Garante per la protezione dei dati personali (Italy) - 9835095

From GDPRhub
Revision as of 09:01, 5 February 2023 by Carloc (talk | contribs) (→‎Facts)
Garante per la protezione dei dati personali - 9835095
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6 GDPR
Article 38 GDPR
Article 2-ter d. lgs. 196/2023
Type: Complaint
Outcome: Upheld
Started:
Decided: 10.11.2022
Published:
Fine: 6,000 EUR
Parties: Conservatorio Santa Cecilia di Roma
National Case Number/Name: 9835095
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: Carloc

A conservatory was fined €6,000 for processing and disclosing the personal data of a student without a legal basis, for naming a DPO in a position of conflict of interest, and for appointing a data processor without a DPA.

English Summary

Facts

A student association held an assembly through the Zoom platform. An unknown person uploaded a recording of the assembly on a USB drive and left the drive in the Conservatory of Santa Cecilia. The drive was retrieved and viewed by the Conservatory's Director. The Director held that one of the Conservatory's students offended the Conservatory's reputation during the student assembly, based on the recording. The Conservaroty initiated a disciplinary procedure against the student. As a part of the procedure, the Conservatory appointed a sworn expert who transcribed the student's statements.

The student filed a complaint with the Italian DPA. The student is the data subject and the Conservatory is the data controller.

In its defense, the controller observed that school directors have disciplinary powers over students under Italian law and may investigate student misconduct outside of school. For this reason, the controller claimed that the processing of the student's data was based on Article 6(1)(e) GDPR (exercise of official authority). The controller also claimed that students had no expectation of privacy during the assembly because links to the Zoom session were publicly available on social media.

Holding

The DPA held that the Director had no authority to access personal data from a lost USB drive. For this reason, the DPA held that the original collection of the data lacked a legal basis. As a consequence, the DPA found that all further processing of the data during the disciplinary procedure (including their disclosure to the sworn expert) also lacked a legal basis. The DPA held this to be a violation of Articles Article 5(1)(a), Article 5(1)(b), and (6) GDPR as well as Article 2-ter of the Italian privacy code. The DPA clarified that the public nature of the student assembly was not relevant in this regard.

The DPA also found that the Director was the controller's DPO at the time of the complaint. The DPA held this to be a violation of Article 38(6) GDPR because the Director was in a position of conflict of interest. The DPA noted that this assessment was in line with its own guidelines and case law.

Comment

The DPA also held that the sworn expert acted as data processor without signing a data processing agreement. [Article 28 GDPR] (Processor) is mentioned in the motivation, but not in the operative part of the decision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9835095]

Injunction against the S. Cecilia Conservatory of Music in Rome - 10 November 2022

Register of measures
no. 367 of 10 November

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ CE, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free movement of such data and which repeals Directive 95/46/EC (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

Given the documentation in the deeds;

Given the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the Guarantor's office for the protection of personal data, doc. web no. 1098801;

Speaker Prof. Pasquale Stanzione;

WHEREAS

1. The complaint.

With a complaint received by the Authority, a student of the "Santa Cecilia" State Conservatory of Music (hereinafter "the Conservatory") represented that he had received a disciplinary dispute based on the content of the statements made by the same during a student meeting, held via the Zoom platform and convened by the organization called "XX", on XX. Based on the complaints, the Conservatory would have acquired the recording and audio transcript of the video of the assembly despite the fact that the organizers of the same had not foreseen any recording.

2. The preliminary investigation.

With a note of the XX (prot. n XX) responding to the request for information formulated by the Office, the Conservatory represented, in particular, that:

- "the assembly of the XX (...), was not organized and/or convened by this Conservatory, but by the association XX ("XX") which is coordinated by a former student (of this Conservatory) and would seem to include among the own student associates of various institutions; non-student subjects also appear to have participated in the meeting. This circumstance, (...) is a prejudicial element, as the Conservatory does not seem to have to be contested for improper use of personal data, if such data refer, as in the case in question, to circumstances and events not organized by (and therefore external to the ) Conservatory itself”;

- "On the 20th date, in the rooms of the "Santa Cecilia" Conservatory, a USB key was found containing the video recording file of the 20th assembly (...). There is no evidence of whoever videotaped the assembly, nor of whoever left the aforementioned USB stick in the Conservatory which, as soon as it was found, was deposited by the Director in the Conservatory's confidential protocol (n. XX)";

- "Subsequently, the Conservatory commissioned the transcription in the form of a sworn appraisal to (...), sound expert and transcriber registered in the Register of Experts at the Ordinary Court of Rome";

- "During the assembly (the complainant) intervened several times with propalations that appeared to integrate (in terms of both form and content) the details for the configuration of the disciplinary responsibility against him, according to the provisions of the Regulation disciplinary for the students of the "Santa Cecilia" Conservatory of Rome, approved on the XX date (...). The claims of the (complainant), presumptively relevant also from a criminal point of view, appeared to be in contrast with the conduct obligations incumbent on the students, as well as damaging to the reputation of the Conservatory, the staff who work there and the management bodies, including the Director of the Conservatory”;

- "On the XX date, steps were therefore taken to contest the disciplinary charge against the student pursuant to art. 3 c. 2 and of the art. 4 letter. a) of the Disciplinary Regulations. Finally, having completed the procedure, the foreseen disciplinary sanction was imposed on the basis of the following reasons: “Your statements are highly damaging to the dignity and image of the “Santa Cecilia” Conservatory (…)”;

- “the sanction does not derive, not even in the slightest part, from the propaganda directed against the Director. (...) from a legal point of view, the Conservatory (and for it the Director) is obliged to carry out disciplinary action, where the conditions are recognised".

With a note of the XX (prot. n. XX) in response to the request to provide further information formulated by the Office, the Conservatory represented, in particular, that:

- “The Conservatory is subject to the provisions of law n. 508 of 1999, which pursuant to art. 2, paragraph 71, delegates to one or more regulations the discipline of the administrative and didactic organization of the institutions subject to this regulation. In this sense, the D.P.R. no. 132 of 2003 provides, pursuant to art. 6 paragraph 4 that "The director is the holder of the disciplinary action against the teaching staff and students". The R.D.L. also applies to the Conservatory. no. 1071/1935 and, in particular, the provisions of art. 16, paragraph 1, according to which "The disciplinary jurisdiction over students (...) is also exercised for facts committed by students outside the circle of university premises and establishments, when they are recognized as damaging to dignity and honour, without prejudice to any sanctions of law (…). The Institute, taking into account its statutory autonomy, has adopted a Disciplinary Regulation (...)";

- "It is believed that the disciplinary power (...) is, in general, connected to the exercise of public powers whose foundation is to be found in the aforementioned provisions. Nonetheless, the exercise of this power inevitably entails the processing of the personal data of the recipients of the final measure. The Conservatory, in fact, believes that this treatment finds its legitimizing legal basis in the combined provisions of art. 6, letter. e) of EU Regulation 2016/679 (hereinafter "Regulation" or "GDPR") and of art. 2-ter of Legislative Decree 196/2003 (hereinafter "Privacy Code")";

- "the Conservatory found on the premises of the Conservatory, on the 20th date, a USB stick containing the recording of an assembly of the 20th, convened, moreover, not following the normal authorization procedure that characterizes student meetings, envisaged by the current Regulation of the Consulta , but through the dissemination (via social media, instagram and facebook) of the connection to an electronic platform - "Zoom" - which allowed access to this meeting to anyone who wanted to use the aforementioned link, clearly visible on social networks (...) this meeting must be considered de facto public, with the consequent "making available" to the "public" also of the personal data of the participants and their statements. This determines that anyone who participated in said meeting was well aware that their personal data would have been made "manifestly public" and "disseminated", and this can be said even more for the adherents of the XX, organizers of the online meeting, among the which (the complainant)”;

- "Not being able to omit to consider the behavior of the complainant, also and above all in consideration of the fact that - as previously mentioned - the disciplinary powers can also be exercised as a result of the conduct of the students outside the premises of the Conservatory, the Institute determined in the disciplinary action, based not only on the facts that emerged during the meeting”;

- "with regard to the processing in question 'connected to the use of the declarations made in the public meeting and the relative transcript' it was specified that: "a) the aforementioned operations are identified in a purely endo-procedural act, secreted within of the confidential protocol of the Conservatory, kept in a suitable place and not accessible to anyone other than the Director; b) the processing of personal data connected to the transcription took place by a professional registered in a suitable register, who, in addition to being bound by professional secrecy, limited himself to transcription of what was deduced therein; c) the same recordings and related transcripts were not, therefore, subject to further dissemination and communication to third parties, having been used only in the preliminary phase of the disciplinary procedure; d) nor have they been transposed in the final provision imposed against the (claimant)";

- "with regard to the appointment of the RPD "the Conservatory designated, with effect from the XX, as RDP the Director (...). This decision was, (…) oriented as much by the urgency and by the desire to adapt, within the timescales, to the legislation in force, as by the observation that other public institutions (…) had also taken steps to designate, such as RDP, directors or other subjects of top”;

- "the Conservatory has taken steps with resolution of the XX (attached to this reply, doc. 3) to revoke the position of RDP to the Director (...) to assign it to the Company (...)".

