Garante per la protezione dei dati personali (Italy) - 9896808;
Garante per la protezione dei dati personali - 9896808; | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1)(a) GDPR Article 6 GDPR Article 12 GDPR Article 13 GDPR Article 26 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 13.04.2023 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 9896808; |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Italian |
Original Source: | Garante (Italy) (in IT) |
Initial Contributor: | n/a |
The Italian DPA reprimanded a municipality for processing personal data of museum visitors with a system using a face detection algorithm without a legal basis, failing to comply with Article 26 GDPR, and providing data subjects with insufficient information about the processing.
English Summary
Facts
A "ShareArt" project was implemented in the Municipal Art Collections of Palazzo D'Accursio in Bologna in order to obtain information on the characteristics of the visitors and on the ways in which they interacted with some works of art. The project followed a collaboration agreement between ENEA and the Bologna Museums Institution which is an instrumental body of the Municipality of Bologna (the “Municipality”).
The information was collected with a system using a face detection algorithm (“ShareArt”) developed by the National Agency for New Technologies, Energy and Sustainable Economic Development (“ENEA”). The face detection algorithm was based on convolutional neural networks (CNN) to detect faces in the images. Visitors were informed about the system with a notice at the ticket office that stated, inter alia, that the algorithm "does not imply face recognition”.
An Italian civil rights organisation (Hermes Center for Transparency and Digital Human Rights) submitted a report to the Italian DPA in relation to the used ShareArt system. The report stated, inter alia, that ShareArt, using a camera, automatically detected faces looking in the direction of art work, contextually acquiring a series of information relating to behaviour when observing works of art. The report highlighted that only very few signs were in place to indicate to the museum visitors that the system was used: small black cameras attached to the walls and a disclaimer at the ticket office.
Following the report, the DPA launched an investigation and requested for information from the Municipality as well as ENEA. The parties argued, inter alia, that the system does not involve the collection and processing of data relating to identified or identifiable natural persons. Moreover, the Municipality viewed that it did not have any kind of role with regard to the data processing.
Holding
Contrary to what was claimed by the controllers, the DPA found that the face detection algorithms process personal data consisting of images of people's faces, albeit for a very short period of time.
Moreover, the Municipality and ENEA were seen as joint controllers, since they jointly determined the purposes and means of the processing. However, the DPA found that the Collaboration Agreement did not satisfy the requirements under Article 26 GDPR. In particularly, it was noted that the agreement did not include the contact details of the joint controllers, or the respective data protection officers, nor did it define the legal basis of the processing, the data retention period, or mention the data subjects' rights.
Having clarified that the use of the ShareArt system involves processing of personal data, it was also found that there was no legal basis under Article 6 GDPR in place for the processing. Furthermore, the DPA concluded that the processing was therefore carried out in a manner that does not comply with the principle of lawfulness, fairness and transparency pursuant to Article 5(1)(a) GDPR.
Lastly, the notice that informed visitors about the ShareArt system did not contain all the elements required by Article 13 GDPR. Consequently, the DPA found that the processing took place in in violation of Articles 5(1)(a), 12 and 13 GDPR.
After an overall assessment, the DPA deemed it sufficient to reprimand the Municipality as a controller for its multiple GDPR violations.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
[doc. web no. 9896808] Provision of April 13, 2023 Register of measures no. 123 of 13 April 2023 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, components and the cons. Fabio Mattei, general secretary; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ CE, “General Data Protection Regulation” (hereinafter, “Regulation”); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter the “Code”); CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019"); Given the documentation in the deeds; Given the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the Guarantor's office for the protection of personal data, doc. web no. 1098801; Speaker Prof. Pasquale Stanzione; WHEREAS 1. Introduction. The Hermes Center for Transparency and Digital Human Rights submitted a report to the Guarantor in relation to "the ShareArt system developed by ENEA, the National Agency for New Technologies, Energy and Sustainable Economic Development [hereinafter, the "Agency" or the "Enea"), in collaboration with the Bologna Museums Institution" [instrumental body of the Municipality of Bologna - hereinafter, the "Municipality" - without legal personality], whose purpose would be "to measure "the approval of a work of art" and detect the correct use of a mask and distance". In particular, "through a camera, the ShareArt system automatically detects faces looking in the direction of the work, contextually acquiring a series of information relating to behavior when observing works of art, such as the path taken to approach the work, the number of people who observed it, the time and distance of observation, the gender, age class and mood of the observing visitors”. With regard to information relating to gender, the report states that "the classification based on gender risks confusing biological sex with gender, producing wrong classifications and discriminating against all transgender subjects or those who do not identify in the gender binary". According to what was reported in a technical document of the Agency, attached to the report, the system in question would use a "new face detection algorithm, based on convolutional neural networks (CNN) which also provides an observer tracking function". When the observer enters the field of view of the camera, in fact, he would be "assigned a numerical ID and followed, whether or not he was looking towards the work, so that the number of faces observing the work detected by the system refers to the specific id and therefore to each individual visitor". The system would be able to "obtain information such as, for example, the average observation time or distance divided by gender and age group, the points of view of the work preferred by children or older people, the preferred routes by men and those preferred by women”. Furthermore, "when it is no longer mandatory to wear a mask and the data will be reliable, the ShareArt system provides for [the collection of] information" on how the public's mood varies based on the work observed or on how a work arouses different emotions on observers of different ages”, considering that “the evaluation of the state of mind of the observers [...] would allow to further refine the profiling and would satisfy another request made by museum curators.” Finally, with regard to transparency obligations, the report states that "[there are] very few signs to indicate that the system was active, beyond the small black cameras attached to the walls and a disclaimer at the ticket office". 