Garante per la protezione dei dati personali (Italy) - 9811361
|Garante per la protezione dei dati personali - 9811361|
|Authority:||Garante per la protezione dei dati personali (Italy)|
|Relevant Law:||Article 5 GDPR|
Article 6 GDPR
Article 9 GDPR
|National Case Number/Name:||9811361|
|European Case Law Identifier:||n/a|
|Original Source:||GPDP (in IT)|
The Italian DPA held that an educational institute violated Articles 5, 6 and 9 GDPR because it published a register concerning the scheduled leave of its employees, reasons for the leave, and health data.
English Summary[edit | edit source]
Facts[edit | edit source]
An educational institute published a circular letter on its website containing a register (in the form of an attachment) of scheduled holidays of its staff and other specific reasons of absence. This register was also published in the ‘Classeviva’ portal, which was intended for internal use and available for every staff member of the institute. The register showed information such as the names of its staff, holidays and other reasons of absence. These reasons of absence were described in synthetic formulas or acronyms. One of these acronyms was a reference to the use of benefits described in Law No. 104 (referred as '104'), which regulated benefits and guarantees for the assistance, social integration and labour integration of disabled persons or their family members. The reason for the grant of benefits was however not disclosed in this register. After the circular was published on the website and the portal, a data subject filed a complaint at the DPA.
The controller stated that every staff member had login credentials to access the ‘Classeviva’ portal. By logging in to this portal, the employee could look at the internal digital notice board, where internal communications were published. Each communication was addressed exclusively to the worker or category concerned by the communication within the portal.
The controller stated that the publication of the register on the website was caused by human error. The document was wrongly considered an ordinary bulletin and therefore published on the website, instead of only keeping it within the ‘Classeviva’ portal. Additionally, instead of providing an attachment with only a register containing staff holiday. This was the case on both the website as within the portal.
The controller acknowledged that this was an error. It held that this error occurred because of the huge pressure of communication and contact tracing requirements at the beginning of the COVID pandemic, despite adequately trained secretariat staff. The controller stated that it had acted promptly to remove the document, published it in an area only accessible to teachers and replacing it with a version without sensitive data. It also provided training for its staff after the incident and reminded its employees about the prohibition to disclose sensitive data. It was also in process of drafting a policy to limit the risks of information leaks.
The controller also stated that the data subject in question didn’t ask the controller once to remove the circular. It also stated that the circular had been downloaded eight times using the internal tool of the portal.
Holding[edit | edit source]
The DPA held that the reference to Law No. 104 in the register constituted personal data regarding health (Article 4(15) GDPR), because it can contain information about the state of health of a person.
The DPA stated that employees' personal data in this case could not be disclosed to other parties outside of two exceptions: it could be disclosed to those who are party to the employment relationship and to those who are authorised to process this data under Article 29 GDPR and 2-quaterdecies of the Code. The DPA also referred to another of its decisions (No. 146 of 5 June 2019). In this decision, the DPA held that that when personal data regarding work attendance is available to parties other than the employee, then the employer can’t specifically disclose what the reasons of absence exactly are. Not even acronyms or abbreviations can be used. The DPA stated that these explicit reasons for absence could make it possible to infer certain categories of personal data. The DPA concluded that the controller made its first error by publishing the register in the access-restricted portal. This is because the data was available to all employees and not only to authorised personnel. All the employees could not be considered authorised to process the personal data, especially because it contained health data and information regarding employment relationships. The DPA stated that the controller had therefore violated Articles 5, 6 and 9 GDPR as well as Articles 2-ter and 2-sexies of the Code.
The DPA also held that the publication of the register on the website resulted in further violations of Articles 5, 6 and 9 GDPR and Articles 2-ter and 2-sexies and 2-septies, paragraph 8, of the Code. The DPA considered that the publication of the circular on the website resulted in the dissemination of personal data including health data. The controller disseminated all this data without an appropriate legal basis.