Based on the elements acquired, the Office notified the Conservatory, as data controller, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulations, since the Conservatory has processed the personal data contained in the audio/video recording file stored in the USB device in a manner that does not comply with the principles of "lawfulness, correctness and transparency", and "purpose limitation" in violation of art. . 5, paragraph 1, lett. a) and b) of the Regulation and in the absence of a suitable regulatory prerequisite, in violation of articles 6 of the Regulation and 2-ter of the Code; for not having regulated, in terms of data protection, the relationship with the expert in charge of transcription of the recording of the meeting pursuant to art. 28 of the Regulation by making the aforementioned data available to this subject in violation of the articles 5 and 6 of the Regulation and 2-ter of the Code; as well as for having designated the Director of the Institute as Head of Personal Data Protection (hereinafter "RPD"), in violation of art. 38, par. 6, of the Regulation. Therefore, the Guarantor invited the aforesaid owner to produce written defenses or documents or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of the 11/24/1981).

The Conservatory sent its defense briefs representing, in particular, that:

- "starting from the month of XX, the internal confrontation between the institutional bodies of the Conservatory and the student representatives has gradually escalated, also due to the establishment of an organization - initially anonymous - called XX (...) and the hard opposition and criticisms made by it, of which the (claimant) is also one of the representatives":

- "the facts mentioned above, as narrated in the Conservatory, are also part of a documented continuous series of exacerbations that has been going on since the beginning of the health emergency";

- "one cannot fail to note the contradiction between what was reported by the (complainant) regarding the fact that no recording of the meeting was envisaged (...) and the fact that, in one of the official communications of the XX, of which the (complainant) is one of the most active members, we can read that "every (…) meeting is recorded and the related minutes are drawn up for each meeting (…). It therefore seems hardly credible that he was not aware of the recording in question";

- with reference "to the processing of personal data contained in the audio/video file containing the recording of the XX of the XX (...) it should be noted that the use of the data contained in the recording in question was used in the context of the disciplinary action brought by the Conservatory towards the student, (…) and not for distinct or additional purposes. (…) pursuant to the Disciplinary Regulations for students of the Santa Cecilia Conservatory of Rome, approved with resolution of the Academic Council n. XX of the XX (the "Disciplinary Regulations"), disciplinary action on students is also exercised for facts committed by students outside the circle of the Institute's premises when they are recognized as damaging to the dignity and honor of the Institution (...) . The holder of the disciplinary action is the Director who, "having received the news of the alleged offence, orders the opening of the disciplinary procedure. The Director can acquire documents, hear witnesses, carry out any other activity he deems useful";

- “The acquisition of the transcript of the file contained in the USB key must therefore be traced back to this preliminary investigation context, through recourse to a special IT expert trained and authorized pursuant to art. 29 of the GDPR. Indeed, the specific legal basis can also be identified in it";

- the disciplinary power pursuant to art. 16, paragraph 1 of the R.D.L. no. 1071/1935 “is to be considered to all effects connected to the exercise of public powers vested in the Conservatory. Therefore, the processing was considered lawful by the owner because it was based on the legal basis pursuant to art. 6, paragraph 1, lett. e) and paragraphs 2 and 3 of the GDPR, as well as of the art. 2-ter of the Code, in the formulation prior to the changes introduced with d.1. 8 October 2021, no. 139”;

- "art. 7 of the Disciplinary Regulations provides that the Director may "acquire documents, [...] carry out any other activity he deems useful". However, the circumstance whereby an effective exercise of this activity can be based on the use of documents and data collected for purposes other than those that justified the initial collection cannot be overlooked, even more so in the event that the original owner who activity has been carried out by a third party. In any case, it is important to reiterate that the exercise of this investigative activity took place in the framework of freely accessible and knowable information by the students such as the information on the processing of personal data and the same Disciplinary Regulations”;

- with reference to the appointment of the DPO, “the intention to move quickly in the sense of fulfilling the specific legal obligation had led the Conservatory to carry out an incomplete assessment regarding the characteristics which the PD must enjoy. This assessment, indeed, had mainly regarded the practices widespread among other public institutions belonging to the AFAM system (…). Following the second request for information, and therefore in a phase prior to sending the notification of the violation, acting proactively and in the interest of bringing the Conservatory to a good level of compliance, a resolution of the XX proceeded to revoke the appointment of DP to the then Director to assign him to the company (…)”;

- "following the appointment of the new RDP, in the awareness of the need to align the personal data processing processes carried out by the Conservatory as owner, a path of compliance with the applicable legislation was undertaken".

During the hearing held on the 20th date, the Conservatory declared that:

"the Conservatory, having taken note of the findings of the Authority regarding the position of conflict of interest of the previous (...) DPO, promptly proceeded to designate a new DPO, collaborating profitably with the same in order to comprehensively review the procedures of the Conservatory regarding the protection of personal data and its internal organization, also on the basis of what emerged during the investigation launched by the Guarantor regarding the methods of managing disciplinary proceedings;

"the Conservatory has always acted, even in the event of a complaint, with the primary objective of serving the interests of its students";

"in the present case, the "XX" association had publicly disclosed the fact that all its meetings would have been recorded and, therefore, the complainant could not have a legitimate expectation of confidentiality";

"from a joint reading of the art. 6, par. 1, lit. e), of Regulation (EU) 2016/679, of the internal regulations of the Conservatory regarding disciplinary procedures, as well as of the r.d. 1071/1935, which attributes disciplinary power to the institutions of the Conservatory, it is possible to find a suitable legal basis to justify the processing of personal data in question, including those contained in the USB key found by the Conservatory”;

“the evidence search activity must always be considered compatible with the original purpose for which the data are processed; otherwise, in fact, the possibility of exercising or defending a right in court would be compromised”;

"in any case, it is necessary to consider that the Conservatory has an organizational structure of modest dimensions and characterized by elements of complexity at the management level, also due to the small administrative resources available to institutes of higher artistic education";

"the current Council, following the commissioning of the Conservatory, has launched every most appropriate initiative to reorganize the internal procedures and the governance of the Conservatory (also by initiating a digitization process, increasing data security and renewing the institutional website ), making employees aware of the important issue of personal data protection. More generally, the commissarial structure wanted to review the overall organizational structure of the Entity, which was characterized by a paternalistic approach and by a stratification of practices and procedures dating back over time and no longer effective, having been conceived in an era in which which the Entity acted on an authoritative basis".

3. Outcome of the preliminary investigation.

3.1 The applicable legislation.

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation"), the processing of personal data carried out in the public sphere is lawful when it is necessary "to fulfill a legal obligation to which the data controller is subject" or "for the execution of a task in the public interest or connected to the exercise of public powers vested in the data controller" (art. 6, paragraph 1, letter c) and e) and paragraphs 2 and 3 of the Regulation; art 2-ter of Legislative Decree no. 196 of 30 June 2003 - Code regarding the protection of personal data, in the text prior to the changes introduced with the d.l. 8 October 2021, no. 139, hereinafter, the "Code").

More generally, European legislation provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of this regulation with regard to treatment, in accordance with paragraph 1, letters c) and e), determining with greater precision specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing (…)” (art. 6, paragraph 2 of the Regulation).

The national legislation has introduced more specific provisions to adapt the application of the rules of the Regulation, determining, with greater precision, specific requirements for the treatment and other measures aimed at guaranteeing a lawful and correct treatment (Article 6, paragraph 2 of the Regulation ) and, in this context, has established that personal data processing operations are permitted only when provided for by a law or, in the cases provided for by law, a regulation (Article 2-ter, paragraphs 1 and 3, of the Code in the text prior to the changes introduced with Legislative Decree No. 139 of 8 October 2021).