2. The preliminary investigation. With a note dated XX (prot. n. XX), ENEA, in response to a request for information from the Authority (prot. n. XX of XX), stated, in particular, that: "the purpose of the research activity is to provide the curators of museum collections, exhibitions, exhibitions, with a set of data useful for studying the methods of use of works of art, in order to highlight strengths, weaknesses, improvements for optimize the exposure of the works themselves”; "the system does not involve the collection and processing of data relating to identified or identifiable natural persons and, a fortiori, of biometric data [...]"; "for each frame produced by the camera [...] the following data is generated:1) date and time of the detection (dd/mm/yyyy hh:mm:ss), 2) time elapsed from the moment the Device was switched on to that of the detection , 3) coordinates, in pixels, of the frame surrounding the face, 4) width, in pixels, of the frame of the face, 5) height, in pixels of the frame of the face, 6) identification number (ID),7) presence or less than the mask”; “[…] the neural network used applies a face detection technique which, contrary to face recognition, oriented towards the identification of people, is limited to detecting the presence of human faces. It follows that the identification number (ID) refers to the square of the face as a geometric figure and not to the biometric characteristics of the person and is used to identify its movement within the area framed by the camera. If the person leaves the imaged area and re-enters it immediately afterwards, a new ID would be associated with the detected face frame that has no references to the previous one. In fact, the ID is not related to biometric data, but to a "centroid object tracking" algorithm; "[...] it is not possible to trace the image acquired by the video camera and, consequently, the identity of the natural person to whom this image is associated, starting from the data obtained by the computer directly on local media and immediately sent to the databases of ENEA after being translated into numerical form”; “[…] the number of faces in the image (frame), coordinates and size within the frame are acquired by the system. The frame is processed by the algorithm (CNN) in an SBC (Single Board Computer) electronic card, in a dedicated internal volatile memory (RAM) and therefore the frame is not accessible from other systems and the content is not preserved. Consequently, the image in this case cannot be considered "personal data" as it cannot be traced back to the face of the natural person (the data that transit, for a few thousandths of a second, in the volatile memory of the SBC are information inside the frame, do not coincide with the image of the visitor's face)”; "the neural networks used are of the convolutional type (CNN) and, as known from the scientific literature, they do not work based on the extraction of biometric data, but carry out the classification thanks to a training carried out with a training set of images"; "at the end of this processing, which lasts about 100 milliseconds, the frame and the box of each face detected by the processing are canceled from the RAM memory of the SBC electronic card and overwritten by a new frame"; "the data generated is sent via the "mqtt" protocol to the SERVER, consisting of a virtual machine of the ENEA Grid infrastructure installed in the calculation room of the ENEA Research Center in Bologna, protected with high IT security standards"; "[...] the Device can be considered as a "black box" that captures images in real time and, without storing or transferring them, generates alphanumeric data output"; "each Device [...] acts as an isolated system and the face of a visitor captured by a Device cannot in any way be associated with it in the event that he pauses in front of another Device or, once out of the field of recovery of the first, you go back”; “[…] it is not possible to trace the number of visitors, even estimated, as the surveys carried out by the system could refer, hypothetically, to the same subject who passed through different exhibition halls or several times in front of the same work, as well as to different visitors, neither identifiable nor numerically definable”; “[…] seeing a visitor's face, even if only instantaneously, represents an event whose possibility of occurring is purely hypothetical (which could derive, for example, from an abusive access to the system, due to an external intentional action: this eventuality would, however, be extremely remote in practice, considering the technical security measures integrated, by design, into the system in order to prevent unauthorized access to it and the organizational security measures implemented by the Bologna Museums Institution, as the video cameras are installed in an environment that already provides surveillance for the protection of the artistic heritage on display)"; "even if we want to hypothesize [...] the execution of technical maintenance activities of the system during its use (occurrence, as mentioned, to date never verified and which is absolutely not foreseen), any possible access to the frame of the visitors' faces, in the fraction of a second in which it is collected and processed by the algorithm, would be purely accidental and, in any case, the extremely short time of the processing process would make the possibility that the operator in charge of maintenance operations, in practice, extremely remote ENEA research staff, can perceive it as a face that can be associated with an identified or identifiable natural person”; “[…] ENEA has paid the utmost attention […] to the adoption of adequate measures in order to prevent access, even if only accidental, to the image of the visitor's face, the processing of which (equal to a few thousandths of a second) it takes place exclusively within the RAM memory of the electronic board installed in the museum, with no possibility of connection with other external communication networks”; "a dedicated internal network was provided, with the installation of 18 WiFi points to which only the Devices themselves can connect, in order to avoid risks deriving from any external connections (caused, for example, by hacker attacks) to and from the Wifi network of the Museum”; "in any case, on the XX date, the system was deactivated as a precaution, until the resolution of the matter to be reported"; "even imagining possible discriminatory uses of the system, it would not have been, in fact, possible for ENEA to adopt potentially unequal decisions towards people of non-binary gender"; "in relation to the roles respectively assumed by ENEA and the Istituzione Bologna Musei,[...] it was considered that, excluding the material scope pursuant to art. 2 of the [Regulation], it is not possible to formalize it [...]. Instead, it is believed that the use of the ShareArt system involves the processing of electronic data other than personal data, falling within the scope of application of Regulation (EU) 2018/1807 of 14 November 2018 [...], as the results of the experimentation are provided to the Bologna Museums Institution, which uses them as a service aimed at analyzing the methods of use of the exhibited works and the consequent optimization of the methods of exhibition”. With regard to the same request for information, the Municipality, with note prot. n.XX, declared, in particular, that: "the Bologna Museums Institution was set up by the Municipality of Bologna [...,] [it is a] instrumental body of the Municipality without legal personality [...] created [or] for the management and coordination of the municipal museum system", being " subject to the power of direction and control of the Municipality itself [...] It therefore falls within the perimeter of ownership of the Municipality”; "in the first months of the 20th century, ENEA presented the research and development activities relating to a system called "ShareArt" to the Bologna Museums Institution"; the "Institution, in adherence to an approach favoring innovation and research, therefore accepted the proposal for a Collaboration Agreement received from ENEA, in implementation of which the Municipality made available to the research Institution the environments where the Same could pursue the institutional mission referred to in Law 221/2015, or the experimentation activities of the "ShareArt" system; "from an organizational point of view, given the opportunity to inform visitors of the presence of the devices of the "ShareArt" system, a sign has been placed at the Museum cash desk; ENEA has also positioned each device in a clearly visible way next to the work concerned". In response to a subsequent request for information from the Authority (note prot. n. XX of XX), Enea, with note prot. no. XX, stated, in particular, that: “the legal basis for the processing of the deemed personal data (visitor images) [can] be identified in the art. 6, p. 1, lit. e) of Regulation (EU) 2016/679”; Enea "is a public-law body aimed at research and technological innovation, as well as the provision of advanced services to businesses, public administration and citizens in the fields of energy, the environment and economic development"; the art. 2 of the institution's statute provides that "ENEA operates in the sectors of energy, the environment and sustainable economic development, and provides the country with multidisciplinary skills and consolidated experience in the management of complex projects", being the Enea "defined as an entity aimed at research, technological innovation and the provision of advanced services to businesses, the public administration and citizens"; the art. 3, paragraph 2, lett. g), of the Statute of the Body provides that the same "carries out and provides public