Garante per la protezione dei dati personali (Italy) - 9827446

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 9 GDPR
Article 75 of the Codice in materia di protezione dei dati personali
Type: Complaint
Outcome: Upheld
Started:
Decided: 20.10.2022
Published: 20.10.2022
Fine: 30,000 EUR
Parties: Policlinico Casilino di Roma (the controller)
National Case Number/Name: 9827446
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: n/a

The Italian DPA imposed a €30,000 fine on a clinic for requesting Covid passes from patients entering its premises without a proper legal basis.

English Summary

Facts

The Italian DPA received a report from a data subject stating that the Policlinico Casilino di Roma (the controller) exclusively permitted Covid pass holders to access its outpatient clinic.

Following this, the DPA started an investigation into the matter. It noted that this indication was also reported on the controller's website and thus requested additional information from the controller. The controller submitted that it carried out real-time measurement of body temperature and required the voluntary presentation of the patients' Covid Certification, resulting from a negative swab result (done in the previous 48 hours), to safeguard public health and safety within the hospital. However, even if the patient did not have a Covid pass, the healthcare service would still be provided in compliance with prescribed protocols. The legal basis for the processing was to be found in the (verbal) consent of the person concerned given by voluntarily exhibiting the Covid certification. The healthcare service had to ensure that such a process was communicated by web communication, posters in the structure, and/or by the operator indicating it during the service booking.

Holding

The DPA noted that the requirement that all patients going to the controller's outpatient clinics be in possession of a Covid pass lacked a proper legal basis, given that such a restriction was not provided for by the sectoral rules. Indeed, the sectoral rules did not provide for Covid certification to be required for health needs, for which access is always permitted for the procurement of drugs and medical devices and, in any event, for any purpose of medical treatment.

Moreover, the DPA pointed out that possession of the Covid certificate did not prove immunity to the virus and therefore pointed out the disproportionality of the measure adopted by the controller according to which staff were provided with specific personal protective equipment only if in contact with data subjects who did not have Covid certification. The DPA believed that this measure, together with the provision of differentiated routes for such data subjects, not only failed to comply with national indications, but also risked discriminating against them.

Further, the DPA held that the processing of data carried out through the control of Covid passes qualified as processing carried out for public health reasons and as such should find its legal basis in the specific sectoral rules (Article 9(2)(i) GDPR) and not in the consent of the data subject.

The Italian DPA held that the infringement of Article 5(1)(a) GDPR and Article 5(1)(b) GDPR and Article 9 GDPR, Article 75 of the national data protection legislation and the applicable sectoral regulations (Law no. 87/2021, Law Decree no. 44 of 01/04/2021 and Prime Ministerial Decree of 17 June 2021), caused by the conduct of the controller, was subject to the application of an administrative fine pursuant to Article 83(5) GDPR.

In view of all these elements, the Italian DPA imposed a €30,000 fine on the controller, pursuant to Article 58(2)(i) GDPR. In sanctioning the controller, the DPA took into account several aggravating factors, such as the fact that the processing, which lasted until June 2022, potentially concerned data capable of revealing information on the health of a significant number of data subjects (150,000/200,000 outpatient accesses) (Article 83(2)(a) GDPR and Article 83(2)(g) GDPR). As mitigating factors, it considered the controller's cooperation in remedying the infringement (Article 83(2)(f) GDPR) and the controller's assertion that it had acted in good faith to protect the health of patients and health professionals (Article 83(2)(k) GDPR).


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9827446]

Injunction order against the Policlinico Casilino in Rome - 20 October 2022

Register of measures
no. 356 of 20 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and Dr. Guido Scorza, members, and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196, containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/EC" (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution of the Guarantor n. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

RAPPORTEUR Prof. Ginevra Cerrina Feroni;

WHEREAS

1. The preliminary investigation.

In the month of XX, the Guarantor received a report in which a violation of the regulations on the protection of personal data was complained of in relation to the circumstance that the Policlinico Casilino in Rome (hereinafter the Policlinico) allowed access to the clinics only to those in possession of a green certification.

Following what was reported, the Office found that this indication was also reported on the website of the aforementioned hospital (https://www.policlinicocasilino.it; https://www.policlinicocasilino.it/orari-di-visita/) and therefore requested information from the aforementioned Policlinico (note of the XX, prot. n. XX), which, with a reply note of the XX (prot. n XX), represented, in particular, that:

- "Eurosanità S.p.A., for the Policlinico Casilino, carries out the real-time detection of body temperature and requests the voluntary display of the Green Certification of the patients, deriving from a negative result of the swab in the previous 48 hours, in order to safeguard the safety and public health within the hospital as well as the containment of the spread of the Covid-19 virus in the care and work environments”;

- “If the patient does not have one at the time of entering the Facility, the healthcare service is always guaranteed according to the methods indicated in the procedure "Supplementary Note n. I of the XX of the XX";

- the aforementioned "Supplementary note" provides for the following for outpatients: "Patients who do not have a green pass are provided with an additional appointment, with an invitation to present themselves with a valid green pass, after having swabbed Covid-19 in the previous 48 hours. If the patient arrives at the second appointment without a green, the service will be rendered by the healthcare staff by adopting the precautions envisaged for patients without a certain medical history";

- ”Access to the requested outpatient services was therefore not denied. The patient could have used it at different times from those of the original booking (which inevitably does not report any prior information on the patient's status to the facility), following "safe" routes, i.e. not in contact with other patients, and accompanied and managed by administrative staff, paramedics and hospital doctors equipped with the required PPE”;

- "In any case, if the patient had considered urgent medical assistance (and this despite the outpatient prescription did not specify the emergency regime), he could easily have gone to the hospital emergency room, access to which is a few tens of meters from that of the clinics”;

- "Following this, it should be noted that the Company promptly reiterated to the personnel authorized to verify the green certification, to further inform patients in order to make them understand the reasons for protecting the request for a preventive swab upon access to the hospital";