The data controller is then, in any case, required to comply with data protection principles and to process the data through authorized and duly trained personnel regarding access to the data (articles 5 and 4, par. 10, articles 29, 32, paragraph 4, of the Regulation and article 2-quaterdecies of the Code).

For the purposes of compliance with the legislation on the protection of personal data, it is also important to precisely identify the subjects who, for various reasons, can process personal data and clearly define their respective attributions, in particular that of owner and manager of the treatment (art. 4, par. 1, point 7 of the Regulation and art. 28 of the Regulation).

The relationship between the owner and the manager is governed by a contract or other legal act, stipulated in writing which, in addition to mutually binding the two figures, allows the owner to issue instructions to the manager and provides, in detail, what the subject is regulated, the duration, nature and purposes of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the owner.

The Data Processor is, therefore, entitled to process the data of the interested parties "only on documented instruction from the owner" (Article 28, paragraph 3, letter a) of the Regulation).

With regard to the figure of the DPO, the Regulation provides that this must be mandatorily designated by the data controller "when the processing is carried out by a public authority or a public body" (Article 37, paragraph 1, of the Regulation). The DPO must be equipped with the “resources necessary to perform [his] duties (…)” and “may perform other tasks and functions. The data controller or the data processor ensures that these tasks and functions do not give rise to a conflict of interest" (Article 38, paragraphs 2 and 6, of the Regulation; see cons. 97 of the Regulation, where it is stated that DPOs “should be able to carry out the functions and duties assigned to them independently”).

With specific reference to the prohibition of conflicts of interest, the "Guidelines on data protection officers" (adopted by the Article 29 Working Party on 13 December 2016, in the amended version on 5 April 2017) specify that "the absence of of interests is strictly connected to the independence obligations. Even if a DPO may perform other functions, the assignment of these additional tasks and functions is possible only on the condition that they do not give rise to conflicts of interest. This means, in particular, that a DPO cannot play, within the organization of the data controller or data processor, a role that involves defining the purposes or methods of processing personal data. This is an element to be taken into consideration on a case-by-case basis, looking at the specific organizational structure of the individual data controller or data processor" (par. 3.5, p. 21).

3.2 Illegality of the processing of personal data contained in the USB device

Following the preliminary investigation it emerged that, in the present case, according to what was declared, the assembly of the students of the XX, held via connection to an electronic platform, "was not (was) organized and/or convened by (... ) Conservatorio” but announced by a student association. On the 20th date "a USB stick containing the recording of an assembly" was found "in the premises of the Conservatory" without any elements suitable to identify the owner of the device. Nonetheless, the then Director of the Conservatory, having read the contents of the device, proceeded to deposit the aforementioned USB stick with the confidential protocol of the Conservatory and commissioned an expert to transcribe the contents of the file stored on the support, thus acquired.

Subsequently, the Conservatory initiated a proceeding and imposed a specific disciplinary sanction against the complainant based on the statements that, according to the aforementioned transcript, would be attributable to him during the aforementioned meeting.
It also appears that pending the disciplinary procedure, following a specific request for access to administrative documents presented by the complainant, through his lawyer, pursuant to articles 22 et seq. of the law 7 August 1990, n. 241, the Conservatory accepted the request by providing the "extract of the transcript of the Audio of the student assembly".

Given the above, it must first be reiterated that any processing of personal data must take place in compliance with the Regulation and the Code, in particular, personal data must be processed "in a lawful, correct and transparent manner in relation to the interested party" and "collected for specific, explicit and legitimate" (principle of limitation of purpose). In this context, however, the possibility of subsequent processing is admissible only if "it is not incompatible with [the] initial purposes" of the processing (Article 5, paragraph 1, letters a) and b), of the Regulation).

This means that the owner can only use personal data lawfully collected for further processing in the presence of an appropriate legal basis, having previously "satisfied all the requirements for the lawfulness of the original processing" (see cons. n. 50 of the Regulation) , and therefore to the extent that the original collection was lawfully carried out, having regard to the main purpose and in compliance with the general principles of data protection.

In the present case, the Conservatory acquired, not through institutional channels but following the "random" discovery of the aforementioned device, the personal data of the students contained/stored therein (in particular images and declarations of the participants in the student assembly).

The investigation also confirmed that the personal data acquired in this way were subsequently also processed by a professional for the purpose of transcribing the content as well as kept and further used by the Conservatory for the purposes of the disciplinary procedure. Although this further use was made, as reaffirmed in the defense briefs, in the context of the exercise of the disciplinary powers that the sector framework attributes to the Conservatory with respect to students, it is believed that the casual discovery of an object, in this case a mobile data storage device, cannot constitute a sufficient reason to legitimize the processing of the personal data stored therein.

Nor, for the purposes of the overall assessment of the legitimacy of the collection of the data contained in the USB device, can it be considered relevant what was declared by the Conservatory regarding the fact that, since the link for the connection to the meeting is visible on some social networks, this meeting could be considered accessible to anyone. This is also due to the fact that, at the time the device was found, its contents were not known.

In this regard, in fact, albeit in a different context, the Guarantor declared that the use by a municipal administration of a certified e-mail address found online, to notify an employee a disciplinary measure, clarifying, in particular, that this violation occurs "even when, as in the present case, the employee's certified e-mail address can be found on an online professional register, given that the personal data published in public registers, lists, deeds or documents that can be known by anyone can be processed with the limits and methods that the applicable sector laws establish for the knowledge and publicity of the data" (see provision of 12 March 2020, n. 56, web doc. n 9429218).

In the light of the foregoing considerations, and considering that during the investigation, no indications were provided regarding the specific legal basis that would have legitimized the original collection of personal data in question, it must be concluded that, in the present case, the Conservatory should have abstained from processing the personal data contained in the USB device, object of casual discovery and in the absence of elements aimed at identifying its legitimate owner, limiting itself to handing it over to the competent authorities. As shown in the documents, however, the Conservatory has acquired and processed, also through third parties (the expert who carried out the transcription), the personal data contained in the device in the absence of a suitable prerequisite of lawfulness, in violation of articles 5 and 6 of the Regulation and art. 2-ter of the Code.

With regard to the circumstance of further use of the same data acquired in this way, also in the context of administrative and disciplinary proceedings, the following is noted.

The extent of the disciplinary powers attributed by the sector provisions to the Director of the Conservatory in any case presupposes the receipt of a news/report which constitutes a prerequisite for the legitimate initiation of a consequent proceeding ("having received the news of the alleged offense, orders the opening of the proceeding The Director can acquire documents, hear witnesses, carry out any other activity he deems useful", see Disciplinary Regulations for students of the Santa Cecilia Conservatory of Rome, approved with resolution of the Academic Council n. XX of XX). This circumstance has not been proven in the present case, nor can it be found in having read the contents of a USB device that was found and which, in the absence of further elements, could have contained personal data referring to anyone and of any nature.

Given the unusability of "personal data processed in violation of the relevant data processing regulations" (Article 2-decies of the Code), it is believed that subsequent processing - even if carried out in the exercise of duties and powers attributed to the Conservatory - have occurred in a manner that does not comply with the regulations on the protection of personal data in violation of articles 5 and 6 of the Regulation, and art. 2-ter of the Code. Nor can having used the same data in the exercise of the aforementioned functions be considered sufficient to fill the lack of legal basis of the original collection.

We acknowledge the particular context in which the facts object of this investigation occurred characterized by a "continuous series of exacerbations" in the relations between the Conservatory and the student association of which the complainant was a promoter and which, as stated by the Commissioner extraordinary during the hearing of the XX, the initiatives put in place by the Conservatory at the time of the events in question are the result of the previous management of the institution, "characterized by a paternalistic approach and by a stratification of practices and procedures dating back to and no longer effective, having been conceived at a time when the Organization acted on an authoritative basis”. However, these circumstances cannot be considered sufficient to exclude the holder's liability in the present case.

3.3 The role of the expert in charge of carrying out the transcription

As evidenced by the declarations in the documents, "the Conservatory (...) has commissioned the transcription" of the "video recording file of the 20th assembly" to a "phonic expert and transcriber registered in the Register of Experts at the Ordinary Court of Rome", who therefore, as confirmed by the Conservatory "the processing of personal data connected to the transcription took place by a professional registered in a suitable register".