and private subjects with studies, research, data analysis, measurements, tests and evaluations in the sectors of competence"; within the TERIN Department, Department of Energy Technologies and Renewable Sources of the Body, "the Division for the Development of Information Technology and ICT Systems (TERIN ICT) carries out research, technological innovation and provision of advanced services in the sectors of energy and sustainable economic development, through the implementation of ICT, with particular regard, among other things, [...] to the development of ICT for artistic heritage, with the development of data acquisition and representation systems for Cultural Heritage”; "in relation to the institutional activity of the Agency in support of the production and services system, the Conservation of cultural heritage is, in fact, one of the sectors of intervention of ENEA [...]"; "in this area of developing innovative solutions and technologies for the monitoring and conservation of artistic and cultural heritage and the enhancement of local realities, the ShareArt system was developed [...]"; "the research activity [...] has the purpose of providing the curators of museum collections, shows, exhibitions, with a set of data useful for studying the methods of use of works of art, in order to highlight strengths, weaknesses , improvements to optimize the exposure of the works themselves”; “in particular, the ShareArt system has been applied in the context of research and development activities related to IT methodologies based on IoT/BigData applications and neural networks. In relation, therefore, to the aims of the project, it seems useful to specify that these pertain exclusively to the pursuit of scientific studies and research, in line with the express provisions of the aforementioned art. 2 of the ENEA Statute, and in compliance with the institutional purposes of scientific research whose pursuit is entrusted to ENEA directly by the aforementioned legislation, as a task of public interest"; “the data, already anonymised, are studied only by ENEA and ISTBO for the respective purposes of the project and are not communicated to third parties. Eventually they could be published, exclusively in aggregate form, for the sole purpose of disseminating the results of scientific research"; "Devices of the ShareArt system in operation do not generate any video stream that can be "intercepted" from the outside and [...] it is not possible to trace the image acquired by the camera and, consequently, the identity of the natural person to whom this image is associated , starting from the data obtained by the computer directly on local supports and immediately sent to the ENEA databases after being translated into numerical form; the data generated by the system are completely anonymous and are archived in dedicated databases accessible only to authorized personnel of ENEA, for the exclusive purposes of technical-scientific analysis and statistical aggregation”; "the ShareArt system, therefore, has been set up in order to process only totally anonymised data"; "in any case, thanks to the security measures adopted [...], a hypothetical intrusion into the device would not allow camera control, nor the interception of the video stream and the local memory without this also causing the interruption of the execution of the ShareArt application. In fact, the ShareArt application, running on each device, assumes exclusive control of the camera present on the device itself, preventing any other process from accessing the same camera: a hypothetical interruption/intrusion into the device, therefore, would be detected in real time from the ENEA Center server, since the periodic sending of the control signal (heartbeat), generated by the ShareArt program itself in constant execution on each device, would also be interrupted”. With regard to the same request for information, the Municipality, with note prot. no. XX, stated, in particular, that: "the participation in the initiative by the Museum is inherent in a regulatory and institutional framework - to which the Institution belongs - of absolute favor towards initiatives, including technologically innovative ones, which can produce positive effects in order to enhance the public cultural heritage"; "given the absolutely experimental nature of the "Share Art" initiative, the Institution allowed ENEA to conduct tests and analyzes on about 10 works (out of 24,000 works present in the 11 civic museums managed) and subject to a guarantee from by ENEA of the compliance of the project with the applicable legislation on the matter. Furthermore, it should be noted that the experimentation was conducted by ENEA coinciding with the period of reduced public presence due to the frequent periods of closure of the Museum due to the pandemic"; “The Bologna Museums Institution: has not assumed any role in the conception, implementation, management, storage of the data flow; has never had access to or used the data processed and processed by the application platform (except for the number three processing of some statistical and aggregate data, transmitted by ENEA for purely demonstrative purposes and presented at the press conference of the XX); does not have access users to the application platform.” "the "Share Art" devices do not have access to the institution's network"; "the conception, implementation, management, conservation, study, analysis and use of the information processed by the platform were the exclusive responsibility of ENEA, which, consequently, will provide the information requested by the Authority regarding the legal basis of the processing and security measures”; In response to a third request for information from the Authority (note prot. n. XX of XX), addressed exclusively to ENEA, the latter, with note prot. no. XX, stated, in particular, that: "the ShareArt system does not involve the collection and processing of data relating to identified or identifiable natural persons"; “an algorithm is used that does not recognize the face. In fact, only the number of faces in the image (frame) is acquired by the system. In this case, the image cannot be considered "personal data" as it cannot be traced back to the face of the natural person (the data that transit, for a few thousandths of a second, in the volatile memory of the SBC are information inside the frame, not coinciding with the image of the visitor's face, in any case not suitable for identifying him"; "Devices of the ShareArt system in operation do not generate any video stream and [...] it is not possible to trace the frame acquired by the camera"; "the data generated by the system [...] are archived in dedicated databases accessible only to authorized personnel of ENEA, for the exclusive purposes of technical-scientific analysis and statistical aggregation inherent to the project"; "the ShareArt system, therefore, was set up in order to process - from the initial acquisition phase - only anonymous data"; "it was not [, therefore,] considered necessary to proceed with the provisions of the "Ethical rules for processing for statistical or scientific research purposes", including the implementation of the project pursuant to Article 3"; "data processing, where they should be considered personal data pursuant to the [Regulation], could be carried out by ENEA on the basis of art. 6, p. 1, lit. e) of the [Regulation]”; in fact, "within the TERIN Department, the IT and ICT Systems Development Division (TERIN ICT) carries out research, technological innovation and provision of advanced services in the energy and sustainable economic development sectors , through the implementation of ICT, with particular regard, among other things, to scientific computing, high-performance networks, cloud computing and the development of ICT for artistic heritage, with the development of acquisition and representation systems of data for Cultural Heritage”; "in this context, the Memorandum of Understanding was signed between the Ministry of Cultural Heritage and Activities and Tourism MiBACT and ENEA "For Energy Efficiency, Innovation, Prevention and Safety of Cultural Heritage", prot. no. XX, No. XX […]; the art. 2 "Subject" provides that the parties undertake to collaborate for the preparation and implementation of projects of national interest concerning the following thematic areas ... Applications of ICT technologies for energy efficiency, diagnosis, security and virtualization of cultural heritage " ; "the research activity [...] has the purpose of providing the curators of museum collections, shows, exhibitions, with a set of aggregate data useful for studying the methods of use of works of art, in order to highlight strengths, criticalities, improvements