- "In the information on data processing pursuant to and for the purposes of art. 13 European Regulation 2016/679 - controls and containment measures necessary to prevent the spread of COVID-19 also by checking the Green Pass", in the documents, it is also reported that "As required by the Protocol represented above. pursuant to art. 2 entitled "Methods of entering the Company", as well as pursuant to Legislative Decree no. 127/2021 converted with Law n.165/2021 cited. and further provisions on the subject issued and to be issued, Eurosanità S.p.A, before users and patients access the premises of the Structure, will carry out the real-time detection of body temperature and request the exhibition of the Green Certification. This in order to safeguard public health and safety as well as to contain the spread of the Covid-19 virus in the workplace";

- “As regards the control of the Covid-19 green certification required under Legislative Decree no. 127/2021 (converted with Law no. 165/2021) and further provisions on the subject issued and to be issued, the legal basis of the processing is found in the (verbal) consent of the interested party expressed through voluntary exhibition of the green certification. If the patient does not have one at the time of entering the Facility, the health service will in any case always be guaranteed according to the methods indicated and disclosed by any means of web communication and billboards present in the Facility and/or declared by the operator at the time of booking the treatment. performance".

In relation to what emerged from the documentation in the records, the Office notified the Polyclinic, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, inviting the aforesaid owner to produce defense writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 11/24/1981) (note of the XX, prot. n. XX).

In this deed, the Office noted that the following was still indicated on the home page of the Policlinico website: "HOSPITAL AND OUTDOOR CLINIC ACCESS PROVISIONS. Starting from 10.15.2021, access to hospital services will be allowed after verification of: Green pass; Body temperature below 37.5°C. Patients who do not have the green pass will be provided with a further appointment to which they must present themselves with a valid green pass, after having swabbed for Covid-19", and therefore represented that the request to possess the green certification at all the patients directed to the outpatient clinics of the Policlinico lacked an appropriate legal basis given that this limitation was not envisaged by the sector regulations in force at the time of the facts complained of by the reporting party and was never provided for by the legislation adopted in the persistence of the state of emergency , thus placing itself in violation of the articles 5, par. 1, lit. a) and b) and 9 of the Regulation, of the art. 75 of the Code and sector regulations (Law No. 87/2021, Legislative Decree No. 44 of 01/04/2021 and Prime Ministerial Decree of June 17, 2021).

With a note of the XX (prot. n XX), the Policlinico sent its defense briefs, in the context of which it asked to be heard at a hearing and, in stating that the provisions subject to the investigation have currently ceased, has reaffirmed the peculiar context in which the system subject to investigation was put in place, considered, in good faith, as a necessary measure to prevent possible transmissions of infection.

On the 20th the remote hearing of the Polyclinic took place pursuant to art. 166, paragraphs 6 and 7 of the Code, in which it was further reaffirmed that "the green pass was requested on a voluntary basis, in compliance with art. 2 bis, legislative decree no. 52/20212" and that for those who did not intend to show it "the service (not having an urgent nature) was in any case usually provided even immediately or in any case in the following hours or days".

Subsequently, with a note of the XX (prot. n. XX) the Polyclinic reaffirmed what was already represented in the documents, highlighting again that "art. 2-bis, 1st paragraph, Legislative Decree 52/2021 pro tempore in force provides: "The health management of the facility is required to adopt the necessary measures to prevent possible transmission of infection"". “The Medical Director of the Polyclinic was therefore obliged to adopt measures to contain the virus. In other words, the law required the Medical Director to adopt precise prescriptions (none excluding, least of all, as far as is known, the request for voluntary display of the green pass) to stem the drama of the contagion, leaving the most appropriate and broad discretion to the Medical Directorate within the limits of available rights, in identifying the safeguards deemed most effective. In the face of this primary rule, for the purpose of mere deterrence, the Health Directorate has introduced, for access to visits, the request for a green pass, then leaving the actual presentation of the aforementioned certification to the "conscience" and will of the individual user " .

It was also represented that "For the protection of other people (other patients, staff, etc.) - as briefly represented in the introduction - those who did not show the green pass were accompanied on dedicated routes, being able to count on the performance of the service request in almost immediate times (subject to the need to obtain PPE for personnel who are not already equipped with it)". Finally, it was specified that in the clinics, "if there hadn't been the mandatory prescriptions dictated by the Medical Director, the 150,000/200,000 visits per year would have had to remain without any control".

2. Outcome of the preliminary investigation.

Having taken note of what is represented by the Polyclinic in the documentation in the deeds and in the defense briefs, it is noted that:

pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation"), personal data must be "processed in a lawful, correct and transparent manner" (principle of "lawfulness, fairness and transparency”), “collected for specified, explicit and legitimate purposes” (“purpose limitation”) (Article 5, paragraph 1, letters a) and b), of the Regulation);

Since the declaration of the state of emergency approved by the Council of Ministers on 31 January 2020, many emergency regulatory acts have been adopted, which also contain provisions relating to the processing of personal data carried out as part of the interventions relating to the aforementioned health emergency. Having said this, it should be noted that the emergency provisions adopted over the last few months provide for emergency interventions which involve the processing of data and which are the result of a delicate balance between public health needs and those relating to the protection of personal data, in compliance with the provisions of the European Regulation for the pursuit of reasons of public interest in the public health sector (see Article 9, paragraph 2, letter i), of the Regulation). Obviously, it remains understood that the processing of personal data connected to the management of the aforementioned health emergency must take place in compliance with the current legislation on the protection of personal data and, in particular, with the principles and limits applicable to the processing, pursuant to art. 5 of the Regulation partially referred to above;

the processing of data carried out through the control of green certifications therefore qualifies as a treatment carried out for public health reasons and as such finds its legal basis in the specific sector discipline and not also on the consent of the interested party (see art. 9, paragraph 2, letter i), of the Regulation);