In this regard, it should be noted that, based on the data protection regulations, in the cases in which the processing of personal data is carried out on behalf of the data controller by a different subject (in this case the expert), it is necessary that the relative relationship is governed by a contract or other legal act pursuant to art. 28 of the Regulation (see also recital 81 and art. 4, point 8 of the Regulation) also in order to avoid processing (communication to third parties) in the absence of a suitable prerequisite of lawfulness (given the notion of "third party" pursuant to art 4, point 10, of the Regulation; see art. 2-ter, paragraphs 1 and 4, letter a), of the Code, with regard to the definition of "communication").

In the present case it appears that the Conservatory has appointed an expert to carry out processing operations on its behalf in relation to the personal data contained in the file stored on the USB device found in the premises of the Conservatory. In this regard, without prejudice to the assessments relating to the legitimacy of the overall treatment (esp. par. 3.2), there is no evidence in the deeds of a prior regulation of the relationship with the expert pursuant to art. 28 of the Regulation.

Nor are there, in the present case, contrary to what is represented by the Conservatory, the conditions for considering the professional in question, an authorized person pursuant to art. 29 of the Regulation, having to believe that the reference to acting "under the direct authority of the owner or manager" and being "instructed" regarding access to data, refers to persons belonging to the legal and organizational structure of the controller or processor as specified by the European Data Protection Board (see "Guidelines 07/2020 on the concepts of data controller and processor in the GDPR", adopted on 7 July 2021 by the European Data Protection Board personal data, specifically pp. 31-32, paragraphs 88, 89 where express reference is made to "an employee or a person who occupies a position very similar to that of an employee, for example the staff of a temporary employment agency" ).

The making available to another subject, unrelated to the organizational structure of the personal data owner, who does not operate pursuant to art. 29 of the Regulation, and also in the absence of regulation of the related relationship pursuant to art. 28 of the Regulation, gives rise to a communication to third parties of personal data (cf. art. 4, point 10, 5 and 6 of the Regulation and art. 2-ter, paragraphs 1 and 4, letter a), of the Code).

This prerequisite of lawfulness cannot be found, in the case in question, in the contract stipulated between the professional and the Conservatory given that the expression "necessary for the execution of a contract" referred to in art. 6, par. 1, lit. b) of the Regulation), refers to the case in which the processing is necessary to fulfill the contractual obligations with each interested party and not instead, as in the present case, in the execution of a contract between the owner and a third party (cf. " Guidelines on consent pursuant to EU Regulation 2016/679, of the European Committee for the protection of personal data, which expressly provide in this regard that "a direct and objective connection between the processing of data and the purpose of the execution of the contract is necessary with the interested parties", see also what was clarified by the Guarantor with provision n. 384 of 28 October 2021, web doc. n. 9722661).

In the light of the foregoing considerations, the Conservatory has made the personal data contained in the USB device available to a third party, in the absence of an appropriate legal basis, giving rise to unlawful processing, in violation of articles 5, par. 1, lit. a), and 6 of the Regulation and of the art. 2-ter of the Code (on the lack of legitimacy to process data in similar cases see provision no. 81 of 7 March 2019, web doc. no. 9121890; provision no. 160 of 17 September 2020, web doc. n. 9461168; provision n. 280 of 17 December 2020, web doc. n. 9524175; "Guidelines 07/2020 on the concepts of data controller and data processor in the GDPR", cited p.35, spec. note 42) .

3.4 The independence of the DPO

As shown in the deeds and confirmed by the Conservatory, the Director of the Conservatory held the position of DPO from "from 13 June 2018" to "28 January 2022".

Considering the role played by the Director within the organizational structure of the Conservatory, as well as the numerous tasks assigned to this figure by the sector discipline, the following can be observed.

As clarified by this Authority in the "Faq on the Data Protection Officer (DPO) in the public sphere" of 15 December 2017 (web doc. n. 7322110), "in the public sphere, in addition to top management roles, there may be situations of conflict of interest with respect to senior figures of the administration vested with decision-making powers regarding the purposes and means of the processing of personal data implemented by the public body" (FAQ no. 7, see also part. 3.5 of the "Guidelines on data protection officers” referred to above). These indications were recently reiterated by the Guarantor, stating that there is "a conflict of interest in relation to roles [...] such as the human resources or accounting management, the IT manager or the corruption prevention and transparency manager, since these are sectors in which the processing of personal data is certain and transversal to the entire administration, as well as significant in terms of quantity and quality of the personal data processed, as well as risks on the fundamental rights and freedoms of the interested parties" (par. 10.1 of the "Document on the designation, position and duties of the Data Protection Officer (DPO) in the public sphere)", attached to provision 29 April 2021, no. 186, doc. web no. 9589104).

It should also be noted that, taking into account the numerous and burdensome duties attributed by law to the figure of the Director, the latter could hardly have had sufficient time to adequately perform the function of DPO (see the "Faqs on the Manager of Data Protection (RPD) in the public sphere", referred to above, in particular n. 7, where it is clarified that "depending on the nature of the treatments and the activities and dimensions of the structure of the owner or manager, any further duties attributed to the DPO should not therefore detract from the time necessary to fulfill the related responsibilities"; see also paragraph 9 of the "Guidance document on the designation, position and duties of the Data Protection Officer (DPO) in the public sphere)" , aforementioned).

Given the above, although according to what was declared the appointment in question "was, (...) oriented by the urgency and the desire to adapt, within the timescales, to the legislation in force", it must be concluded that the appointment of the DPO took place in violation of the art. 38, par. 6 of the Regulation having assigned this task to a person who, due to the role held within the structure of the Institute, was in a position of conflict of interest.

Nor can what was declared regarding the fact that the choice in question was based on the fact that "also other public institutions (...) had taken steps to designate, such as RDP, directors or other subjects at the top" given that the Authority has clearly explained the opposition of these choices to the data protection regulatory framework both with the aforementioned documents of general scope since 2018 and with decisions on individual cases (cf. precisely with regard to an Academy of Fine Arts, provision n. 318 of 16 September 2021, web doc n. 9718134).

In acknowledging that, with resolution of the XX, the Conservatory proceeded to revoke the assignment in question by subsequently designating a new DPO, it must be concluded that up to the aforementioned date the Conservatory has operated in violation of art. 38, par. 6, of the Regulation.

4. Conclusions.

In the light of the assessments referred to above, taking into account the statements made by the data controller during the preliminary investigation ˗ the truthfulness of which may be called upon to answer pursuant to art. 168 of the Code ˗ it should be noted that the elements provided by the data controller in the defense briefs do not allow for overcoming the findings notified by the Office with the act of initiation of the procedure and are insufficient to allow the filing of the present proceeding, not resorting Moreover, any of the cases provided for by art. 11 of the Regulation of the Guarantor n. 1/2019.

Therefore, the preliminary assessments of the Office are confirmed, and the unlawfulness of the processing of personal data carried out by the Conservatory in violation of articles 5, 6 and 38 of the Regulation and Article 2-ter of the Code.

The violation of the aforementioned provisions makes the administrative sanction envisaged by art. 83, para. 4 and 5 of the Regulation, pursuant to articles 58, par. 2, lit. i), and 83, par. 3, of the same Regulation and of the art. 166, paragraph 2, of the Code.

In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of corrective measures, pursuant to art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i and 83 of the Regulation; article 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

In this regard, taking into account the art. 83, par. 3, of the Regulation, in the present case - also considering the reference contained in art. 166, paragraph 2, of the Code – the violation of the aforementioned provisions is subject to the application of the same pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.

In relation to the aforementioned elements, the particular delicacy of the unlawfully processed personal data concerning students and the opinions expressed by them in the exercise of the free expression of thought in the context of a student assembly and, therefore, in the context of the expression of the right of association (Articles 2, 18 and 21 of the Constitution).

On the other hand, it was considered that it was an isolated case, the result of the climate of tension that characterized the relationship between the Conservatory and the students at the time of the facts object of the complaint and that what occurred, based on what was declared, was the result of an initiative developed in the context of the management of the institution, characterized by a paternalistic approach and old-fashioned practices. The owner has also manifested full collaboration with the Authority during the preliminary investigation of the present proceeding, acknowledging that he has started, also with the support of the DPO in office, a complex activity of reorganization of the administrative structure as well as the adoption of measures aimed at ensuring compliance with the regulations on the protection of personal data also from a security point of view. Furthermore, it was favorably taken into account that there are no previous relevant violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation.

Based on the aforementioned elements, evaluated as a whole, it is deemed necessary to determine the amount of the pecuniary sanction, in the amount of 6,000.00 (six thousand) euros for the violation of articles 5, 6 and 38 of the Regulation and of the art. 2-ter of the Code, as a pecuniary administrative sanction withheld, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account the nature of the data being processed, it is also believed that the ancillary sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019.