to optimize the exposure of the works themselves. In particular, the ShareArt system has been applied in the context of research and development activities related to IT methodologies based on IoT/BigData applications and neural networks"; between the 20th and 20th centuries the ShareArt system was tested on two occasions; at the time this system was based "on an image processing algorithm called "haar cascade" which is based on the search for an "archetype" of face, provided by the image processing libraries, within the image acquired by the camera. In order to identify faces located more or less far from the infrared camera, the search algorithm scales the archetype to various sizes and associates a confidence interval to the detection, which indicates the goodness of the likelihood. This procedure only allows the detection ("detection", in English) of the presence of a face and does not allow recognition ("recognition", in English)" [and allowed to obtain data such as:] 1) number of faces detected over time ; 2) distance of faces detected over time; 3) distribution of the average observation time; 4) distribution of the mean observation distance; 5) map in false colors of the position of the observers with respect to the work"; after these experiments, "the possibility of using a more performing product, the Raspberry Pi4 Model B+, has allowed the improvement of the "face detection" which has passed from the "Haar Cascade" classifier to the use of convolutional neural networks"; “the use of neural networks has made it possible to acquire new data [, such as]: 1) presence or absence of the mask in the detected face; 2) gaze direction, 3) age estimation (continuous variable between 18 and 75 years), 4) gender estimation (binary male-female classification)”; "simultaneously with the technical development of the device, a Collaboration Agreement was concluded with the Bologna Museums Institution (IstBO) [...], given the common scientific interest in experimenting with new systems based on the application of IoT/Big Data methods in order to be able quantify quantities useful for defining the degree of fruition of works of art exhibited in museums”; “on the basis of the aforementioned Agreement, the Bologna Museums Institution (IstBO) has made its museums available for the duration of two years with the aim of applying the ShareArt system in two phases. In the first, for which the use of 5 devices was foreseen, statistical and sociological experimental results were expected; if these results had been deemed by the parties to be useful and scientifically valid, phase two would have been passed using the system along an entire museum itinerary, within the overall context of an exhibition or a permanent exhibition to study the methods of use of the works to be part of the visitors”; "since the purpose of the ShareArt system is to provide the curators of museums and their exhibitions, a system (technology, method and algorithm) to obtain objective data on the use of works of art within a museum so that it is possible to understand the state current and improve exposures, the data is acquired anonymously, therefore always analyzed in an aggregate manner. The intent of the research with ShareArt, in fact, is not focused on the single visitor, but on the totality of the public”; "all the acquired data do not allow to trace the individual visitor nor do they allow to make decisions and carry out actions even potentially suitable to discriminate in any way one visitor from another"; "visitors whose faces are detected by the system are absolutely not, not even potentially, subjected to decisions based on the information acquired and generated by this system, nor can decisions be taken that are even potentially capable of impacting the rights and freedoms of these subjects , precisely because the system is not able to associate the extrapolated data with directly or indirectly identifiable natural persons”; following the pandemic, "the team of researchers involved in the ShareArt project paid attention to a further possible utility of the system, represented by the study of data relating to the use of the mask and social distancing which were introduced in the second version of the system ShareArt which, as previously described, employs the use of convolutional neural networks”; “in fact, it is the purpose of research with ShareArt to study whether the introduction of the legislation that regulated the use of the mask inside museums could have changed the normal ways in which one visits the museum and looks at the works. This information can be obtained by cross-referencing the histogram of the average observation time with the percentage data of the presence of the mask on the faces of the observers. By comparing the average observation time for the same work, in conditions of the presence of a mask and in the absence, when the legislation allows it, it will be possible to understand whether the obligation to wear a mask has had any impact on the way in which the works are used " ; "similarly, acquiring the data on compliance with social distancing as imposed by the legislation could provide information on the change in the average observation distance and on the average observation time if compared with the data acquired in the absence of the legislation imposing the distancing. Furthermore, it is possible to study whether this legislation has changed the way people visit the museum by analyzing whether there are groups of 2, 3 or more people in front of the work”; "the fact of informing visitors placed in front of the work of non-compliance with the indications of the legislation (mask and social distancing) through a discreet visual signal was provided for the benefit of the safety of all museum visitors and for the benefit of the discretion of the signal" ; "here too, therefore, there is no processing of personal data pursuant to the [Regulation] as the system does not allow for the identification, directly or indirectly, of visitors who do not wear a mask"; “The aim of the experimentation is the development of a method and a non-invasive system of the way in which visitors approach the artistic works, capable of giving useful - and anonymous - information to the curators of museums and exhibitions. It is therefore the experimentation of a prototype which, on the one hand, perfects the counting and detection techniques and, on the other, serves to discover and identify the information useful for improving the fruition of artistic and cultural heritage. Only at the end of this first preparatory phase will it be possible to use the system "in production" also for statistical purposes". With a note of the XX (prot. n. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Municipality, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, par. 1, lit. a), 6, 12, 13 and 26 of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021), for having implemented the processing of personal data in a non- compliant with the principle of "lawfulness, correctness and transparency", in the absence of a suitable regulatory prerequisite and in the absence of adequate information on the processing of personal data, as well as without having previously stipulated a joint-controlling agreement with ENEA. With the same note, the Municipality was invited to produce written defenses or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the l 24 November 1981, no. 689). With a note of the XX (prot. n. XX), the Municipality presented its defense brief, declaring, in particular, that: - "[…] ENEA, an organization aimed at research and technological innovation, as well as the provision of advanced services in support of sustainable economic development, has developed a platform called "ShareArt", which allows, by applying a camera near the work of art that one intends to monitor, to estimate a series of information relating to how observers use the work”; - "the agreement with the Municipality provided for two distinct phases, as expressly represented in art. 5 of the same: “The experimentation will be carried out in two phases: the first aimed at optimizing the system proposed by ENEA with the expansion of its potential. For this first phase, the Bologna Museums Institution will allow the personnel involved to be able to verify directly in the field, within the museum identified for the test, the effectiveness of the changes made to the system, thus creating a "field laboratory" for the duration of the 'agreement. At the end of the first phase, only if the parties deem the results useful and scientifically valid, will we proceed to develop a project involving the overall scope of an exhibition or permanent exhibition, agreeing on the specific purposes and methods""; - "in