with specific reference to the processing of data carried out through green certifications, as known, the Guarantor has given its opinion on the draft decree of the President of the Council of Ministers, which must be adopted, pursuant to art. 9, paragraph 10, of the legislative decree no. 52/2021, in agreement with the Minister of Health, the Minister for Technological Innovation and Digital Transition and the Minister of Economy and Finance, in relation to the processing of personal data, also relating to health, carried out through the Platform national digital green certificate (“National Platform-DGC”) for the issue, issue and verification of Covid-19 green certifications (EU Digital COVID Certificate, formerly Digital Green Certificate, hereinafter green certifications) (provision available on www.gpdp.it, web doc. n. 9668064; dpcm 17 June 2021). Subsequently, the Guarantor also issued its opinion on the decrees that modified the aforementioned regulations (opinion of 31 August 2022, web doc. n. 9694010; opinion of 11 October 2022, web doc. n. 9707431, opinion of 18 February 2022, web document n. 9746905). In these opinions, the Board of the Authority considered that the certifications attesting the vaccination or recovery from Covid-19 or the negative result of an antigen or molecular test cannot be considered a necessary condition to allow access to places or services or for the establishment or identification of the procedures for carrying out legal relationships except within the limits in which this is provided for by a primary-ranking rule, in the context of the adoption of the public health measures necessary for the containment of the virus SARS-CoV-2;

with reference to the present case, it should be noted that the sector regulations, also referred to on the website of the Ministry of Health and the Government during the regulatory interventions that have taken place after the entry into force of the provisions on green certifications, do not provide that green certification is required for health needs, for which access is always allowed for the supply of drugs and medical devices and, in any case, for any purpose of prevention, diagnosis and treatment (https://www.dgc.gov.it/web/per-cosa-serve.html#strutture);

to this should be added that the legislation in force at the time of the events provided that it was allowed to remain in the waiting rooms of the emergency and reception departments of the first aid departments as well as in the departments of hospitals, diagnostic entrances, specialist polyclinics only for carers of patients not affected by Covid-19, in possession of green certifications, as well as to the companions of patients in possession of the recognition of disability with a serious connotation (art. 2-bis of decree law 22 April 2021, n. 52 and dPCM 21 January 2022) . Except in cases of objective impossibility due to urgency, assessed by healthcare personnel, for access to first aid services it was also always necessary to undergo the rapid or molecular antigen test at the same time (art. 2-bis of the decree-law of 22 April 2021 , no. 52);

carers of patients in possession of the recognition of disability with a serious connotation pursuant to article 3, paragraph 3, of the law of 5 February 1992, n. 104, it was also always permitted to access and remain in the waiting rooms of the emergency and reception departments and first aid departments as well as the departments of hospital structures, diagnostic centers and specialist outpatient clinics. Furthermore, the accompanying persons were always allowed to provide assistance, even in the hospital ward, in compliance with the indications of the medical director of the structure;

from 1 April 2022, considering the end of the state of emergency, the access of users and their companions to health, social and medical facilities and medical offices, public or private, for any purpose of prevention, diagnosis and treatment is allowed without having to exhibit a green certification. However, it remains necessary to exhibit the so-called "BASE" green certification (vaccination, healing, swab) for the permanence of carers of patients not affected by Covid-19 in the waiting rooms of the emergency and acceptance departments, first aid departments and hospital wards, diagnostic centers and specialist outpatient clinics and for the permanence in health and social care facilities of carers of patients with serious disabilities or people suffering from Alzheimer's or other dementias or certified cognitive deficits (see table drawn up by the Government - annex 1);

starting from 10 March 2022 and until 31 December 2022, for visitors to access the hospital wards, access with the so-called "strengthened" COVID-19 green certification (issued following the administration of the booster dose following the primary vaccination cycle) is also allowed, and in some cases also together with a certification certifying the negative outcome of the rapid or molecular antigen test, performed in the forty-eight hours prior to access (art. 1 bis, paragraph 1 sexies, Legislative Decree 01/04/2021, n. 44). Medical directors are given the option to adopt more restrictive precautionary measures in relation to the specific epidemiological context, guaranteeing in any case a minimum daily access of no less than forty-five minutes (paragraph added by art. 7, paragraph 1, letter b), Legislative Decree 24 December 2021, no. 221, converted, with amendments, by Law February 18, 2022, n. 11, and, subsequently, thus modified by art. 7, paragraph 2, lett. b), Legislative Decree 24 March 2022, no. 24);

the Authority has repeatedly highlighted that the competence regarding the introduction of measures for the limitation of fundamental rights and freedoms that involve the processing of personal data falls within the matters subject to the reserve of state law (Constitutional Court, sentence 271/ 2005 on the reservation of the state law on data protection; Constitutional Court, sentence 37/21), also recalling what was indicated by the Constitutional Court, according to which "the ongoing pandemic has required and requires interventions falling within the field of international prophylaxis of exclusive competence of the State pursuant to art. 117, second paragraph, letter q), of the Constitution.” (Ordinance of n. 4/21) (provisions of 25 May 2021, web doc. n. 9590466 and of 18 June 2021, web doc. n. 9671917);

the Guarantor has also repeatedly considered that the limitation of personal freedoms also carried out through the processing of data on the health of the interested parties and achieved through the provision of making access to places and services subject to the possession of a certification attesting to the vaccination or recovery from Covid-19, or the negative result of an antigen or molecular test, is in fact admissible only if provided for by a state law (articles 6, paragraph 2, and 9 of the Regulation and articles 2-ter and 2 -sexies of the Code regarding the protection of personal data, Recital No. 48 of the Regulation of the European Parliament and of the Council on the EU digital COVID certificate adopted on 14 June 2021; see also Constitutional Court, sent 271/2005 on the reservation of state law on data protection; Constitutional Court, sentence 37/2021, see also cited provision of 9 June 2021);