Finally, it should be noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

pursuant to art. 57, par. 1, lit. f), declares the conduct held by the S. Cecilia Conservatory of Music in Rome to be unlawful, described in the terms set out in the justification, consisting in the violation of articles 5, 6 and 38 of the Regulation and of the art. 2-ter Code;

ORDER

pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation, as well as art. 166 of the Code, to the S. Cecilia Conservatory of Music in Rome, with registered office in Via Dei Greci 18 - 00187 Rome (RM), Tax Code 80203690583, to pay the sum of 6,000.00 (six thousand) euros as an administrative fine for the violations indicated in this provision. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOYS

at the S. Cecilia Conservatory of Music in Rome – without prejudice to the provisions of art. 166, paragraph 8 of the Code, to pay the sum of Euro 6,000.00 (six thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689/1981;

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Guarantor's Regulation no. 1/2019);

the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation (see art. 17 of Regulation no. 1/2019).

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 10 November 2022

PRESIDENT
station

THE SPEAKER
Station

THE SECRETARY GENERAL
Matthew

[doc. web no. 9835095]

Injunction against the S. Cecilia Conservatory of Music in Rome - 10 November 2022

Register of measures
no. 367 of 10 November

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ CE, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free movement of such data and which repeals Directive 95/46/EC (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

Given the documentation in the deeds;

Given the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the Guarantor's office for the protection of personal data, doc. web no. 1098801;

Speaker Prof. Pasquale Stanzione;

WHEREAS

1. The complaint.

With a complaint received by the Authority, a student of the "Santa Cecilia" State Conservatory of Music (hereinafter "the Conservatory") represented that he had received a disciplinary dispute based on the content of the statements made by the same during a student meeting, held via the Zoom platform and convened by the organization called "XX", on XX. Based on the complaints, the Conservatory would have acquired the recording and audio transcript of the video of the assembly despite the fact that the organizers of the same had not foreseen any recording.

2. The preliminary investigation.

With a note of the XX (prot. n XX) responding to the request for information formulated by the Office, the Conservatory represented, in particular, that:

- "the assembly of the XX (...), was not organized and/or convened by this Conservatory, but by the association XX ("XX") which is coordinated by a former student (of this Conservatory) and would seem to include among the own student associates of various institutions; non-student subjects also appear to have participated in the meeting. This circumstance, (...) is a prejudicial element, as the Conservatory does not seem to have to be contested for improper use of personal data, if such data refer, as in the case in question, to circumstances and events not organized by (and therefore external to the ) Conservatory itself”;

- "On the 20th date, in the rooms of the "Santa Cecilia" Conservatory, a USB key was found containing the video recording file of the 20th assembly (...). There is no evidence of whoever videotaped the assembly, nor of whoever left the aforementioned USB stick in the Conservatory which, as soon as it was found, was deposited by the Director in the Conservatory's confidential protocol (n. XX)";

- "Subsequently, the Conservatory commissioned the transcription in the form of a sworn appraisal to (...), sound expert and transcriber registered in the Register of Experts at the Ordinary Court of Rome";

- "During the assembly (the complainant) intervened several times with propalations that appeared to integrate (in terms of both form and content) the details for the configuration of the disciplinary responsibility against him, according to the provisions of the Regulation disciplinary for the students of the "Santa Cecilia" Conservatory of Rome, approved on the XX date (...). The claims of the (complainant), presumptively relevant also from a criminal point of view, appeared to be in contrast with the conduct obligations incumbent on the students, as well as damaging to the reputation of the Conservatory, the staff who work there and the management bodies, including the Director of the Conservatory”;

- "On the XX date, steps were therefore taken to contest the disciplinary charge against the student pursuant to art. 3 c. 2 and of the art. 4 letter. a) of the Disciplinary Regulations. Finally, having completed the procedure, the foreseen disciplinary sanction was imposed on the basis of the following reasons: “Your statements are highly damaging to the dignity and image of the “Santa Cecilia” Conservatory (…)”;

- “the sanction does not derive, not even in the slightest part, from the propaganda directed against the Director. (...) from a legal point of view, the Conservatory (and for it the Director) is obliged to carry out disciplinary action, where the conditions are recognised".

With a note of the XX (prot. n. XX) in response to the request to provide further information formulated by the Office, the Conservatory represented, in particular, that:

- “The Conservatory is subject to the provisions of law n. 508 of 1999, which pursuant to art. 2, paragraph 71, delegates to one or more regulations the discipline of the administrative and didactic organization of the institutions subject to this regulation. In this sense, the D.P.R. no. 132 of 2003 provides, pursuant to art. 6 paragraph 4 that "The director is the holder of the disciplinary action against the teaching staff and students". The R.D.L. also applies to the Conservatory. no. 1071/1935 and, in particular, the provisions of art. 16, paragraph 1, according to which "The disciplinary jurisdiction over students (...) is also exercised for facts committed by students outside the circle of university premises and establishments, when they are recognized as damaging to dignity and honour, without prejudice to any sanctions of law (…). The Institute, taking into account its statutory autonomy, has adopted a Disciplinary Regulation (...)";

- "It is believed that the disciplinary power (...) is, in general, connected to the exercise of public powers whose foundation is to be found in the aforementioned provisions. Nonetheless, the exercise of this power inevitably entails the processing of the personal data of the recipients of the final measure. The Conservatory, in fact, believes that this treatment finds its legitimizing legal basis in the combined provisions of art. 6, letter. e) of EU Regulation 2016/679 (hereinafter "Regulation" or "GDPR") and of art. 2-ter of Legislative Decree 196/2003 (hereinafter "Privacy Code")";

- "the Conservatory found on the premises of the Conservatory, on the 20th date, a USB stick containing the recording of an assembly of the 20th, convened, moreover, not following the normal authorization procedure that characterizes student meetings, envisaged by the current Regulation of the Consulta , but through the dissemination (via social media, instagram and facebook) of the connection to an electronic platform - "Zoom" - which allowed access to this meeting to anyone who wanted to use the aforementioned link, clearly visible on social networks (...) this meeting must be considered de facto public, with the consequent "making available" to the "public" also of the personal data of the participants and their statements. This determines that anyone who participated in said meeting was well aware that their personal data would have been made "manifestly public" and "disseminated", and this can be said even more for the adherents of the XX, organizers of the online meeting, among the which (the complainant)”;

- "Not being able to omit to consider the behavior of the complainant, also and above all in consideration of the fact that - as previously mentioned - the disciplinary powers can also be exercised as a result of the conduct of the students outside the premises of the Conservatory, the Institute determined in the disciplinary action, based not only on the facts that emerged during the meeting”;

- "with regard to the processing in question 'connected to the use of the declarations made in the public meeting and the relative transcript' it was specified that: "a) the aforementioned operations are identified in a purely endo-procedural act, secreted within of the confidential protocol of the Conservatory, kept in a suitable place and not accessible to anyone other than the Director; b) the processing of personal data connected to the transcription took place by a professional registered in a suitable register, who, in addition to being bound by professional secrecy, limited himself to transcription of what was deduced therein; c) the same recordings and related transcripts were not, therefore, subject to further dissemination and communication to third parties, having been used only in the preliminary phase of the disciplinary procedure; d) nor have they been transposed in the final provision imposed against the (claimant)";

- "with regard to the appointment of the RPD "the Conservatory designated, with effect from the XX, as RDP the Director (...). This decision was, (…) oriented as much by the urgency and by the desire to adapt, within the timescales, to the legislation in force, as by the observation that other public institutions (…) had also taken steps to designate, such as RDP, directors or other subjects of top”;

- "the Conservatory has taken steps with resolution of the XX (attached to this reply, doc. 3) to revoke the position of RDP to the Director (...) to assign it to the Company (...)".

Based on the elements acquired, the Office notified the Conservatory, as data controller, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulations, since the Conservatory has processed the personal data contained in the audio/video recording file stored in the USB device in a manner that does not comply with the principles of "lawfulness, correctness and transparency", and "purpose limitation" in violation of art. . 5, paragraph 1, lett. a) and b) of the Regulation and in the absence of a suitable regulatory prerequisite, in violation of articles 6 of the Regulation and 2-ter of the Code; for not having regulated, in terms of data protection, the relationship with the expert in charge of transcription of the recording of the meeting pursuant to art. 28 of the Regulation by making the aforementioned data available to this subject in violation of the articles 5 and 6 of the Regulation and 2-ter of the Code; as well as for having designated the Director of the Institute as Head of Personal Data Protection (hereinafter "RPD"), in violation of art. 38, par. 6, of the Regulation. Therefore, the Guarantor invited the aforesaid owner to produce written defenses or documents or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of the 11/24/1981).