the Technical Annex it was also represented that "First phase - The optimization interventions of the single devices of the first phase will be aimed at making the audience survey faster, more reliable and more detailed" "Second phase - will proceed to develop a project that involves the overall scope of an exhibition or a permanent exhibition, agreeing on the specific purposes, methods and sustainability. In particular, ENEA's interest is to be able to experiment with the "ShareArt" system in a temporary and/or permanent exhibition"; - "following the investigation opened by the Guarantor Authority, the project was interrupted during the first phase"; - "art. 3 of the agreement entitled "Commitments of the Parties" reports that "ENEA - Department of Energy Technologies - Division for the development of IT and ICT systems (DTE-ICT) will make available the skills of its personnel as well as the equipment present in the Bologna Research Laboratories, which are necessary for the realization of the object of this Agreement". “The Bologna Museums Institution will make available its personnel and/or representatives as well as the equipment present in its laboratories and the consumables necessary for carrying out the research referred to in this Agreement, undertaking to develop the Project exclusively with ENEA””; - "the purpose underlying the aforementioned agreement is therefore to develop and fine-tune IT methodologies based on IoT/Big Data and data collection applications, to be used for a "quantification" of the way in which the works are used in a permanent exhibition and/or or temporary in order to optimize the methods of exposure”; - "the scientific collaboration between the Bologna Museums Institution and ENEA should have further developed (compared to ENEA's previous experiences) the "ShareArt" system and carried out a "large-scale" experimentation"; - "[...] this broad purpose should have been carried out in two distinct phases: in the first, the main purpose had been defined in the sense of applying "the optimization interventions of the individual devices in order to make the audience detection faster, more reliable and more detailed . With this in mind, the implementation of an observer "tracking" algorithm is proposed, which makes it possible to make the detection of individual observers more precise and to improve the definition of the path followed by each one in the space in front of the work. Furthermore, the profiling of each observed observer will be introduced, with the use of specially trained neural networks, estimating their age and gender. Compatibly with development times and with the technologies available, the possibility of further refining the profiling with an assessment of the state of mind of the observers is not excluded"; - "the activities described could only be carried out by ENEA in its capacity as owner of the "instrument" and depositary of skills that the Municipality of Bologna and the Museums certainly do not possess"; - "the first phase included activities of incremental relevance ranging from optimizing the devices to the implementation of "an application for the management and presentation of data generated by individual devices". The collaboration was interrupted in the constant phase of optimizing the devices”; - "in summary, ENEA, in its first phase, should have developed the tool and "in the second phase, only if the parties deem the results useful and scientifically valid, will a project be developed involving the overall scope of an exhibition or of a permanent exhibition, agreeing on the specific purposes, methods and sustainability""; - "[...] the "Project" was in its first stage of the first phase, in which the Municipality of Bologna could not (and was not able) to exercise any influence on the purpose of the processing, since in this first phase the purposes had the essential features of research and experimentation”; - "these purposes constitute elements that are irrelevant and not pertinent to the perimeter of competences institutionally envisaged for the Istituzione Musei"; - "on this point, also the jurisprudence of the CJEU [...] case [...] C-40/17 [...] in point 74 states that: «On the other hand, and without prejudice to any civil liability provided for by national law in this regard, this natural or legal person cannot be held responsible, pursuant to that provision, for the previous or subsequent operations of the processing chain of which it determines neither the purposes nor the means""; - “the plan of analysis changes profoundly considering the second phase. It emerges that, in this context, the division of roles in relation to the regulation on the protection of personal data pertaining to the second phase must be understood in the forms widely represented by the Guarantor Authority, or in a joint controllership regime between ENEA and the Municipality of Bologna . Second phase, it is emphasized, only possible, or subordinated to the achievement of scientifically useful results deriving from the aforementioned research and experimentation activity. In fact, only in this second phase was the existence confirmed for the Municipality and for ENEA of "a mutual advantage deriving from the same processing operation (... provided that each of the subjects involved participates in determining the purposes and means of the processing in question )" referred to in par. 60 of the aforementioned Guidelines [of the European Data Protection Board]"; - "on the other hand, only in the second phase, i.e. in the light of the outcomes correlated to the research and experimentation phase carried out by ENEA, would the Istituzione Musei be in a position to choose to use for its own purposes (those of improving the analysis of the fruition of the works for a better administration) a tool or another system developed by others for the treatment of personal data which, as represented by par. 67 of the Guidelines, would probably have constituted a joint decision on the means of such treatment by the subjects in question"; - with regard to the elements in relation to which art. 26 of the Regulation requires the joint controllers to determine and distribute their responsibilities, the Municipality "could not exercise any dominion or governance [over these elements] not being aware of the logic of algorithmic processing and punctual functioning of the system with substantial effects in terms of the protection of the interested parties”; - in any case "the Entity acted in the conviction, supported by the reassurances of ENEA, of the legitimacy of its conduct, which, with specific reference to the operations and processing carried out, did not present any risk of damage for the interested parties" and "the good faith rises to an exempting element", having to understand "by good faith [...] "error on the lawfulness of the fact""; - it pleads "the impossibility on the part of the Municipality to carry out a complete assessment of compliance with the legislation on the protection of personal data on advanced processing systems that are not in its availability and for which know-how would be necessary which is objectively unlikely to identify in a structure that manages the cultural heritage of the city”; - “the project took place in a pandemic period with a reduced number of museum opening days and a low number of visitors per day also due to quotas and the various obligations and limitations for access. From XX to XX - only 4 days a week with reduced hours for a total of 52 days. opening; from XX to XX total closure; from XX to XX, open for a total of 12 days, with reduced hours; from the 20th the museums were closed again until the 20th; from XX to XX opening for 60 days. at reduced hours. Furthermore, the experimentation took place all during the ongoing pandemic and for the entire period both the public and museum operators were obliged to wear a mask. For most of the period (100 days) there were two video cameras, for 18 days there were 9 and for 6 days there were 14. Especially in the XX - late XX period, the 2 video cameras were not always active as they were in progress installation tests with ENEA personnel. We understand that full functionality has been activated since the end of May”; - the Municipality "has not contributed in any way to the drafting of ENEA's technical proposal, nor has it contributed to establishing its means and aims. Furthermore, it has not received or used any data: it has only received three reports of statistical data in the form of graphs transmitted by ENEA for demonstration purposes only on the occasion of a press conference on XX”; - "starting from the XX, during the preliminary meetings for the stipulation of the agreement proposed by ENEA, which took place