The DPA fined the controller €4000 considering several factors, such as the sensitivity of the data in questions as an aggravating factor. The DPA considered several mitigating factors as well, such as the fact that the controller had extensively cooperated with the DPA and that the violation was caused by a material error.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web n. 9811361] Injunction order against "Edoardo Amaldi" Liceo Statale di Alzano Lombardo - 1 September 2022 Record of measures n. 290 of 1 September 2022 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary; GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / CE, "General Data Protection Regulation" (hereinafter, "Regulation"); GIVEN the legislative decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46 / EC (hereinafter the "Code"); GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in the Official Gazette n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019"); Having seen the documentation in the deeds; Given the observations made by the secretary general pursuant to art. 15 of the Guarantor Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, Doc. web n. 1098801; Rapporteur the lawyer Guido Scorza; WHEREAS 1. The complaint. With a complaint presented to the Guarantor, the publication on the institutional website of the Liceo Statale "Edoardo Amaldi" of Alzano Lombardo (BG) (hereinafter the "Institute") and, in particular, on the page https://www.liceoamaldi.edu .it / category / circulars, as well as on the "CLASSEVIVA" portal used by the Institute also with electronic register functionality, of a circular concerning the summer holidays of school collaborators containing, as an attachment, a prospectus of the holiday plan which reported, in correspondence with the own name and of other personnel, the reference to the use of the benefits deriving from the law 5 February 1992, n. 104 and, in particular, the indication "104". 2. The preliminary activity. With a note of the twentieth replying to the request for information formulated by this Authority, the Institute represented, in particular, that: - "The publication of the vacation plan for school collaborators normally takes place (...) within the restricted access area of the electronic register of the Lyceum on the" CLASSEVIVA "portal. Each worker has access credentials that allow him to view the internal digital bulletin board, in which internal communications and any other document of organizational value are published. Each communication is addressed exclusively to the worker or to the category affected by the communication itself "; - "The event object of the assessment, the existence of which is not disputed, occurred essentially due to a clerical error since the internal circular (n.XX), aimed at carrying out the survey necessary for the construction of the vacation plan, was considered as an ordinary circular (and therefore subject to publication on the page https://www.liceoamaldi.edu.it/categoria/circolari as well as on the portal of the “CLASSEVIVA” Institute). In addition, erroneously, instead of the staff vacation plan, the prospectus for internal use in the office was attached, relating to all the summer absences of ATA staff and not just vacations "; - "this oversight occurred, despite the secretarial staff being adequately trained, in a completely involuntary way due to causes attributable to the enormous pressure resulting from the need for communication and contact tracing following the COVID emergency, in an area (...) that it has been on the front line since the first moments of the pandemic, pressure which has added to the already numerous administrative tasks ”and to the reduced number of resources present in the Secretariat; - the complainant "has never, in any way and in no time, challenged the Headmaster for the publication of this deed and consequently requested its removal, so much so that the management (...) was informed only on the 20th of the request confirmation received from the same Authority and immediately removed the document from the public area "; - "through the" CLASSEVIVA "application, the overall access report for viewing the aforementioned circular was downloaded, which totaled eight". On the basis of the elements acquired, the Office notified the Institute, as data controller, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulations, as the publication on the Institute's website of the referenced circular and its annex resulted in the "dissemination" of personal data, including health related data, of the complainant and other interested parties in violation of Articles 5, 6 and 9 of the Regulation and 2-ter and 2 sexies as well as 2-septies, paragraph 8, of the Code) and the making available of the aforementioned documentation, albeit in a reserved area of the electronic register, not accessible to anyone, would have gave rise to a "communication" of personal data in violation of articles 5, 6, 9 of the Regulation and 2-ter and 2-sexies of the Code). Therefore, he invited the aforementioned owner to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code; as well as Article 18, paragraph 1, of Law no. 24/11/1981). The Institute sent its defense briefs, representing, in particular, that: - “the reason that led the employee to have recognized the benefits pursuant to Law 104/92 was not disclosed. There was therefore no publication of a real health data but only an index from which to deduce a certain disability of a person "; - "the file was published in an area of the electronic register, reserved for teachers only, in the period between 22 October and 3 November 2021; - "the writer, as seen, moved promptly in order to delete the document, published in an area accessible only to teachers, and replace it with one without sensitive data, thus limiting any negative effect of the violation, which , on the other hand, it must be remembered, it concerns a data already known by the colleagues of the interested party "; - “the staff has received adequate training in which it is recalled that sensitive data should not be disclosed unless required by law and, in any case, even in that case, it is necessary to minimize, as the Guarantor of provision no. 243 of May 15, 2014. […] all staff received a designation deed (also available on the school website) in which the absolute prohibition against disclosing sensitive data is recalled ”; - “The school, in concert with the DPO, is drafting a policy aimed at further limiting the risk of such negligent leaks of information. The use of digital stamps and different colored sheets is under consideration depending on whether the document is internal or intended for publication ". 