The Conservatory sent its defense briefs representing, in particular, that:

- "starting from the month of XX, the internal confrontation between the institutional bodies of the Conservatory and the student representatives has gradually escalated, also due to the establishment of an organization - initially anonymous - called XX (...) and the hard opposition and criticisms made by it, of which the (claimant) is also one of the representatives":

- "the facts mentioned above, as narrated in the Conservatory, are also part of a documented continuous series of exacerbations that has been going on since the beginning of the health emergency";

- "one cannot fail to note the contradiction between what was reported by the (complainant) regarding the fact that no recording of the meeting was envisaged (...) and the fact that, in one of the official communications of the XX, of which the (complainant) is one of the most active members, we can read that "every (…) meeting is recorded and the related minutes are drawn up for each meeting (…). It therefore seems hardly credible that he was not aware of the recording in question";

- with reference "to the processing of personal data contained in the audio/video file containing the recording of the XX of the XX (...) it should be noted that the use of the data contained in the recording in question was used in the context of the disciplinary action taken by the Conservatory towards the student, (…) and not for distinct or additional purposes. (…) pursuant to the Disciplinary Regulations for students of the Santa Cecilia Conservatory of Rome, approved with resolution of the Academic Council n. XX of the XX (the "Disciplinary Regulations"), disciplinary action on students is also exercised for facts committed by students outside the circle of the Institute's premises when they are recognized as damaging to the dignity and honor of the Institution (...) . The holder of the disciplinary action is the Director who, "having received the news of the alleged offence, orders the opening of the disciplinary procedure. The Director can acquire documents, hear witnesses, carry out any other activity he deems useful";

- “The acquisition of the transcript of the file contained in the USB key must therefore be traced back to this preliminary investigation context, through recourse to a special IT expert trained and authorized pursuant to art. 29 of the GDPR. Indeed, the specific legal basis can also be identified in it";

- the disciplinary power pursuant to art. 16, paragraph 1 of the R.D.L. no. 1071/1935 “is to be considered to all effects connected to the exercise of public powers vested in the Conservatory. Therefore, the processing was considered lawful by the owner because it was based on the legal basis pursuant to art. 6, paragraph 1, lett. e) and paragraphs 2 and 3 of the GDPR, as well as of the art. 2-ter of the Code, in the formulation prior to the changes introduced with d.1. 8 October 2021, no. 139”;

- "art. 7 of the Disciplinary Regulations provides that the Director may "acquire documents, [...] carry out any other activity he deems useful". However, the circumstance whereby an effective exercise of this activity can be based on the use of documents and data collected for purposes other than those that justified the initial collection cannot be overlooked, even more so in the event that the original owner who activity has been carried out by a third party. In any case, it is important to reiterate that the exercise of this investigative activity took place in the framework of freely accessible and knowable information by the students such as the information on the processing of personal data and the same Disciplinary Regulations”;

- with reference to the appointment of the DPO, “the intention to move quickly in the sense of fulfilling the specific legal obligation had led the Conservatory to carry out an incomplete assessment regarding the characteristics which the PD must enjoy. This assessment, indeed, had mainly regarded the practices widespread among other public institutions belonging to the AFAM system (…). Following the second request for information, and therefore in a phase prior to sending the notification of the violation, acting proactively and in the interest of bringing the Conservatory to a good level of compliance, a resolution of the XX proceeded to revoke the appointment of DP to the then Director to assign him to the company (…)”;

- "following the appointment of the new RDP, in the awareness of the need to align the personal data processing processes carried out by the Conservatory as owner, a path of compliance with the applicable legislation was undertaken".

During the hearing held on the 20th date, the Conservatory declared that:

"the Conservatory, having taken note of the findings of the Authority regarding the position of conflict of interest of the previous (...) DPO, promptly proceeded to designate a new DPO, collaborating profitably with the same in order to comprehensively review the procedures of the Conservatory regarding the protection of personal data and its internal organization, also on the basis of what emerged during the investigation launched by the Guarantor regarding the methods of managing disciplinary proceedings;

"the Conservatory has always acted, even in the event of a complaint, with the primary objective of serving the interests of its students";

"in the present case, the "XX" association had publicly disclosed the fact that all its meetings would have been recorded and, therefore, the complainant could not have a legitimate expectation of confidentiality";

"from a joint reading of the art. 6, par. 1, lit. e), of Regulation (EU) 2016/679, of the internal regulations of the Conservatory regarding disciplinary procedures, as well as of the r.d. 1071/1935, which attributes disciplinary power to the institutions of the Conservatory, it is possible to find a suitable legal basis to justify the processing of personal data in question, including those contained in the USB key found by the Conservatory”;

“the evidence search activity must always be considered compatible with the original purpose for which the data are processed; otherwise, in fact, the possibility of exercising or defending a right in court would be compromised”;

"in any case, it is necessary to consider that the Conservatory has an organizational structure of modest dimensions and characterized by elements of complexity at the management level, also due to the small administrative resources available to institutes of higher artistic education";

"the current Council, following the commissioning of the Conservatory, has launched every most appropriate initiative to reorganize the internal procedures and the governance of the Conservatory (also by initiating a digitization process, increasing data security and renewing the institutional website ), making employees aware of the important issue of personal data protection. More generally, the commissarial structure wanted to review the overall organizational structure of the Entity, which was characterized by a paternalistic approach and by a stratification of practices and procedures dating back over time and no longer effective, having been conceived in an era in which which the Entity acted on an authoritative basis".

3. Outcome of the preliminary investigation.

3.1 The applicable legislation.

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation"), the processing of personal data carried out in the public sphere is lawful when it is necessary "to fulfill a legal obligation to which the data controller is subject" or "for the execution of a task in the public interest or connected to the exercise of public powers vested in the data controller" (art. 6, paragraph 1, letter c) and e) and paragraphs 2 and 3 of the Regulation; art 2-ter of Legislative Decree no. 196 of 30 June 2003 - Code regarding the protection of personal data, in the text prior to the changes introduced with the d.l. 8 October 2021, no. 139, hereinafter, the "Code").

More generally, European legislation provides that "Member States may maintain or introduce more specific provisions to adapt the application of the rules of this regulation with regard to treatment, in accordance with paragraph 1, letters c) and e), determining with greater precision specific requirements for processing and other measures aimed at guaranteeing lawful and correct processing (…)” (art. 6, paragraph 2 of the Regulation).

The national legislation has introduced more specific provisions to adapt the application of the rules of the Regulation, determining, with greater precision, specific requirements for the treatment and other measures aimed at guaranteeing a lawful and correct treatment (Article 6, paragraph 2 of the Regulation ) and, in this context, has established that personal data processing operations are permitted only when provided for by a law or, in the cases provided for by law, a regulation (Article 2-ter, paragraphs 1 and 3, of the Code in the text prior to the changes introduced with Legislative Decree No. 139 of 8 October 2021).

The data controller is then, in any case, required to comply with data protection principles and to process the data through authorized and duly trained personnel regarding access to the data (articles 5 and 4, par. 10, articles 29, 32, paragraph 4, of the Regulation and article 2-quaterdecies of the Code).

For the purposes of compliance with the legislation on the protection of personal data, it is also important to precisely identify the subjects who, for various reasons, can process personal data and clearly define their respective attributions, in particular that of owner and manager of the treatment (art. 4, par. 1, point 7 of the Regulation and art. 28 of the Regulation).

The relationship between the owner and the manager is governed by a contract or other legal act, stipulated in writing which, in addition to mutually binding the two figures, allows the owner to issue instructions to the manager and provides, in detail, what the subject is regulated, the duration, nature and purposes of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the owner.

The Data Processor is, therefore, entitled to process the data of the interested parties "only on documented instruction from the owner" (Article 28, paragraph 3, letter a) of the Regulation).

With regard to the figure of the DPO, the Regulation provides that this must be mandatorily designated by the data controller "when the processing is carried out by a public authority or a public body" (Article 37, paragraph 1, of the Regulation). The DPO must be equipped with the “resources necessary to perform [his] duties (…)” and “may perform other tasks and functions. The data controller or the data processor ensures that these tasks and functions do not give rise to a conflict of interest" (Article 38, paragraphs 2 and 6, of the Regulation; see cons. 97 of the Regulation, where it is stated that DPOs “should be able to carry out the functions and duties assigned to them independently”).

