPOs in the public sector).
The DPA fined the controller for €20,000 and ordered it to provide new and direct contact information of their DPO.
Comment[edit | edit source]
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web n. 9773950] Injunction order against the Municipality of Orte - 7 April 2022 Record of measures n. 119 of 7 April 2022 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary; GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / CE, "General Data Protection Regulation" (hereinafter, "Regulation"); GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46 / EC (hereinafter the "Code"); GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette n. 106 of 8 May 2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019"); Having seen the documentation in the deeds; Given the observations made by the secretary general pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n. 1098801; Speaker Dr. Agostino Ghiglia; WHEREAS 1. Introduction. With a complaint submitted pursuant to art. 77 of the Regulation, a citizen complained about the installation in the territory of the Municipality of Orte (hereinafter, the "Municipality") "of video / audio devices likely compatible with the camera traps that are normally used for the repression of illicit offenses waste disposal ”, although“ no document on the subject [has] appeared published in the Praetorian Register [of] the Municipality (use of camera traps, information signs, reason for data collection, management of the same, etc…) ”. The complainant, “not knowing […] the motivation for these positions, and having […] been videotaped several times […] [has, moreover,] presented a formal request for access to the documents [pursuant to l. 241/1990] ", having obtained from the Municipality only" a photocopy of the technical offer that the company supplying the camera traps delivered to the municipality [...] at the time of the contract award ". 2. The preliminary activity. With a note of the XX (prot. No. XX), the Municipality, in response to a request for information from the Guarantor (note prot. No. XX of the XX), stated, in particular, that: "The supply, activation and installation of camera traps, to be used for the repression of illegal waste disposal crimes, constituted an improved offer for the company awarded the urban hygiene service [...]"; "This instrumentation is provided and delivered to the competent office. Nevertheless, for the purpose of activating them, having consulted the competent offices, and precisely the Heads of the Environment Service and the Local Police Service, they found the absence of acts or measures prodromal to the start of preventive and repressive activities "; "In particular, for the purposes of activating the service, the following have not yet been adopted or approved: the municipal regulations on video surveillance, in the version that specifically includes the use of camera traps or similar equipment. On the matter, [...] the draft Regulation, already prepared by the Local Police Service, was sent to the competent Commission which, at the time of approval of the motion of no confidence in the Mayor [...], which took place with City Council resolution no. 1 of 07.04.2021, with consequent forfeiture of the entire City Council, had not yet examined it [...] "; initiatives relating to the effective start-up of the service and [a] the guarantees related to it (affixing information signs, drafting and affixing information on the processing of personal data to be made to the interested parties, entrusting itself of operational roles regarding the processing of data in favor of the provider of the urban hygiene service), and therefore to date the [Municipality] is unable to provide any information regarding the date and number of uses of the tools referred to in the request in question, given the failure to officially start the service; "There is no [...] element indicative of any sanctions imposed to the detriment of citizens as a result of the use of the aforementioned instrumentation". During the investigation, it also emerged that the contact details of the data protection officer ("DPO") designated by the Municipality, communicated to the Guarantor pursuant to art. 37, par. 7, of the Regulations, substantially coincide with those of the same Municipality (or “email@example.com” and “firstname.lastname@example.org”). With a note of the XX (prot. No. XX), the Office, on the basis of the elements acquired, the verifications carried out and the facts that emerged as a result of the investigation, notified the Municipality, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, para. 1, lett. a) and e), and 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28 and 37, par. 7, of the Regulations, inviting the aforementioned holder to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of l. November 24, 1981, n. 689). Following this note, the Municipality, although well beyond the deadline indicated by the Authority, presented a defense brief (note prot. No. XX of the XX), declaring, in particular, that "following the award of the waste service on the part of the [supplier company], the same provided camera traps as an improvement to the tender offer. The aforementioned camera traps were initially mounted to verify their effective operation, after which in the absence of a specific regulation for the activation of the monitoring service in the municipal area, they were occasionally allocated in some points without a card and battery as a form of deterrence. In the last period, the same have been definitively dismantled and are lying in the municipal premises ". 3. Outcome of the preliminary investigation. 