3. Applicable law. 3.1 The regulatory framework. The personal data protection discipline provides that public subjects, even if they operate in the performance of their duties as employers, can process the personal data of workers, if the processing is necessary, in general, for the management of the employment relationship. and to fulfill specific obligations or tasks provided for by the national sector regulations (articles 6, par. 1, lett. c), 9, par. 2, lett. b), and 4, and 88 of the Regulation) or "for the performance of a task of public interest or connected to the exercise of public authority vested in the data controller" (Article 6, paragraph 1, lett e), of the Regulation). European legislation provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing, in accordance with paragraph 1, letters c) and e), by determining more precisely specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing […] ”(Article 6, par. 2, of the Regulation). In this regard, it should be noted that the processing operations consisting in the "dissemination" and "communication" of personal data are allowed only when provided for by a law or regulation or by general administrative acts (Article 2-ter, paragraphs 1 and 3 of the Code). With regard to the particular categories of personal data, the processing is, as a rule, permitted, as well as to fulfill specific obligations "in the field of labor law [...] to the extent that it is authorized by law [...] in the presence of appropriate guarantees "(Article 9, par. 2, letter b), of the Regulation), even where" necessary for reasons of significant public interest on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject "(Article 9, paragraph 2, letter g), of the Regulation), provided that the processing are "provided for by European Union law or, in internal law, by provisions of law or regulation or by general administrative acts that specify the types of data that can be processed, the operations that can be carried out and the reason for relevant public interest, as well as appropriate and specific measures to protect the fundamental rights and interests of the data subject "(art. 2-sexies, paragraph 1, of the Code). In any case, data relating to health, ie those “relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health” (art. 4, par. 1, n. 15, of the Regulation; see also cons. 35 of the same), due to their particular sensitivity, "they cannot be disseminated" (art. 2-septies, paragraph 8, and art. 166, paragraph 2, of the Code and art.9, par. 1, 2, 4, of the Regulation). The employer, the data controller, is, in any case, required to comply with the general principles regarding the protection of personal data (Article 5 of the Regulation) and must process the data through "authorized" and "trained" personnel regarding access and data processing (articles 4, point 10), 29, and 32, par. 4, of the Regulation). 3.2 The processing of personal data carried out by the Institute. As is clear from the deeds and declarations made by the data controller during the investigation as well as from the assessment made on the basis of the elements acquired following the investigation and subsequent assessments of this Department, the Institute has published, on the website institutional, and, in particular, at the address https://www.liceoamaldi.edu.it/categoria/circolari, as well as on the “CLASSEVIVA” portal, circular no. XX concerning the summer holidays of school collaborators and containing, as an attachment, a prospectus containing information relating to the absences from the service requested by individual employees, with the express indication of the specific reasons for absence (reported using synthetic formulas or acronyms, eg. "F ") Among which, in correspondence with the name of the complainant and other personnel, the reference to the fruition of the benefits deriving from the law 5 February 1992, n. 104, with the wording: "104". 3.3. The consultation of the personal data of employees in the restricted access area of the electronic register of the Lyceum on the "CLASSEVIVA" portal. With regard to the provision of the aforementioned circular and its attachment on the "CLASSEVIVA" portal, in the section accessible to all staff of the Institute, the following is highlighted. Preliminarily, in recalling that, pursuant to art. 4 paragraph 1, no. 15 of the Regulation are considered health data "personal data relating to the physical and mental health of a natural person, including the provision of health care services, which reveal information on his state of health", it should be noted that, as recently clarified from the Guarantor, also the reference to law 104, which notoriously regulates benefits and guarantees for the assistance, social and work integration of disabled people or their families, allows to obtain information on the state of health of a person ((in this regard see, lastly, provision of 28 April 2022, n. 150 web doc. n. 9777200, see also provision of 28 May 2020, n. 92, web doc. n. 9434609). As constantly clarified by the Guarantor, the personal data of employees cannot be disclosed to subjects other than those who are part of the employment relationship (see definitions of "personal data" and "interested party", contained in art. 4, paragraph 1, n. 1) of the Regulation) and who are not entitled, due to the organizational choices of the data controller and the specific