on the XX date, and then again at the start of the project (for example, we cite the meeting which took place on the XX date, the Municipality expressly requested and obtained reassurances from ENEA regarding compatibility with the provisions of the GDPR regulation. The Institution therefore acted in good faith, relying on ENEA's reassurances, an expression of a high level of specialist expertise"; - "at the first notification received from the Guarantor there was the immediate suspension of the experimentation. It was not necessary to adopt further measures because the Istituzione Musei has never had access and has not even used the data processed by the IT platform"; - "the trial was in any case carried out in supervised premises"; - "for the entire period concerned, both the public and museum operators were obliged to wear a mask, which in any case made them unrecognizable"; During the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on the XX date (minutes prot. n. XX of the XX), the Municipality declared, in particular, that: "from the agreement entered into with ENEA it emerges clearly that neither the purposes nor the means of the processing have been defined by the Entity"; - it is necessary to consider the “distinction into two phases of the experimentation activities. The first relating to the ShareArt test, the other to definitions of new collaborations on the basis of the results of the experimentation [, given that] the investigation by the Guarantor and the consequent interruption of activities occurred in the first phase, when the "Project ” was in its first stage of the initial phase, in which the Municipality of Bologna could not (and was not able) to exercise any influence on the purpose of the activities, since in this first phase the purposes had the essential features of the research and of experimentation”; - "these purposes constitute elements that are irrelevant and irrelevant to the scope of institutionally envisaged responsibilities of the Istituzione Musei". 3. Outcome of the preliminary investigation. 3.1 The processing of personal data carried out through the ShareArt system The Regulation defines "personal data" as "any information relating to an identified or identifiable natural person ("data subject")" (Article 4, paragraph 1, no. 1). The use of the expression "any information", also used in the analogous definition pursuant to art. 2, lit. a), of Directive 95/46, “reflects the objective of the EU legislator to give a broad meaning to this notion, which is not limited to sensitive or private information, but potentially includes any type of information, both objective as well as subjective [...] provided that they are "concerning" the person concerned. As regards the latter condition, it is satisfied if, by reason of its content, its purpose or its effect, the information is connected to a specific person" (Court of Justice of the European Union, judgment of 20 December 2017 , C-434/16, Nowak, paragraph 34). Based on the jurisprudence of the Court of Justice of the European Union on the processing of personal data using video devices, it is common ground that an image of a person's face constitutes personal data and that the recording of this image involves the processing of personal data (see judgments of 20 October 2022, Koalitsia "Demokratichna Bulgaria - Obedinenie", C‑306/21, paragraph 32, 14 February 2019, C 345/17, Buivids, paragraphs 31 and 32 and of 11 December 2014, C -212/13, Ryneš, points 22 and 25), the fact that the data controller does not know the identity of the person in question or does not have information on his own that could allow him to identify the same is completely irrelevant (cf. recital 26 of the Regulation, where it is specified that, in order to establish the identifiability of a person, it is appropriate to consider all the means that not only the data controller but also a third party can reasonably use to identify said natural person directly or indirectly; in jurisprudence, see Cass. Civ., sent. no. 17440 of 2 September 2015, where it is stated that "it does not appear possible to doubt that the image constitutes personal data [...] since it is data immediately suitable for identifying a person, regardless of his notoriety"). In fact, it is abstractly possible to trace a person's identity, starting from the image of the face, in particular using information that is in the possession of third parties (for example, public or private databases) or publicly available (for example, networks social), having to consider that "in order for a datum to be qualified as «personal data» [...] it is not required that all the information that allows the person concerned to be identified be in the possession of a single person" (C‑434/16, Nowak, cited above, paragraph 31; see also judgment of 19 October 2016, Breyer, C‑582/14, paragraph 43). This is also implicitly confirmed in the cons. 51 of the Regulation, when it is stated that "the processing of photographs should not systematically constitute a processing of particular categories of personal data, since they fall within the definition of biometric data only when they will be processed through a specific technical device which allows the unambiguous identification or the authentication of a natural person", from which it follows that the image of a person, such as the one portrayed in a photograph or video, constitutes personal data, even though it is not in itself and in a systematic way personal data relating to special categories referred to in art. 9 of the Regulation. That said, the defensive arguments of the Municipality and Enea, aimed at illustrating in detail the functioning, from a technical point of view, of the video devices used in the context of the ShareArt project, do not allow us to overcome the remarks made with regard to the circumstance that the use of the aforesaid devices involves the processing of personal data, consisting of the image of the face of museum visitors. Indeed, as emerges from the technical documentation filed by Enea in the context of the same proceeding, the system in question uses a face detection algorithm in order to identify the faces of the visitors within the images taken by the cameras - or rather within the single frame that may contain one or more faces - even without the need to determine which face in the frame is and to whom it belongs. The face detection algorithm used does not permanently store the facial characteristics of the identified face so that if the software detects a face of a specific person in the frame and subsequently finds the same face on another image, it will not determine that the face belongs to the same person, counting the face twice in the shots. Unlike face recognition systems, face detection systems are not, in fact, aimed at recognizing specific people and are not connected to the identification and recognition of the data subjects. In any case, the system used makes it possible to acquire information relating to age, gender and some emotional elements of the faces identified in the various frames. The face detection algorithm used in the ShareArt system is based on convolutional neural networks (CNN) to detect faces in the images. In this context, the identification of faces generally takes place through the following phases: • preprocessing: the image is processed to improve image quality and remove noise; • image scanning: the image is divided into small regions or windows that run along the image; • feature extraction: a set of filters is applied to each window to extract image features, such as edges, textures, lines, angles, etc.; • classification: the extracted features are then passed through the convolutional neural network to determine whether the window contains a face or not; • merging: windows containing faces are merged together to form a final image with the detected faces; In summary, a frame in facial detection systems refers to a single digital image captured by a camera or video source that contains one or more human faces. Processing each frame is essential for identifying and recognizing faces and may require several processing operations, such as image segmentation, applying a classifier, and extracting facial features. In the light of what has been shown, it can only be assumed that the face detection algorithms require the processing of personal data, consisting of images of people's faces. It is, in fact, undeniable that the starting data used by the algorithm is the image of the face of the interested party, in front of the work of art. This data, present in the captured and subsequently processed frames, according to Enea, resides for about 100 milliseconds in the RAM of the SBC electronic board, to then be overwritten