3.1. Accountability, data protection by design and by default, and retention limitation. The processing of personal data by means of video surveillance systems by public subjects is generally allowed if it is necessary to fulfill a legal obligation to which the data controller is subject or for the execution of a task of public interest or connected to the exercise. of public powers vested in the same (art. 6, par. 1, lett. c) and e), and 3, of the Regulation, as well as 2-ter of the Code; cf. par. 41 of the "3/2019 Guidelines on the processing of personal data through video devices", adopted by the European Data Protection Committee on 29 January 2020). The data controller is required, in any case, to comply with the principles of data protection, including that of "lawfulness, correctness and transparency" and "limitation of storage", on the basis of which personal data must be "Processed in a lawful, correct and transparent manner towards the interested party" and "kept in a form that allows identification of the interested parties for a period of time not exceeding the achievement of the purposes for which they are treated" (Article 5, paragraph 1, letters a) and e), of the Regulation). The data controller, as the subject on whom the decisions regarding the purposes and methods of processing the personal data of the interested parties fall, bear a "general responsibility" for the treatments put in place (cons. 74 of the Regulation). On the basis of the principle of "accountability", it is, in fact, competent for compliance with the principles of data protection (Article 5, paragraph 1, of the Regulation) and must be able to prove it (Article 5, paragraph 2) , of the Regulation). This also by putting in place adequate technical and organizational measures to guarantee, and be able to demonstrate, that the processing is carried out in accordance with the Regulation (Article 24, paragraph 1, of the Regulation). In particular, in consideration of the risk incumbent on the rights and freedoms of the data subjects, the data controller must - "from the design stage" and "by default" (Article 25 of the Regulation) - adopt adequate technical and organizational measures to implement the principles of data protection, integrating into the processing the necessary guarantees to meet the requirements of the Regulation and protect the rights and freedoms of the data subjects (see "Guidelines 4/2019 on article 25 - Data protection by design and for default setting ", adopted by the European Data Protection Board on 20 October 2020, spec. points 42, 44 and 49). This obligation “applies [also] to […] the retention period […]” of the data (Article 25, paragraph 2, of the Regulation). In the present case, at the outcome of the investigation, it emerged that the Municipality - although for the sole purpose of testing the functioning of some so-called "Camera traps" to combat the phenomenon of illegal waste abandonment - has processed personal data of the subjects taken by the latter, without, however, taking "acts or measures prodromal to the start of preventive and repressive activities". The Municipality, having not adopted any organizational act in relation to the use of the aforementioned video devices and having not made any determination regarding the protection of personal data before starting the processing of the personal data in question, has consequently not adopted technical and organizational measures adequate measures aimed at effectively implementing the basic principles on data protection and, during the investigation, did not prove that they had respected them (not even having been able to "provide any information regarding the date, and the number of uses of the tools referred to in the request in question "), acting in a manner that does not comply with the principle of accountability, in violation of art. 5, par. 2 (in conjunction with art. 24, paragraphs 1 and 2) of the Regulation. It was therefore not ensured, both at the time of determining the means of processing and during the processing itself, that the protection of personal data was integrated into the processing from its design and by default during the entire life cycle of the data. , "Incorporating [d] or in the processing the measures and guarantees adequate to ensure the effectiveness of the data protection principles, the rights and freedoms of the data subjects" and making sure that "[was] carried out by default only the processing strictly necessary to achieve the specific and lawful purpose ", also with regard to the data retention period," at all stages of the design of the processing activities, including contracts, tenders, outsourcing, development, support, maintenance, testing, storage, cancellation, etc. " ("Guidelines 4/2019 on article 25 - Data protection by design and by default", cit.), In violation of art. 25 of the Regulation. Consequently, the Municipality has not even taken steps to identify in a certain and documented manner the maximum retention times of the images taken by the video devices in question, in violation of art. 5, par. 1, lett. e), of the Regulations. 3.2. Information for interested parties. In compliance with the principle of "lawfulness, correctness and transparency" (Article 5, paragraph 1, letter a), of the Regulation, the data controller must take appropriate measures to provide the interested party with all the information referred to in Articles. 13 and 14 of the Regulations in a concise, transparent, intelligible and easily accessible form, in simple and clear language (see Article 12 of the Regulations). When video surveillance systems are used, the data controller, in addition to making the first level information by affixing warning signs near the area subject to video surveillance, must also provide the interested parties with "second level information", which must "Contain all the mandatory elements pursuant to Article 13 of the [Regulation]" and "be easily accessible for the interested party" ("Guidelines 3/2019 on the processing of personal data through video devices", cit., In particular par . 