tasks performed, to process the same data, as authorized personnel (Article 29 of the Regulation and 2-quaterdecies of the Code; see, definition of "third party" contained in Article 4, paragraph 1, no. 10) of the Regulation). This principle, already contained in the "Guidelines on the processing of personal data of workers for the purpose of managing the employment relationship in the public sphere" (Provision no. 23 of June 14, 2007, web doc no. 1417809, was reiterated over time by the Guarantor in the context of decisions on individual cases and, more recently, with regard to the posting of service shifts and working hours on bulletin boards or in sections of the website with restricted access and also showing data relating to health or however related to personal events of colleagues (cf. with specific reference to the school context see in particular provision no.322 of 16 September 2021, web doc. no. 9711517, as well as provisions no. 214 of 27 May 2021 doc. web. 9689234 but also see provision no.105 of 18 June 2020, web doc. 1 of Legislative Decree 10 August 2018, n. 101, n. 146, of 5 June 2019, doc. web n. 9124510, annex 1, par. 1.5. lett. d)). It should also be noted that, more generally, the Provision no. 146 of 5 June 2019 (containing the provisions relating to the processing of particular categories of data, pursuant to art.21, paragraph 1 of Legislative Decree 10 August 2018, n.101, web doc. N.9124510) establishes that "When, for reasons of work organization, and in the context of the preparation of shifts of service, data relating to attendance and absences from the service are made available to subjects other than the interested party (for example, other colleagues), the employer of work must not specify, not even through acronyms or acronyms, the reasons for the absence from which it is possible to infer the knowledge of particular categories of personal data (eg trade union permits or health data) "(see Annex 1, par. 1.5 . lett. d) prov. cit.). Although, therefore, by mistake, the provision of the document in question, containing personal data relating to the days and reasons of absence from the service of the school staff, as well as information relating to the use of the benefits of Law 104/1992, took place in a restricted access area of the electronic register of the Institute - not accessible to anyone and such as not to cause the dissemination of personal data - the knowledge of the data contained therein has in any case occurred in favor of a very large number, determined or determinable, of subjects, that is, all the colleagues of the complainant belonging to the teaching staff and not, instead, exclusively for the benefit of only the secretarial staff authorized to access and process such personal data. For these reasons, the Institute has unjustifiedly informed all employees of the periods and reasons for the absence of other colleagues, including information on personal events and relating to the health of certain workers and / or their families. In light of the foregoing considerations, the consultation on the "CLASSEVIVA" portal of the circular recalled, enclosing personal data relating to the days and reasons of absence from the service of the school staff, as well as the reference to the use of the benefits of law 104/1992 of the complainant and other colleagues - has in fact made all employees mutually aware of personal, family situations or situations relating to the specific employment relationship of each one as well as information relating to the health of certain workers and / or their family members ( see the definition of "communication" of personal data contained in Article 2-ter paragraph 4 letter a) of the Code). Considering that all school staff cannot be considered authorized to process the data in question, the provision of personal data - especially if related to health or related to events - cannot be considered compliant with the regulatory framework on data protection. linked to the individual employment relationship - of all staff in service in a generalized and indistinct way (see lastly, with reference to the processing carried out through information protocol systems, provision no.98 of 24 March 2022, web doc no. 9763051, as well as provision of 11 February 2021, no. 50 web doc. no. 9562866). For these reasons, the Institute, albeit following a mere error, has put in place a processing of personal data, in violation of Articles 5, 6, 9 of the Regulation and 2-ter and 2 sexies of the Code (in this regard see, lastly, provision of 28 April 2022, no. 150 web doc. No. 9777200). 3.4. Dissemination of employees' personal data. Given the definition of personal data and data relating to health (Article 4, points 1 and 15, of the Regulation), it is believed that the publication on the institutional website of the aforementioned circular containing, as an attachment, data also relating to the health of personnel school (use of permits pursuant to law 104/1992) has determined, albeit as a result of a mere clerical error, the dissemination of personal data relating to the days and reasons for absence from the service, as well as information relating to the use of the benefits of law 104 / 1992, in the absence of a suitable regulatory requirement and in violation of the general prohibition on the dissemination of data relating to health (of articles 5, 6 and 9 of the Regulation and 2-ter and 2 sexies as well as 2-septies, paragraph 8, of Code). With specific reference to the nature of the data being disseminated, the statement by the school cannot be considered relevant as regards the fact that "the reason that led the employee to have recognized the benefits pursuant to Law 104/92 has not been disclosed. . There was therefore no publication of a real health data but only an index from which to deduce a certain disability of a person ". So much, also in light of the consolidated orientation of the Guarantor on the basis of which the reference to law no. 104, which notoriously regulates benefits and guarantees for the assistance, social and work integration of disabled people or their families, makes it possible to obtain information on the state of health of a person (see in this regard, lastly, provision of 150 of 28 April 2022, web doc. 9777200 as well as provision of 28 May 2020, no. 92, web doc. 9434609). 