the Authority has in fact considered that the certifications attesting the successful vaccination or recovery from Covid-19, or the negative result of an antigen or molecular test, cannot be considered a necessary condition to allow access to places or services if not to the extent that this is provided for by a standard of primary rank. On this point, it should be noted that the Constitutional Court in sentence no. 164/2022 reaffirmed the "exclusive state competence in the field of international prophylaxis (art. 117, second paragraph, letter q, Constitution)," and that "art. 9, paragraph 10-bis, of the legislative decree no. 52 of 2021, as converted, establishes that "[e]ach different or new use of the COVID-19 green certifications is established exclusively by State law", thus expressly confirming, with a provision added upon conversion into law, what is already deductible from the previous paragraph 10, which entrusts the regulation of the aforementioned National Platform-DGC to a d.P.C.M ". In this sentence, the Court finally recognized that "it is up to the State, and for it to the Guarantor for the protection of personal data, to definitively limit the processing of data connected to the use of the green certification";

in this regard, it should be noted that the text of the decree-law of 22 April 2021, n. 52 (in the Official Gazette n. 96 of 22 April 2021), coordinated with the conversion law 17 June 2021, n. 87 containing: "Urgent measures for the gradual recovery of economic and social activities in compliance with the need to contain the spread of the epidemic from COVID-19" (in Official Gazette No. 146 of 21-06-2021) expressly provides that green certifications may be used exclusively for the purposes referred to in articles 2, paragraph 1, 2-bis, paragraph 1, 2-quater, 5, 9 -bis, 9-bis.1, 9-quinquies, 9-sexies and 9-septies of the aforementioned decree, as well as in article 1-bis of the decree-law of 1 April 2021, n. 44, which includes the provisions relating to the health sector referred to above (art. 9, paragraph 10-bis, law no. 87/2021);

in relation to some local initiatives in the context of which the display of green certifications in the health context was required also for purposes other than those strictly envisaged by the aforementioned law, this Office, with a note of the XX (prot. XX) attached in copy ( annex n. 2), drew the attention of the Regions and the State-Regions Conference on the need to postpone the adoption or implementation of territorial initiatives which envisage the use of green certifications for other purposes and in different ways than those expressly provided for by national law. On that occasion it was also pointed out that, with reference to the aforementioned possible treatments, the Authority reserved any assessment regarding the adoption of measures aimed at imposing a temporary or definitive limitation to the treatment, including the prohibition of treatment (art. 58, paragraph 2, letter f) of the Regulation).

a system that is not coordinated at national level for verifying green certifications risks compromising the efficiency of the entire measure as it cannot ensure the accuracy and updating of the data (Article 5, paragraph 1, letter d) of the Regulation ), as well as the possibility for the interested party to use the aforementioned certification throughout the national territory;

in the reconciliation between the protection of the rights of the interested parties and the protection of the health of the patients, it must be taken into consideration that, to date, no mapping of the entire population has been carried out with regard to the contagion from Covid-19. Therefore, in line with what is recommended by the ISS, until the spread of the Sars Cov 2 virus persists, individual protection measures must be taken during each visit, as the visitor's Coronavirus positivity status may not yet have been ascertained. It is also represented that the possession of the green certification does not certify the negativity to the virus. Therefore, the non-proportionality of the measure adopted by the Polyclinic is highlighted according to which the staff is equipped with specific personal protective equipment only if in contact with subjects who do not present green certifications. This measure, together with the provision of differentiated pathways for these patients, in addition to not complying with national indications, runs the risk of discriminating against them.

3. Conclusions.

In the light of the assessments referred to above, taking into account the statements made by the data controller during the preliminary investigation - and considering that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False declarations to the Guarantor and interruption of the execution of the duties or the exercise of the powers of the Guarantor" - the elements provided by the data controller in the defense briefs do not allow to overcome the findings notified by the Office with the deed of initiation of the proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019.

For these reasons, the unlawfulness of the processing of personal data carried out at the Policlinico Casilino is noted, in the terms set out in the justification, in violation of articles 5, par.1, lett. a) and b), and 9 of the Regulation, of the art. 75 of the Code and sector regulations (Law No. 87/2021, Legislative Decree No. 44 of 01/04/2021 and Prime Ministerial Decree of June 17, 2021).

In this context, it being understood that the General Hospital has declared that it has modified the procedures for accessing the interested parties to outpatient services, considering, in any case, that the conduct has exhausted its effects, the conditions for adopting the corrective measures pursuant to art. 58, par. 2, of the Regulation.

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of the articles 5, par.1, lett. a) and b), and 9 of the Regulation, of the art. 75 of the Code and sector regulations (Law No. 87/2021, Legislative Decree No. 44 of 01/04/2021 and Prime Ministerial Decree of June 17, 2021), caused by the conduct put in place by the Polyclinic, is subject to the application of the administrative sanction pecuniary pursuant to art. 83, par. 5, of the Regulation and of the art. 166, paragraph 2 of the Code.

It should be considered that the Guarantor, pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in art. 83, par. 1, of the Regulation, in the light of the elements provided for in art. 85, par. 2, of the Regulation in relation to which it is observed that:

the Authority became aware of the event following a report (Article 83, paragraph 2, letter h), of the Regulation);

the processing, which continued until June 2022, potentially concerns data capable of revealing information on the health of a significant number of data subjects (150,000/200,000 outpatient visits) (Article 83, paragraph 2, letters a) and g), of the Regulation);

the Authority has already intervened on the matter with the numerous provisions mentioned in this provision (Article 83, paragraph 2, letter a) of the Regulation);

the Policlinico cooperated in order to remedy the violation (Article 83, paragraph 2, letter f) of the Regulation);

the Polyclinic claimed to have operated in good faith in order to protect the state of health of patients and healthcare professionals (Article 83, paragraph 2, letter k), of the Regulation);

the Policlinico has already been the recipient of a sanction measure for the violation of the articles 5 and 9 of the Regulation, albeit pertaining to a heterogeneous case (provision of 21 April 2021, n. 148, web doc. n. 9675228) (art. 83, paragraph 2, letter e), of the Regulation).