7; but see already the "Provision on video surveillance" of the Guarantor of 8 April 2010, web doc. N. 1712680, in particular par. 3.1; see FAQ n. 4 of the Guarantor on video surveillance, doc. . web n. 9496574). The first level information (warning sign) "should communicate the most important data, for example the purposes of the processing, the identity of the data controller and the existence of the rights of the data subject, together with information on the most significant impacts of the processing "(" Guidelines 3/2019 on the processing of personal data through video devices ", cit., par. 114). In addition, the signs must also contain information that may be unexpected for the person concerned. This could be, for example, the transmission of data to third parties, in particular if located outside the EU, and the retention period. If this information is not indicated, the interested party should be able to trust that there is only real-time surveillance (without any data recording or transmission to third parties) (ibidem, cit., Par. 115). The first level warning signs must also contain a clear reference to the second level of information, for example by indicating a website on which the text of the extended information can be consulted. The first level information should be positioned in such a way as to allow the interested party to easily recognize the circumstances of the surveillance, before entering the monitored area (approximately at eye level). It is not necessary to reveal the location of the camera, as long as there are no doubts about which areas are subject to surveillance and the context of surveillance is unambiguously clarified. The interested party must be able to estimate which area is covered by a camera in order to avoid surveillance or adapt their behavior, where necessary (ibidem, cit., Par. 113). In the present case, the Municipality has not, however, adopted any measures to provide information on the processing of personal data to data subjects subjected to video surveillance, having neither affixed signs containing first-level information near the video surveillance areas nor placed complete information on the processing of personal data is available (for example, by publishing it on its institutional website), in violation of articles 5, par. 1, lett. a), 12, par. 1, and 13 of the Regulations. 3.3. The contact details of the data protection officer. With regard to the figure of the DPO, the legislation on the protection of personal data provides that the data controller must communicate the contact details of the DPO to the supervisory authority (see Article 37, paragraph 7 of the Regulation). Given that the Municipality has communicated to the Guarantor, as the contact details of its DPO, the addresses "email@example.com" and "firstname.lastname@example.org", it should be noted that such data cannot be considered suitable for allowing direct communication between the Authority and the DPO. As, in fact, clarified by the Guarantor, the data controllers must "make available, both to the public and to the Authority, an ad hoc" institutional "box specifically assigned to the DPO alone, avoiding the use of boxes that are directly expression of the data controller (for example, because they refer to the "administration", the "secretariat" or the "protocol") "; moreover, also in order to be "effectively independent in the exercise of his functions (as required by cons. 97 of the Regulation)", the DPO must be able to be "contacted through channels that lead directly to him, without the intermediation of offices belonging to the owner "(" Guidance document on the designation, position and duties of the Data Protection Officer (RPD) in the public sphere "attached to the provision. April 29, 2021, no. 186, web doc. no. 9589104; see also the" Guidelines on data protection officers ", adopted by the European Data Protection Committee on 13 December 2016, as amended and adopted on 5 April 2017, in particular par. 2.6, which states that" these provisions [of the Regulation ] aim to ensure that both the data subjects (inside or outside the body / body responsible for the processing) and the supervisory authorities can contact the DPO easily and directly without having to contact to another structure operating at the owner / manager of the treatment "and that" confidentiality is also of equal importance "). The communication to the Authority, by the Municipality, of the contact details of the DPO, coinciding with their institutional contact details, therefore constitutes a violation of art. 37, par. 7, of the Regulations, as the data controller has not communicated any specific contact data of the DPO to the Authority but only those of the entity. This, also taking into account that, in the present case, since the DPO is a legal person external to the organization of the owner, the choice of the Municipality to allow the Authority to contact the aforementioned figure only indirectly, through a mailbox attributable to itself, and, therefore, without the possibility of providing an ad hoc communication channel, in line with the position of autonomy that the Regulations assign to the DPO. 4. Conclusions. In light of the aforementioned assessments, it is noted that the statements made by the data controller during the investigation ˗ the truthfulness of which one may be called to respond pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow to overcome the findings notified by the Office with the act of initiating the procedure and are insufficient to allow the filing of this proceeding, however, none of the cases provided for by the 'art. 11 of the Guarantor Regulation n. 1/2019. Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality, for having processed personal data using video devices, in violation of Articles 5, para. 1, lett. a) and e), and 2 (in conjunction with art. 24), 12, par. 1, 13, 25, and 37, par. 7, of the Regulation. Limited to the alleged violation of art. 28 of the Regulation, on the other hand, the filing must be arranged, given that, as part of the related investigation launched against the company supplying the video devices used by the Municipality, it stated that "it does not carry out, nor has it ever carried out, for account of the Municipality of Orte any processing operation of the data collected with the use of camera traps ", having" never entered into any agreement with the Municipality of Orte concerning the management of camera traps, nor therefore on the protection of data collected independently by the Local Authority, through the use of the camera traps provided "(note of the XXth). The violation of the aforementioned provisions makes the administrative sanction provided for by art. 83, par. 5, of the Regulation, pursuant to art. 58, par. 2, lett. i), and 83, par. 3, of the same Regulation. 