4. Conclusions. In light of the aforementioned assessments, taking into account the statements made by the data controller during the investigation ˗ the truthfulness of which one may be called to answer pursuant to art. 168 of the Code ˗ it is noted that the elements provided by the data controller in the defense briefs do not allow to overcome the findings notified by the Office with the act of initiation of the procedure and are insufficient to allow the filing of this proceeding, not resorting to moreover, some of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019. Therefore, the preliminary assessments of the Office are confirmed, and the unlawfulness of the processing of personal data carried out by the Institute is noted, in violation of Articles 5, 6, 9 of the Regulation and of the articles 2-ter, 2-sexies and 2-septies, paragraph 8, of the Code. The violation of the aforementioned provisions makes the administrative sanction provided for by art. 83, par. 5, of the Regulation, pursuant to art. 58, par. 2, lett. i), and 83, par. 3, of the same Regulation and art. 166, paragraph 2, of the Code. In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of corrective measures, pursuant to art. 58, par. 2, of the Regulation. 5. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. I and 83 of the Regulation; art. 166, paragraph 7, of the Code). The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations as well as art. 166 of the Code, has the power to "inflict an administrative pecuniary sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case "and, in this context," the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code "(Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019). In this regard, taking into account art. 83, par. 3, of the Regulation, in the present case - also considering the reference contained in art. 166, paragraph 2, of the Code - the violation of the aforementioned provisions is subject to the application of the same administrative fine provided for by art. 83, par. 5, of the Regulation. The aforementioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the elements provided for by art. 83, par. 2, of the Regulation. In relation to the aforementioned elements, the particular delicacy of the personal data unlawfully processed, also relating to health, as well as to personal, family and work events relating to the complainant and to fifteen other interested parties, was considered in contrast with the indications that, for some time, the Guarantor, has provided to public and private employers with the aforementioned Guidelines and with numerous decisions on individual cases mentioned above. On the other hand, it was considered that the unlawful conduct was determined by a mere clerical error consisting in the publication on the website of the Institute as well as on the "CLASSEVIVA" portal of the "internal (...) circular, aimed at carrying out the reconnaissance necessary for the construction of the vacation plan, as well as the prospectus for internal use of the office, relating to all the summer absences of ATA staff and not just the holidays "that the Institute has taken steps, as soon as the problem is reported, to remove the personal data in question from the site web and the electronic register, also showing extensive collaboration with the Authority during the investigation of this proceeding. It was also favorably acknowledged that there are no previous relevant violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation. Due to the aforementioned elements, assessed as a whole, it is believed to determine the amount of the pecuniary sanction, in the amount of 4,000.00 (four thousand) euros for the violation of Articles 5, 6, 9 of the Regulation and 2-ter, 2-sexies as well as 2-septies, paragraph 8, of the Code, as an administrative pecuniary sanction, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive. Taking into account the nature of the data being processed, it is also believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019. Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. WHEREAS, THE GUARANTOR pursuant to art. 57, par. 1, lett. f), declares the unlawfulness of the processing of personal data carried out by the Liceo Statale "Edoardo Amaldi" of Alzano Lombardo (BG) in the terms described in the motivation, consisting in the violation of articles 5, 6, 9 of the Regulations and 2-ter, 2-sexies as well as 2-septies, paragraph 8 of the Code; ORDER pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations, as well as art. 166 of the Code, at the Liceo Statale "Edoardo Amaldi", in the person of the pro-tempore legal representative, with registered office in via Locatelli 16 - 24022 - Alzano Lombardo (Bergamo) - Tax Code 80032770168, to pay the sum of € 4,000.00 ( four thousand) as a pecuniary administrative sanction for the violations indicated in this provision. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by payment, within the term of 30 days, for an amount equal to half of the sanction imposed; INJUNCES at the Liceo Statale "Edoardo Amaldi" - without prejudice to the provisions of art. 166, paragraph 8 of the Code, to pay the sum of 4,000.00 (four thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to article 27 of law no. 689/1981; HAS the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see Article 16 of the Guarantor Regulation No. 1/2019); the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lett. u), of the Regulations, violations and measures adopted in compliance with art. 58, par. 2, of the Regulation (see article 17 of Regulation no. 1/2019). Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad. Rome, 1 September 2022 PRESIDENT Stanzione THE RAPPORTEUR Peel THE SECRETARY GENERAL Mattei