Based on the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, letter a), of the Regulation, at 30,000 euros (thirty thousand) for the violation of articles 5, par. 1, lett. a) and b), and 9 of the Regulation, of art. 75 of the Code and of the sector regulations (Law No. 87/2021, Legislative Decree No. 44 of 01/04/2021 and Prime Ministerial Decree of June 17, 2021), as a pecuniary administrative sanction considered, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that the ancillary sanction of publication on the Guarantor's website of this provision should be applied, provided for by art. 166, paragraph 7, of the Code and by art. 16 of the Regulation of the Guarantor n. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it should be noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

declares the illegality of the processing of personal data carried out by the Policlinico Casilino of Rome for the violation of the articles 5, par.1, lett. a) and b), and 9 of the Regulation, of the art. 75 of the Code and sector regulations (Law No. 87/2021, Legislative Decree No. 44 of 01/04/2021 and Prime Minister's Decree of June 17, 2021) in the terms set out in the justification.

ORDERS

pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation, as well as art. 166 of the Code, the Policlinico Casilino in Rome, Tax Code and VAT no. 06726891002, in the person of its pro-tempore legal representative, to pay the sum of 30,000 (thirty thousand) euros as an administrative fine for the violations indicated in this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 30,000 (thirty thousand) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, failing which the consequent enforcement acts will be adopted pursuant to art. 27 of law n. 689/1981.

PROVIDES FOR

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision in full on the website of the Guarantor and the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 October 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE DEPUTY SECRETARY GENERAL
Filippi

[doc. web no. 9827446]

Injunction order against the Policlinico Casilino in Rome - 20 October 2022

Register of measures
no. 356 of 20 October 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof. Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and dr. Guido Scorza, members, and dr. Claudio Filippi, deputy secretary general;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196, containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/EC" (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution of the Guarantor n. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

RAPPORTEUR Prof. Ginevra Cerrina Feroni;

WHEREAS

1. The preliminary investigation.

In the month of XX, the Guarantor received a report in which a violation of the regulations on the protection of personal data was complained of in relation to the circumstance that the Policlinico Casilino in Rome (hereinafter the Policlinico) allowed access to the clinics only to those in possession of a green certification.

Following what was reported, the Office found that this indication was also reported on the website of the aforementioned hospital (https://www.policlinicocasilino.it; https://www.policlinicocasilino.it/orari-di-visita/) and therefore requested information from the aforementioned Policlinico (note of the XX, prot. n. XX), which, with a reply note of the XX (prot. n XX), represented, in particular, that:

- "Eurosanità S.p.A., for the Policlinico Casilino, carries out the real-time detection of body temperature and requests the voluntary display of the Green Certification of the patients, deriving from a negative result of the swab in the previous 48 hours, in order to safeguard the safety and public health within the hospital as well as the containment of the spread of the Covid-19 virus in the care and work environments";

- “If the patient does not have one at the time of entering the Facility, the healthcare service is always guaranteed according to the methods indicated in the procedure "Supplementary Note n. I of the XX of the XX";

- the aforementioned "Supplementary note" provides for the following for outpatients: "Patients who do not have a green pass are provided with an additional appointment, with an invitation to present themselves with a valid green pass, after having taken a Covid-19 swab in the previous 48 hours. If the patient arrives at the second appointment without a green pass, the service will be rendered by the healthcare staff by adopting the precautions envisaged for patients without a certain medical history";

- “Access to the requested outpatient services was therefore not denied. The patient could have used it at different times from those of the original booking (which inevitably does not report any prior information on the patient's status to the facility), following "safe" routes, i.e. not in contact with other patients, and accompanied and managed by administrative staff, paramedics and hospital doctors equipped with the required PPE”;

- "In any case, if the patient had considered medical assistance urgent (and this even though the outpatient prescription did not specify the emergency regime), he could easily have gone to the hospital emergency room, the entrance to which is a few tens of meters from that of the clinics";

- "Following this, it should be noted that the Company promptly reiterated to the personnel authorized to verify the green certification, to further inform patients in order to make them understand the reasons for protecting the request for a preventive swab upon access to the hospital";

- "In the information on data processing pursuant to and for the purposes of art. 13 European Regulation 2016/679 - controls and containment measures necessary to prevent the spread of COVID-19 also by checking the Green Pass", in the documents, it is also reported that "As required by the Protocol represented above. pursuant to art. 2 entitled "Methods of entering the Company", as well as pursuant to Legislative Decree no. 127/2021 converted with Law n.165/2021 cited. and further provisions on the subject issued and to be issued, Eurosanità S.p.A, before users and patients access the premises of the Structure, will carry out the real-time detection of body temperature and request the exhibition of the Green Certification. This in order to safeguard public health and safety as well as to contain the spread of the Covid-19 virus in the workplace";

- “As regards the control of the Covid-19 green certification required under Legislative Decree no. 127/2021 (converted with Law no. 165/2021) and further provisions on the subject issued and to be issued, the legal basis of the processing is found in the (verbal) consent of the interested party expressed through the voluntary exhibition of the green certification. If the patient does not have one at the time of entering the Facility, the health service will in any case always be guaranteed according to the methods indicated and disclosed by any means of web communication and billboards present in the Facility and/or declared by the operator at the time of booking the service".

In relation to what emerged from the documentation in the records, the Office notified the Polyclinic, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, inviting the aforesaid controller to submit defense briefs or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 11/24/1981) (note of the XX, prot. n. XX).