5. Corrective measures (art. 58, par. 2, letter d), of the Regulation). Art. 58, par. 2, lett. d), of the Regulation provides that the Guarantor has the corrective powers to "order the data controller or the data processor to conform the treatments to the provisions of this regulation, if necessary, in a certain manner and within a certain term". Taking note of what emerged during the investigation phase and taking into account the fact that, despite the specific invitation addressed by the Authority to the Municipality, the latter did not communicate to the Authority the specific contacts of its DPO, other than the institutional contact details of the Municipality, it is necessary, pursuant to the aforementioned art. 58, par. 2, lett. d) of the Regulations, to order the latter to communicate these specific contact details of the DPO to the Authority, in accordance with the provisions of art. 37, par. 7, of the Regulation. Pursuant to art. 58, par. 1, lett. a), of the Regulation and 157 of the Code, the Municipality will have to communicate to this Authority, providing an adequately documented feedback, within thirty days from the notification of this provision, the initiatives undertaken in order to implement the aforementioned injunction pursuant to cited art. 58, par. 2, lett. d), of the Regulation. 6. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. I and 83 of the Regulation; art. 166, paragraph 7, of the Code). The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations as well as art. 166 of the Code, has the power to "inflict a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case "and, in this context," the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019). In this regard, taking into account art. 83, par. 3, of the Regulations, in this case the violation of the aforementioned provisions is subject to the application of the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation. The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the elements provided for by art. 83, par. 2, of the Regulation. In relation to the aforementioned elements, the high degree of responsibility of the data controller was considered, who essentially failed to consider the data protection profiles underlying the processing in question, before carrying out the same. Furthermore, the owner provided little collaboration with the Authority during the investigation, providing information and elements characterized by vagueness and imprecision, well beyond the assigned deadlines and processed the personal data of a large number of interested parties, although during a period of time that is not particularly extended. On the other hand, it was taken into consideration that the Municipality declared, albeit without providing precise time references, that it had made a limited use of the so-called camera traps, for the sole purpose of testing their operation, of having subsequently occasionally placed the devices on their territory, without card and battery, as a form of deterrence, and then completely cease any use of the same. It was also considered that, on the basis of what emerges from the documentation on file, the Municipality has installed a number of so-called camera traps not exceeding six (see attachment to the note prot. n. XX). Finally, there are no previous relevant violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation. Due to the aforementioned elements, assessed as a whole, it is believed to determine the amount of the pecuniary sanction in the amount of € 20,000 (twenty thousand) for the violation of Articles 5, para. 1, lett. a) and e), and 2 (in conjunction with art. 24), 12, par. 1, 13, 25, and 37, par. 7, of the Regulations, as a pecuniary administrative sanction, pursuant to art. 83, paragraph 1, of the Regulation, effective, proportionate and dissuasive. Taking into account that the video surveillance activity in question involved various places in the municipal area, resulting in the processing of personal data that "allows [to detect] the presence and behavior of people in the space considered" ("Guidelines 3/2019 on processing of personal data through video devices ", par. 2.1, cit.), without the subjects being filmed being aware of this circumstance, with consequent prejudice to their rights and fundamental freedoms, it is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019. WHEREAS, THE GUARANTOR declares, pursuant to art. 57, par. 1, lett. f), of the Regulations, the unlawfulness of the processing carried out by the Municipality of Orte for violation of Articles 5, para. 1, lett. a) and e), and 2 (in conjunction with art. 24), 12, par. 1, 13, 25, and 37, par. 7, of the Regulations, within the terms set out in the motivation; ORDER to the Municipality of Orte, in the person of the pro-tempore legal representative, with registered office in Piazza Del Plebiscito, 1 - 01028 Orte (VT), C.F. 00088570569, to pay the sum of € 20,000 (twenty thousand) as a pecuniary administrative sanction for the violations indicated in the motivation. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed; INJUNCES to the aforementioned Municipality: a) in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 20,000 (twenty thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the l. n. 689/1981; b) pursuant to art. 58, par. 2, lett. d), of the Regulations, to communicate to the Authority, pursuant to art. 37, par. 7, of the Regulations, the specific contact details of the DPO designated by the Municipality, other than the contact details of the Municipality itself; c) pursuant to art. 58, par. 1, lett. a), of the Regulation and 157 of the Code, to communicate to this Authority, providing an adequately documented feedback, within thirty days from the notification of this provision, the initiatives undertaken in order to implement the above ordered pursuant to the aforementioned art. 58, par. 2, lett. d), of the Regulation. HAS the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code; the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lett. u), of the Regulations, violations and measures adopted in compliance with art. 58, par. 2, of the Regulation. Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad. Rome, April 7, 2022 PRESIDENT Stanzione THE RAPPORTEUR Ghiglia THE SECRETARY GENERAL Mattei
- EDPB Guidelines 3/2019 on processing of personal data through video devices', 29 January 2020 (version 2.0). available here
- Provvedimento in materia di videosorveglianza - 8 April 2010 , par. 3.1, available here
- 'Guidelines on Data Protection Officers', 16/EN WP 243 rev.01, 13 Dec 2016, par. 2.6. available here
- Provvedimento del 29 aprile 2021 - Documento di indirizzo su designazione, posizione e compiti del Responsabile della protezione dei dati (RPD) in ambito pubblico  (RPD) in ambito pubblico”, . available here