With specific reference to the prohibition of conflicts of interest, the "Guidelines on data protection officers" (adopted by the Article 29 Working Party on 13 December 2016, in the amended version on 5 April 2017) specify that "the absence of of interests is strictly connected to the independence obligations. Even if a DPO may perform other functions, the assignment of these additional tasks and functions is possible only on the condition that they do not give rise to conflicts of interest. This means, in particular, that a DPO cannot play, within the organization of the data controller or data processor, a role that involves defining the purposes or methods of processing personal data. This is an element to be taken into consideration on a case-by-case basis, looking at the specific organizational structure of the individual data controller or data processor" (par. 3.5, p. 21).

3.2 Illegality of the processing of personal data contained in the USB device

Following the preliminary investigation it emerged that, in the present case, according to what was declared, the assembly of the students of the XX, held via connection to an electronic platform, "was not (was) organized and/or convened by (... ) Conservatorio” but announced by a student association. On the 20th date "a USB stick containing the recording of an assembly" was found "in the premises of the Conservatory" without any elements suitable to identify the owner of the device. Nonetheless, the then Director of the Conservatory, having read the contents of the device, proceeded to deposit the aforementioned USB stick with the confidential protocol of the Conservatory and commissioned an expert to transcribe the contents of the file stored on the support, thus acquired.

Subsequently, the Conservatory initiated a proceeding and imposed a specific disciplinary sanction against the complainant based on the statements that, according to the aforementioned transcript, would be attributable to him during the aforementioned meeting.
It also appears that pending the disciplinary procedure, following a specific request for access to administrative documents presented by the complainant, through his lawyer, pursuant to articles 22 et seq. of the law 7 August 1990, n. 241, the Conservatory accepted the request by providing the "extract of the transcript of the Audio of the student assembly".

Given the above, it must first be reiterated that any processing of personal data must take place in compliance with the Regulation and the Code, in particular, personal data must be processed "in a lawful, correct and transparent manner in relation to the interested party" and "collected for specific, explicit and legitimate" (principle of limitation of purpose). In this context, however, the possibility of subsequent processing is admissible only if "it is not incompatible with [the] initial purposes" of the processing (Article 5, paragraph 1, letters a) and b), of the Regulation).

This means that the owner can only use personal data lawfully collected for further processing in the presence of an appropriate legal basis, having previously "satisfied all the requirements for the lawfulness of the original processing" (see cons. n. 50 of the Regulation) , and therefore to the extent that the original collection was lawfully carried out, having regard to the main purpose and in compliance with the general principles of data protection.

In the present case, the Conservatory acquired, not through institutional channels but following the "random" discovery of the aforementioned device, the personal data of the students contained/stored therein (in particular images and declarations of the participants in the student assembly).

The investigation also confirmed that the personal data acquired in this way were subsequently also processed by a professional for the purpose of transcribing the content as well as kept and further used by the Conservatory for the purposes of the disciplinary procedure. Although this further use was made, as reaffirmed in the defense briefs, in the context of the exercise of the disciplinary powers that the sector framework attributes to the Conservatory with respect to students, it is believed that the casual discovery of an object, in this case a mobile data storage device, cannot constitute a sufficient reason to legitimize the processing of the personal data stored therein.

Nor, for the purposes of the overall assessment of the legitimacy of the collection of the data contained in the USB device, can it be considered relevant what was declared by the Conservatory regarding the fact that, since the link for the connection to the meeting is visible on some social networks, this meeting could be considered accessible to anyone. This is also due to the fact that, at the time the device was found, its contents were not known.

In this regard, in fact, albeit in a different context, the Guarantor declared that the use by a municipal administration of a certified e-mail address found online, to notify an employee a disciplinary measure, clarifying, in particular, that this violation occurs "even when, as in the present case, the employee's certified e-mail address can be found on an online professional register, given that the personal data published in public registers, lists, deeds or documents that can be known by anyone can be processed with the limits and methods that the applicable sector laws establish for the knowledge and publicity of the data" (see provision of 12 March 2020, n. 56, web doc. n 9429218).

In the light of the foregoing considerations, and considering that during the investigation, no indications were provided regarding the specific legal basis that would have legitimized the original collection of personal data in question, it must be concluded that, in the present case, the Conservatory should have abstained from processing the personal data contained in the USB device, object of casual discovery and in the absence of elements aimed at identifying its legitimate owner, limiting itself to handing it over to the competent authorities. As shown in the documents, however, the Conservatory has acquired and processed, also through third parties (the expert who carried out the transcription), the personal data contained in the device in the absence of a suitable prerequisite of lawfulness, in violation of articles 5 and 6 of the Regulation and art. 2-ter of the Code.

With regard to the circumstance of further use of the same data acquired in this way, also in the context of administrative and disciplinary proceedings, the following is noted.

The extent of the disciplinary powers attributed by the sector provisions to the Director of the Conservatory in any case presupposes the receipt of a news/report which constitutes a prerequisite for the legitimate initiation of a consequent proceeding ("having received the news of the alleged offense, orders the opening of the proceeding The Director can acquire documents, hear witnesses, carry out any other activity he deems useful", see Disciplinary Regulations for students of the Santa Cecilia Conservatory of Rome, approved with resolution of the Academic Council n. XX of XX). This circumstance has not been proven in the present case, nor can it be found in having read the contents of a USB device that was found and which, in the absence of further elements, could have contained personal data referring to anyone and of any nature.

Given the unusability of "personal data processed in violation of the relevant data processing regulations" (Article 2-decies of the Code), it is believed that subsequent processing - even if carried out in the exercise of duties and powers attributed to the Conservatory - have occurred in a manner that does not comply with the regulations on the protection of personal data in violation of articles 5 and 6 of the Regulation, and art. 2-ter of the Code. Nor can having used the same data in the exercise of the aforementioned functions be considered sufficient to fill the lack of legal basis of the original collection.

We acknowledge the particular context in which the facts object of this investigation occurred characterized by a "continuous series of exacerbations" in the relations between the Conservatory and the student association of which the complainant was a promoter and which, as stated by the Commissioner extraordinary during the hearing of the XX, the initiatives put in place by the Conservatory at the time of the events in question are the result of the previous management of the institution, "characterized by a paternalistic approach and by a stratification of practices and procedures dating back to and no longer effective, having been conceived at a time when the Organization acted on an authoritative basis”. However, these circumstances cannot be considered sufficient to exclude the holder's liability in the present case.

3.3 The role of the expert in charge of carrying out the transcription

As evidenced by the declarations in the documents, "the Conservatory (...) has commissioned the transcription" of the "video recording file of the 20th assembly" to a "phonic expert and transcriber registered in the Register of Experts at the Ordinary Court of Rome", who therefore, as confirmed by the Conservatory "the processing of personal data connected to the transcription took place by a professional registered in a suitable register".

In this regard, it should be noted that, based on the data protection regulations, in the cases in which the processing of personal data is carried out on behalf of the data controller by a different subject (in this case the expert), it is necessary that the relative relationship is governed by a contract or other legal act pursuant to art. 28 of the Regulation (see also recital 81 and art. 4, point 8 of the Regulation) also in order to avoid processing (communication to third parties) in the absence of a suitable prerequisite of lawfulness (given the notion of "third party" pursuant to art 4, point 10, of the Regulation; see art. 2-ter, paragraphs 1 and 4, letter a), of the Code, with regard to the definition of "communication").

In the present case it appears that the Conservatory has appointed an expert to carry out processing operations on its behalf in relation to the personal data contained in the file stored on the USB device found in the premises of the Conservatory. In this regard, without prejudice to the assessments relating to the legitimacy of the overall treatment (esp. par. 3.2), there is no evidence in the deeds of a prior regulation of the relationship with the expert pursuant to art. 28 of the Regulation.

Nor are there, in the present case, contrary to what is represented by the Conservatory, the conditions for considering the professional in question, an authorized person pursuant to art. 29 of the Regulation, having to believe that the reference to acting "under the direct authority of the owner or manager" and being "instructed" regarding access to data, refers to persons belonging to the legal and organizational structure of the controller or processor as specified by the European Data Protection Board (see "Guidelines 07/2020 on the concepts of data controller and processor in the GDPR", adopted on 7 July 2021 by the European Data Protection Board personal data, specifically pp. 31-32, paragraphs 88, 89 where express reference is made to "an employee or a person who occupies a position very similar to that of an employee, for example the staff of a temporary employment agency" ).