In this deed, the Office noted that the following was still indicated on the home page of the Policlinico website: "HOSPITAL AND OUTDOOR CLINIC ACCESS PROVISIONS. Starting from 10.15.2021, access to hospital services will be allowed after verification of: Green pass; Body temperature below 37.5°C. Patients who do not have the green pass will be provided with a further appointment to which they must present themselves with a valid green pass, after having swabbed for Covid-19", and therefore represented that the requirement that all patients directed to the outpatient clinics of the Policlinico possess the green certification lacked an appropriate legal basis, given that this limitation was not envisaged by the sector regulations in force at the time of the facts complained of by the reporting party and was never provided for by the legislation adopted while the state of emergency persisted, thus placing itself in violation of articles 5, par. 1, lit. a) and b), and 9 of the Regulation, of art. 75 of the Code and of the sector regulations (Law No. 87/2021, Legislative Decree No. 44 of 01/04/2021 and Prime Ministerial Decree of June 17, 2021).

With a note of the XX (prot. n XX), the Policlinico sent its defense briefs, in the context of which it asked to be heard at a hearing and, in stating that the provisions subject to the investigation have currently ceased, has reaffirmed the peculiar context in which the system subject to investigation was put in place, considered, in good faith, as a necessary measure to prevent possible transmissions of infection.

On the 20th the remote hearing of the Polyclinic took place pursuant to art. 166, paragraphs 6 and 7 of the Code, in which it was further reaffirmed that "the green pass was requested on a voluntary basis, in compliance with art. 2 bis, legislative decree no. 52/20212" and that for those who did not intend to show it "the service (not having an urgent nature) was in any case usually provided even immediately or in any case in the following hours or days".

Subsequently, with a note of the XX (prot. n. XX) the Polyclinic reaffirmed what was already represented in the documents, highlighting again that "art. 2-bis, 1st paragraph, Legislative Decree 52/2021 pro tempore in force provides: "The health management of the facility is required to adopt the necessary measures to prevent possible transmission of infection"". “The Medical Director of the Polyclinic was therefore obliged to adopt measures to contain the virus. In other words, the law required the Medical Director to adopt precise prescriptions (none excluding, least of all, as far as is known, the request for voluntary display of the green pass) to stem the drama of the contagion, leaving the most appropriate and broad discretion to the Medical Directorate within the limits of available rights, in identifying the safeguards deemed most effective. In the face of this primary rule, for the purpose of mere deterrence, the Health Directorate has introduced, for access to visits, the request for a green pass, then leaving the actual presentation of the aforementioned certification to the "conscience" and will of the individual user".

It was also represented that "For the protection of other people (other patients, staff, etc.) - as briefly represented in the introduction - those who did not show the green pass were accompanied on dedicated routes, being able to count on the performance of the service request in almost immediate times (subject to the need to obtain PPE for personnel who are not already equipped with it)". Finally, it was specified that in the clinics, "if there hadn't been the mandatory prescriptions dictated by the Medical Director, the 150,000/200,000 visits per year would have had to remain without any control".

2. Outcome of the preliminary investigation.

Having taken note of what is represented by the Polyclinic in the documentation in the deeds and in the defense briefs, it is noted that:

pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation"), personal data must be "processed in a lawful, correct and transparent manner" (principle of "lawfulness, fairness and transparency”), “collected for specified, explicit and legitimate purposes” (“purpose limitation”) (Article 5, paragraph 1, letters a) and b), of the Regulation);

Since the declaration of the state of emergency approved by the Council of Ministers on 31 January 2020, many emergency regulatory acts have been adopted, which also contain provisions relating to the processing of personal data carried out as part of the interventions relating to the aforementioned health emergency. Having said this, it should be noted that the emergency provisions adopted over the last few months provide for emergency interventions which involve the processing of data and which are the result of a delicate balance between public health needs and those relating to the protection of personal data, in compliance with the provisions of the European Regulation for the pursuit of reasons of public interest in the public health sector (see Article 9, paragraph 2, letter i), of the Regulation). Obviously, it remains understood that the processing of personal data connected to the management of the aforementioned health emergency must take place in compliance with the current legislation on the protection of personal data and, in particular, with the principles and limits applicable to the processing, pursuant to art. 5 of the Regulation partially referred to above;

the processing of data carried out through the control of green certifications therefore qualifies as processing carried out for public health reasons and as such finds its legal basis in the specific sector discipline and not also in the consent of the interested party (see art. 9, paragraph 2, letter i), of the Regulation);

with specific reference to the processing of data carried out through green certifications, as known, the Guarantor has given its opinion on the draft decree of the President of the Council of Ministers, which must be adopted, pursuant to art. 9, paragraph 10, of the legislative decree no. 52/2021, in agreement with the Minister of Health, the Minister for Technological Innovation and Digital Transition and the Minister of Economy and Finance, in relation to the processing of personal data, also relating to health, carried out through the national digital green certificate Platform (“National Platform-DGC”) for the issuance, release and verification of Covid-19 green certifications (EU Digital COVID Certificate, formerly Digital Green Certificate, hereinafter green certifications) (provision available on www.gpdp.it, web doc. n. 9668064; dpcm 17 June 2021). Subsequently, the Guarantor also issued its opinion on the decrees that modified the aforementioned regulations (opinion of 31 August 2022, web doc. n. 9694010; opinion of 11 October 2022, web doc. n. 9707431, opinion of 18 February 2022, web document n. 9746905). In these opinions, the Board of the Authority considered that the certifications attesting the vaccination or recovery from Covid-19 or the negative result of an antigen or molecular test cannot be considered a necessary condition to allow access to places or services or for the establishment or identification of the procedures for carrying out legal relationships except within the limits in which this is provided for by a primary-ranking rule, in the context of the adoption of the public health measures necessary for the containment of the virus SARS-CoV-2;

with reference to the present case, it should be noted that the sector regulations, also referred to on the website of the Ministry of Health and the Government during the regulatory interventions that have taken place after the entry into force of the provisions on green certifications, do not provide that green certification is required for health needs, for which access is always allowed for the supply of drugs and medical devices and, in any case, for any purpose of prevention, diagnosis and treatment (https://www.dgc.gov.it/web/per-cosa-serve.html#strutture);