by the next frame. This operation involves the processing of personal data, albeit for a very short time, necessary for CNN to identify faces and to extract other relevant information. Although, therefore, the described system does not envisage the treatment of visitors' facial images, aimed at biometric recognition and identification, it is undeniable that the functioning of the system is based on an initial acquisition of images containing the visitors' faces , subsequently elaborated precisely in order to identify, within them, the faces. The frames reside on the system for a very short period, but in any case sufficient to implement the processing of personal data by the subjects involved (see provision no. 551 of 21 December 2017, web doc. no. 7496252, relating to a substantially similar case, in which "albeit for a short period of time, equal to a few tenths of a second, the system installed [by the data controller] involved [was] the processing of personal data, consisting of images of the faces of the data subjects, aimed at deducing from the facial image a series of information used to carry out analysis of the advertising audience"). Nor can the circumstance that no member of the data controller's organization be able to view the images memorized for such a short period of time assume significance, given that the qualification of information as personal data, for the purposes of the Regulation, cannot depend - even on protection of data subjects - from the fact that the data controller actually complies with technical-organisational limitations set up by himself in order to limit or prevent accessibility to the data, which could be disregarded at any time by members of the organization of the owner, or rendered ineffective as a result of computer attacks implemented by third parties. On the other hand, in the same collaboration agreement stipulated between the Municipality and ENEA (Annex No. 10 to the Enea Note Prot. No. XX, acquired in the context of the same procedure) it was assumed that the execution of the project would have involved the processing of visitors' personal data, although not attributable to the particular categories referred to in art. 9 of the Regulation ("it is important to underline how the technology used in the detection devices of the "ShareArt" system is completely compatible with the provisions of the [R]regulation [...] regarding [the] respect for the privacy of the museum public. In fact, in the algorithms for detecting faces, profiling (gender and age) and tracking of the viewer of the work there is no acquisition and storage of genetic, biometric data intended to uniquely identify a natural person [...] However, it is it is worth noting that the processing of photographs, a case similar to what happens in "ShareArt" acquisition devices, does not systematically constitute a processing of particular categories of personal data"). In the light of the foregoing considerations, it must be concluded, contrary to what was claimed by the Municipality and Enea during the preliminary investigation, that the ShareArt system involves the processing of personal data, consisting in the acquisition and temporary memorization of the face image of the visitors to the museum, albeit for a small fraction of the time. 3.2 The co-ownership relationship between the Municipality and Enea Pursuant to art. 4, par. 1, no. 7), of the Regulation, the data controller is “the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of processing personal data; when the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria applicable to his designation may be established by Union or Member State law". When two or more controllers jointly determine the purposes and means of processing, "they are joint controllers" and must "determine [in a transparent manner, through an internal agreement, their respective responsibilities for compliance with the obligations arising by this Regulation, in particular with regard to the exercise of the rights of the data subject, and the respective functions of communication of the information referred to in Articles 13 and 14, unless and insofar as the respective responsibilities are determined by Union law or of the Member State to which the controllers are subject. This agreement may designate a contact point for data subjects” (Article 26, paragraph 1, of the Regulation). The agreement between the joint controllers "adequately reflects the respective roles and relationships of the joint controllers with the data subjects" and the "essential content of the agreement [must be] made available to the data subject" (art. 26, paragraph 2, of the Regulation ). In this case, by stipulating the aforementioned collaboration agreement and implementing the "ShareArt" project at the Municipal Art Collections of Palazzo D'Accursio in Bologna, in order to obtain aggregate information on the subjective characteristics of the visitors and on the the ways in which they interacted with some works of art, the Municipality and Enea jointly determined the purposes and means of the processing. Indeed, as clarified by the European Data Protection Board, "the general criterion for the existence of joint controllership of processing is the joint participation of two or more subjects in defining the purposes and means of a processing operation. Joint participation can take the form of a joint decision, taken by two or more subjects [...]” (“Guidelines 07/2020 on the concepts of data controller and data processor under the GDPR”, adopted on 7 July 2021, paragraph 53). To this end, "an important criterion is that the treatment would not be possible without the participation of both subjects, in the sense that the treatments carried out by each subject are inseparable from each other, i.e. inextricably linked". With this agreement, the parties mutually acknowledged the fact that "it is in the interest of ENEA and the Bologna Museums institution to experiment with new systems based on the application of IoT/BigData methods in order to be able to quantify quantities useful for defining the degree of use of works of art exhibited in museums" and that "a collaboration in this sense between the Bologna Museums Institution and Enea constitutes a concrete opportunity to develop innovative solutions and technologies for the use of cultural heritage and the enhancement of their territorial realities". To this end, the Parties have "made their technical and scientific skills and resources available and in support of the project, according to [the aforementioned] objectives" and have agreed in detail "the description of the activities, the program and the resources employed” (see the technical attachment to the agreement), agreeing to bear the costs of the project, each to the extent of its own competence. The results of the project, in terms of aggregated data on the methods of use of the works of art, bring benefits both to the Municipality and to Enea, given that, as declared by Enea, "the data, already anonymised, are studied only by ENEA and ISTBO for the respective purposes of the project" and that the parties have expressly agreed, with the aforementioned agreement, to become co-owners of any results, or intellectual property rights, achieved as a result of the execution of the project, as well as to the right to "publish and/or disclose the results of the activities" (see the "Guidelines 07/2020 on the concepts of data controller and data processor pursuant to the GDPR", cited above, paragraph 60, where it is stated that "[...] the co-ownership of the treatment can also occur if the subjects pursue strictly connected or complementary purposes. This can occur, for example, when there is a mutual advantage deriving from the same treatment operation [...]"). Therefore, the circumstance that the Municipality limited itself to making available to ENEA the environments "where it could pursue the institutional mission referred to in Law 221/2015, i.e. the testing activities of the system, is not reflected in the contractual agreements “ShareArt””. In any case, even if only by making these environments available to ENEA, authorizing the installation and use of video devices for the purposes of the project and allowing the acquisition of images of visitors to one of its museums, the Municipality has made it possible processing of personal data in question, which, in the absence of your collaboration with Enea, could not have taken place. In this regard, it should be noted that, as clarified by the Court of Justice of the European Union, the existence of a joint responsibility does not necessarily imply an equivalent responsibility, for the same processing of personal data, of the various subjects involved in it. On the