The making available to another subject, unrelated to the organizational structure of the personal data owner, who does not operate pursuant to art. 29 of the Regulation, and also in the absence of regulation of the related relationship pursuant to art. 28 of the Regulation, gives rise to a communication to third parties of personal data (cf. art. 4, point 10, 5 and 6 of the Regulation and art. 2-ter, paragraphs 1 and 4, letter a), of the Code).

This prerequisite of lawfulness cannot be found, in the case in question, in the contract stipulated between the professional and the Conservatory given that the expression "necessary for the execution of a contract" referred to in art. 6, par. 1, lit. b) of the Regulation), refers to the case in which the processing is necessary to fulfill the contractual obligations with each interested party and not instead, as in the present case, in the execution of a contract between the owner and a third party (cf. " Guidelines on consent pursuant to EU Regulation 2016/679, of the European Committee for the protection of personal data, which expressly provide in this regard that "a direct and objective connection between the processing of data and the purpose of the execution of the contract is necessary with the interested parties", see also what was clarified by the Guarantor with provision n. 384 of 28 October 2021, web doc. n. 9722661).

In the light of the foregoing considerations, the Conservatory has made the personal data contained in the USB device available to a third party, in the absence of an appropriate legal basis, giving rise to unlawful processing, in violation of articles 5, par. 1, lit. a), and 6 of the Regulation and of the art. 2-ter of the Code (on the lack of legitimacy to process data in similar cases see provision no. 81 of 7 March 2019, web doc. no. 9121890; provision no. 160 of 17 September 2020, web doc. n. 9461168; provision n. 280 of 17 December 2020, web doc. n. 9524175; "Guidelines 07/2020 on the concepts of data controller and data processor in the GDPR", cited p.35, spec. note 42) .

3.4 The independence of the DPO

As shown in the deeds and confirmed by the Conservatory, the Director of the Conservatory held the position of DPO from "from 13 June 2018" to "28 January 2022".

Considering the role played by the Director within the organizational structure of the Conservatory, as well as the numerous tasks assigned to this figure by the sector discipline, the following can be observed.

As clarified by this Authority in the "Faq on the Data Protection Officer (DPO) in the public sphere" of 15 December 2017 (web doc. n. 7322110), "in the public sphere, in addition to top management roles, there may be situations of conflict of interest with respect to senior figures of the administration vested with decision-making powers regarding the purposes and means of the processing of personal data implemented by the public body" (FAQ no. 7, see also part. 3.5 of the "Guidelines on data protection officers” referred to above). These indications were recently reiterated by the Guarantor, stating that there is "a conflict of interest in relation to roles [...] such as the human resources or accounting management, the IT manager or the corruption prevention and transparency manager, since these are sectors in which the processing of personal data is certain and transversal to the entire administration, as well as significant in terms of quantity and quality of the personal data processed, as well as risks on the fundamental rights and freedoms of the interested parties" (par. 10.1 of the "Document on the designation, position and duties of the Data Protection Officer (DPO) in the public sphere)", attached to provision 29 April 2021, no. 186, doc. web no. 9589104).

It should also be noted that, taking into account the numerous and burdensome duties attributed by law to the figure of the Director, the latter could hardly have had sufficient time to adequately perform the function of DPO (see the "Faqs on the Manager of Data Protection (RPD) in the public sphere", referred to above, in particular n. 7, where it is clarified that "depending on the nature of the treatments and the activities and dimensions of the structure of the owner or manager, any further duties attributed to the DPO should not therefore detract from the time necessary to fulfill the related responsibilities"; see also paragraph 9 of the "Guidance document on the designation, position and duties of the Data Protection Officer (DPO) in the public sphere)" , aforementioned).

Given the above, although according to what was declared the appointment in question "was, (...) oriented by the urgency and the desire to adapt, within the timescales, to the legislation in force", it must be concluded that the appointment of the DPO took place in violation of the art. 38, par. 6 of the Regulation having assigned this task to a person who, due to the role held within the structure of the Institute, was in a position of conflict of interest.

Nor can what was declared regarding the fact that the choice in question was based on the fact that "also other public institutions (...) had taken steps to designate, such as RDP, directors or other subjects at the top" given that the Authority has clearly explained the opposition of these choices to the data protection regulatory framework both with the aforementioned documents of general scope since 2018 and with decisions on individual cases (cf. precisely with regard to an Academy of Fine Arts, provision n. 318 of 16 September 2021, web doc n. 9718134).

In acknowledging that, with resolution of the XX, the Conservatory proceeded to revoke the assignment in question by subsequently designating a new DPO, it must be concluded that up to the aforementioned date the Conservatory has operated in violation of art. 38, par. 6, of the Regulation.

4. Conclusions.

In the light of the assessments referred to above, taking into account the statements made by the data controller during the preliminary investigation ˗ the truthfulness of which may be called upon to answer pursuant to art. 168 of the Code ˗ it should be noted that the elements provided by the data controller in the defense briefs do not allow for overcoming the findings notified by the Office with the act of initiation of the procedure and are insufficient to allow the filing of the present proceeding, not resorting Moreover, any of the cases provided for by art. 11 of the Regulation of the Guarantor n. 1/2019.

Therefore, the preliminary assessments of the Office are confirmed, and the unlawfulness of the processing of personal data carried out by the Conservatory in violation of articles 5, 6 and 38 of the Regulation and Article 2-ter of the Code.

The violation of the aforementioned provisions makes the administrative sanction envisaged by art. 83, para. 4 and 5 of the Regulation, pursuant to articles 58, par. 2, lit. i), and 83, par. 3, of the same Regulation and of the art. 166, paragraph 2, of the Code.

In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of corrective measures, pursuant to art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i and 83 of the Regulation; article 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

In this regard, taking into account the art. 83, par. 3, of the Regulation, in the present case - also considering the reference contained in art. 166, paragraph 2, of the Code - the violation of the aforementioned provisions is subject to the application of the same pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation.

In relation to the aforementioned elements, the particular delicacy of the unlawfully processed personal data concerning students and the opinions expressed by them in the exercise of the free expression of thought in the context of a student assembly and, therefore, in the context of the expression of the right of association (Articles 2, 18 and 21 of the Constitution).

On the other hand, it was considered that it was an isolated case, the result of the climate of tension that characterized the relationship between the Conservatory and the students at the time of the facts object of the complaint and that what occurred, based on what was declared, was the result of an initiative developed in the context of the management of the institution, characterized by a paternalistic approach and old-fashioned practices. The owner has also manifested full collaboration with the Authority during the preliminary investigation of the present proceeding, acknowledging that he has started, also with the support of the DPO in office, a complex activity of reorganization of the administrative structure as well as the adoption of measures aimed at ensuring compliance with the regulations on the protection of personal data also from a security point of view. Furthermore, it was favorably taken into account that there are no previous relevant violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation.

Based on the aforementioned elements, evaluated as a whole, it is deemed necessary to determine the amount of the pecuniary sanction, in the amount of 6,000.00 (six thousand) euros for the violation of articles 5, 6 and 38 of the Regulation and of the art. 2-ter of the Code, as a pecuniary administrative sanction withheld, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Taking into account the nature of the data being processed, it is also believed that the ancillary sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019.

Finally, it should be noted that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

pursuant to art. 57, par. 1, lit. f), declares the conduct held by the S. Cecilia Conservatory of Music in Rome to be unlawful, described in the terms set out in the justification, consisting in the violation of articles 5, 6 and 38 of the Regulation and of the art. 2-ter Code;

ORDER

pursuant to articles 58, par. 2, lit. i) and 83 of the Regulation, as well as art. 166 of the Code, to the S. Cecilia Conservatory of Music in Rome, with registered office in Via Dei Greci 18 - 00187 Rome (RM), Tax Code 80203690583, to pay the sum of 6,000.00 (six thousand) euros as an administrative fine for the violations indicated in this provision. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOYS

at the S. Cecilia Conservatory of Music in Rome – without prejudice to the provisions of art. 166, paragraph 8 of the Code, to pay the sum of Euro 6,000.00 (six thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689/1981;

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Guarantor's Regulation no. 1/2019);

the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation (see art. 17 of Regulation no. 1/2019).

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 10 November 2022

PRESIDENT
Station

THE SPEAKER
Station

THE SECRETARY GENERAL
Matthew