to this should be added that the legislation in force at the time of the events provided that remaining in the waiting rooms of the emergency and reception departments and of the first aid departments, as well as in the departments of hospitals, diagnostic centers and specialist polyclinics, was allowed only for carers of patients not affected by Covid-19, in possession of green certifications, as well as for the companions of patients in possession of the recognition of disability with a serious connotation (art. 2-bis of decree law 22 April 2021, n. 52 and dPCM 21 January 2022). Except in cases of objective impossibility due to urgency, assessed by healthcare personnel, for access to first aid services it was also always necessary to undergo the rapid or molecular antigen test at the same time (art. 2-bis of the decree-law of 22 April 2021, no. 52);

carers of patients in possession of the recognition of disability with a serious connotation pursuant to article 3, paragraph 3, of the law of 5 February 1992, n. 104, it was also always permitted to access and remain in the waiting rooms of the emergency and reception departments and first aid departments as well as the departments of hospital structures, diagnostic centers and specialist outpatient clinics. Furthermore, the accompanying persons were always allowed to provide assistance, even in the hospital ward, in compliance with the indications of the medical director of the structure;

from 1 April 2022, considering the end of the state of emergency, the access of users and their companions to health, social and medical facilities and medical offices, public or private, for any purpose of prevention, diagnosis and treatment is allowed without having to exhibit your green certification. However, it remains necessary to show the so-called green certification "BASE" (vaccination, healing, swab) for the permanence of carers of patients not affected by Covid-19 in the waiting rooms of the emergency and acceptance departments, first aid departments and hospital wards, diagnostic centers and specialist outpatient clinics and for the permanence in health and social care facilities of carers of patients with serious disabilities or people suffering from Alzheimer's or other dementias or certified cognitive deficits (see table drawn up by the Government - annex 1);

starting from 10 March 2022 and until 31 December 2022, visitors are also allowed to access hospital wards with the so-called strengthened COVID-19 green certification (issued following the administration of the booster dose following the primary vaccination cycle) and in some cases also together with a certification attesting the negative outcome of the rapid or molecular antigen test, performed in the forty-eight hours prior to access (art. 1 bis, paragraph 1 sexies, Legislative Decree 01/04/2021, no. 44). Medical directors are given the option to adopt more restrictive precautionary measures in relation to the specific epidemiological context, guaranteeing in any case a minimum daily access of no less than forty-five minutes (paragraph added by art. 7, paragraph 1, letter b), Legislative Decree 24 December 2021, no. 221, converted, with amendments, by Law February 18, 2022, n. 11, and, subsequently, thus modified by art. 7, paragraph 2, lett. b), Legislative Decree 24 March 2022, no. 24);

the Authority has repeatedly highlighted that the competence regarding the introduction of measures for the limitation of fundamental rights and freedoms that involve the processing of personal data falls within the matters subject to the reserve of state law (Constitutional Court, sentence 271/2005 on the reservation of the state law on data protection; Constitutional Court, sentence 37/21), also recalling what was indicated by the Constitutional Court, according to which "the ongoing pandemic has required and requires interventions falling within the field of international prophylaxis of exclusive competence of the State pursuant to art. 117, second paragraph, letter q), of the Constitution.” (Ordinance n. 4/21) (provisions of 25 May 2021, web doc. n. 9590466 and of 18 June 2021, web doc. n. 9671917);

the Guarantor has also repeatedly considered that the limitation of personal freedoms also carried out through the processing of data on the health of the interested parties and achieved through the provision of making access to places and services subject to the possession of a certification attesting to the vaccination or recovery from Covid-19, or the negative result of an antigen or molecular test, is in fact admissible only if provided for by a state law (Articles 6, paragraph 2, and 9 of the Regulation and Articles 2-ter and 2-sexies of the Personal Data Protection Code, Recital No. 48 of the Regulation of the European Parliament and of the Council on the EU digital COVID certificate adopted on 14 June 2021; see also Constitutional Court, sentence 271/2005 on the reservation of state law on data protection; Constitutional Court, sentence 37/2021, see also the aforementioned provision of 9 June 2021);

the Authority has in fact considered that the certifications attesting the successful vaccination or recovery from Covid-19, or the negative result of an antigen or molecular test, cannot be considered a necessary condition to allow access to places or services if not to the extent that this is provided for by a standard of primary rank. On this point, it should be noted that the Constitutional Court in sentence no. 164/2022 reaffirmed the "exclusive state competence in the field of international prophylaxis (art. 117, second paragraph, letter q, Constitution)," and that "art. 9, paragraph 10-bis, of the legislative decree no. 52 of 2021, as converted, establishes that "[e]ach different or new use of the COVID-19 green certifications is established exclusively by State law", thus expressly confirming, with a provision added upon conversion into law, what is already deductible from the previous paragraph 10, which entrusts the regulation of the aforementioned National Platform-DGC to a d.P.C.M ". In this sentence, the Court finally recognized that "it is up to the State, and for it to the Guarantor for the protection of personal data, to definitively limit the processing of data connected to the use of the green certification";

in this regard, it should be noted that the text of the decree-law of 22 April 2021, n. 52 (in the Official Gazette n. 96 of 22 April 2021), coordinated with the conversion law 17 June 2021, n. 87 containing: "Urgent measures for the gradual recovery of economic and social activities in compliance with the need to contain the spread of the epidemic from COVID-19" (in Official Gazette No. 146 of 21-06-2021) expressly provides that green certifications may be used exclusively for the purposes referred to in articles 2, paragraph 1, 2-bis, paragraph 1, 2-quater, 5, 9 -bis, 9-bis.1, 9-quinquies, 9-sexies and 9-septies of the aforementioned decree, as well as in article 1-bis of the decree-law of 1 April 2021, n. 44, which includes the provisions relating to the health sector referred to above (art. 9, paragraph 10-bis, law no. 87/2021);

in relation to some local initiatives in the context of which the display of green certifications in the health context was required also for purposes other than those strictly envisaged by the aforementioned law, this Office, with a note of the XX (prot. XX) attached in copy (annex n. 2), drew the attention of the Regions and the State-Regions Conference to the need to postpone the adoption or implementation of territorial initiatives which envisage the use of green certifications for other purposes and in different ways than those expressly provided for by national law. On that occasion it was also pointed out that, with reference to the aforementioned possible processing operations, the Authority reserved any assessment regarding the adoption of measures aimed at imposing a temporary or definitive limitation on the processing, including the prohibition of processing (art. 58, paragraph 2, letter f) of the Regulation).

a system that is not coordinated at national level for verifying green certifications risks compromising the efficiency of the entire measure as it cannot ensure the accuracy and updating of the data (Article 5, paragraph 1, letter d) of the Regulation), as well as the possibility for the interested party to use the aforementioned certification throughout the national territory;

in the reconciliation between the protection of the rights of the interested parties and the protection of the health of the patients, it must be taken into consideration that, to date, no mapping of the entire population has been carried out with regard to the contagion from Covid-19. Therefore, in line with what is recommended by the ISS, until the spread of the Sars Cov 2 virus persists, individual protection measures must be taken during each visit, as the visitor's Coronavirus positivity status may not yet have been ascertained. It is also represented that the possession of the green certification does not certify the negativity to the virus. Therefore, the non-proportionality of the measure adopted by the Polyclinic is highlighted according to which the staff is equipped with specific personal protective equipment only if in contact with subjects who do not present green certifications. This measure, together with the provision of differentiated pathways for these patients, in addition to not complying with national indications, runs the risk of discriminating against them.

3. Conclusions.

In the light of the assessments referred to above, taking into account the statements made by the data controller during the preliminary investigation - and considering that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False declarations to the Guarantor and interruption of the execution of the duties or the exercise of the powers of the Guarantor" - the elements provided by the data controller in the defense briefs do not make it possible to overcome the findings notified by the Office with the deed of initiation of the proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019 applies.

For these reasons, the unlawfulness of the processing of personal data carried out at the Policlinico Casilino is noted, in the terms set out in the justification, in violation of articles 5, par.1, lett. a) and b), and 9 of the Regulation, of the art. 75 of the Code and sector regulations (Law No. 87/2021, Legislative Decree No. 44 of 01/04/2021 and Prime Ministerial Decree of June 17, 2021).

In this context, it being understood that the General Hospital has declared that it has modified the procedures for accessing the interested parties to outpatient services, considering, in any case, that the conduct has exhausted its effects, the conditions for adopting the corrective measures pursuant to art. 58, par. 2, of the Regulation.

4. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5, par. 1, lett. a) and b), and 9 of the Regulation, of art. 75 of the Code and of the sector regulations (Law No. 87/2021, Legislative Decree No. 44 of 01/04/2021 and Prime Ministerial Decree of June 17, 2021), caused by the conduct of the Polyclinic, is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation and art. 166, paragraph 2, of the Code.

Consider that the Guarantor, pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in art. 83, par. 1, of the Regulation, in the light of the elements provided for in art. 85, par. 2, of the Regulation in relation to which it is observed that:

the Authority became aware of the event following a report (Article 83, paragraph 2, letter h), of the Regulation);

the processing, which continued until June 2022, potentially concerns data suitable for detecting information on the health of a significant number of data subjects (150,000/200,000 outpatient visits) (Article 83, paragraph 2, letters a) and g), of the Regulation);

the Authority has already intervened on the matter with the numerous provisions mentioned in this provision (Article 83, paragraph 2, letter a) of the Regulation);

the Policlinico cooperated in order to remedy the violation (Article 83, paragraph 2, letter f) of the Regulation);

the Polyclinic claimed to have operated in good faith in order to protect the state of health of patients and healthcare professionals (Article 83, paragraph 2, letter k), of the Regulation);

the Policlinico has already been the recipient of a sanction measure for the violation of the articles 5 and 9 of the Regulation, albeit pertaining to a heterogeneous case (provision of 21 April 2021, n. 148, web doc. n. 9675228) (art. 83, paragraph 2, letter e), of the Regulation).

Based on the aforementioned elements, evaluated as a whole, it is decided to set the amount of the pecuniary sanction provided for by art. 83, par. 5, letter a), of the Regulation at 30,000 euros (thirty thousand) for the violation of articles 5, par. 1, lett. a) and b), and 9 of the Regulation, of art. 75 of the Code and of the sector regulations (Law No. 87/2021, Legislative Decree No. 44 of 01/04/2021 and Prime Ministerial Decree of June 17, 2021), as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that the ancillary sanction of publication on the Guarantor's website of this provision should be applied, provided for by art. 166, paragraph 7, of the Code and by art. 16 of the Regulation of the Guarantor n. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it should be noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

HAVING CONSIDERED ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Policlinico Casilino of Rome for the violation of articles 5, par. 1, lett. a) and b), and 9 of the Regulation, of art. 75 of the Code and of the sector regulations (Law No. 87/2021, Legislative Decree No. 44 of 01/04/2021 and Prime Minister's Decree of June 17, 2021) in the terms set out in the justification.

ORDERS

pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation, as well as art. 166 of the Code, the Policlinico Casilino in Rome, Tax Code and P.I. 06726891002, in the person of the pro-tempore legal representative, to pay the sum of 30,000 (thirty thousand) euros as an administrative fine for the violations indicated in this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ENJOINS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 30,000 (thirty thousand) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, failing which the consequent executive acts pursuant to art. 27 of the law n. 689/1981 will be adopted.

PROVIDES FOR

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision in full on the website of the Guarantor and the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 October 2022

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE DEPUTY SECRETARY GENERAL
Filippi