contrary, these subjects can be involved in different phases of this treatment and at different levels, so that the degree of responsibility of each of them must be assessed taking into account all the relevant circumstances in the specific context (judgment C-40/17, Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, of 29 July 2019: see also judgment C-210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018; see the "Guidelines 07/2020 on concepts of treatment and data controller pursuant to the GDPR”, cit., par. 58). Furthermore, it is not necessary that the determination of the purposes and means of the processing should be carried out by means of written instructions or assignments by the data controller. Therefore, a natural or legal person can be considered the data controller who, for purposes that are specific to him, influences the processing of personal data and therefore participates in the determination of the purposes and means of such processing (see Court of Justice of the European Union, judgment C-25/17, Jehovan todistajat, of 10 July 2018; see the "Guidelines 07/2020 on the concepts of data controller and data processor pursuant to the GDPR", cit., paragraphs 57 and 58). The circumstance that the Municipality did not have access to the images collected through video devices is, in this regard, irrelevant. This is because, always recalling the jurisprudence of the Court of Justice of the European Union, "the joint responsibility of various subjects for the same treatment, pursuant to this provision, does not presuppose that each of them has access to the personal data in question" (judgment C-40/17, cited above; see also judgment C-25/17, Jehovan todistajat, of 10 July 2018 and C-210/16, Wirtschaftsakademie Schleswig-Holstein, of 5 June 2018; see also the "Guidelines 07/2020 on the concepts of data controller and data processor pursuant to the GDPR", cited above, paragraph 56). In the light of the foregoing considerations, the processing of personal data, consisting of images of museum visitors, using video devices, was carried out by the Municipality and Enea as co-owners of the treatment, not having, however, the same previously stipulated an agreement of co-ownership of the treatment, in violation of the art. 26 of the Regulation. 3.3 The lack of a legal basis for the treatment Public entities may, as a rule, process personal data using video devices if the processing is necessary for compliance with a legal obligation to which the data controller is subject or for the performance of a task in the public interest or connected with the exercise of public powers vested in the data controller (art. 6, paragraph 1, letters c) and e), and 3, of the Regulation, as well as 2-ter of the Code; see the "Guidelines 3/2019 on the processing of personal data through video devices" of the European Data Protection Board, adopted on 29 January 2020, par. 41). In any case, the data controller is required to respect the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "data minimization", according to which personal data must be "processed in a lawful, correct and transparent manner in relation to the interested party", as well as "adequate, pertinent and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter a) and c ), of the Regulation). Having clarified that the use of the ShareArt system involves the processing of personal data (see previous par. 3.1), it should be noted that, during the preliminary investigation, the Municipality has not demonstrated that the processing in question could be considered based on a suitable legal basis, since the Municipality limited itself to claiming that no processing of personal data resulted from the use of this system. In this regard, in general, it must be remembered that, pursuant to articles 6, par. 3, of the Regulation and 2-ter, paragraph 1, of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021, in force at the time of the facts object of the investigation), the legal basis consisting in the need to carry out a processing of personal data "for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" (Article 6, paragraph 1, letter e), of the Regulation) could be "exclusively constituted by a rule of law or, in the cases provided for by law, a regulation", it being understood, in any case, that the legal basis on which the treatment is based must pursue an objective of public interest, must be proportionate to the legitimate objective pursued and must meet the quality requirements in terms of precise regulation of the envisaged processing (see article 6, paragraph 3, last sentence, of the Regulation). Taking into account that these requirements "constitute an expression of those deriving from Article 52, paragraph 1, of the Charter [of fundamental rights of the European Union], they must be interpreted in the light of this provision" and, therefore, limitations on the fundamental rights to the respect for private life and the protection of personal data (see articles 8 of the European Convention on Human Rights and 7 and 8 of the Charter of Fundamental Rights of the European Union) "may [...] be made, provided that, in accordance with Article 52(1) of the Charter, they are provided for by law and respect the essence of fundamental rights as well as the principle of proportionality. By virtue of this principle, limitations may be made only where they are necessary and effectively meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others. They must operate within the limits of what is strictly necessary and the legislation involving the interference must lay down clear and precise rules governing the scope and application of the measure in question" (judgment of 1 August 2022, C-184/20, Vyriausioji tarnybinės etikos komisija, paragraph 64). In particular, "in order to satisfy the requirement of proportionality, which finds expression in Article 5, paragraph 1, letter c), of the regulation [...] the legislation on which the processing is based must provide for clear and precise rules governing the scope and the application of the [envisaged] measure and impose minimum requirements so that the persons whose personal data are concerned have sufficient guarantees to effectively protect [the] data against the risk of misuse. Such legislation must be legally binding under national law and, in particular, indicate under which circumstances and under which conditions a measure providing for the processing of such data may be taken, thus ensuring that the interference is limited to what is strictly necessary ” (judgment of February 24, 2022, C-175/20, Valsts ieņēmumu dienests, para. 83). In the present case, the Municipality has not proved the existence of any legal provision or, in the cases provided for by law, any regulation which expressly provides for the processing of personal data such as that carried out in the context of the ShareArt project. It must therefore be concluded that the same was carried out in a manner that does not comply with the principle of lawfulness, correctness and transparency, and in the absence of a legal basis, in violation of articles 5, par. 1, lit. a), 6, para. 1, lit. e), of the Regulation and 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021). 3.4 The insufficient transparency of the treatment It has been ascertained, and it is not controversial, that the Municipality and Enea have not provided museum visitors with complete information on the processing of personal data, despite having posted a notice to inform users of the use of the ShareArt system, in which was specified, in particular that “for the purpose of protecting the privacy of visitors, a detection algorithm has been implemented which does not imply face recognition. Furthermore, the system acquires data without recording the images: the useful information, in fact, is the number of people who are watching the work and not who is doing it". This notice does not contain all the elements required by art. 13 of the Regulation, with particular regard to the contact details of the joint data controllers, the contact details of the respective data protection officers, the legal basis of the processing, the data retention period (or the criteria for determining this period) and to the rights of the interested parties pursuant to articles 15-22 of the Regulation. The processing of the personal data in question therefore took place in a manner that did not comply with the principle of lawfulness, correctness and transparency, in violation of articles 5, par. 1, lit. a), 12 and 13 of the Regulation. 3.5 The alleged discriminatory effects of the system With regard, however, to what was stated in the report regarding the fact that "classification based on gender risks confusing biological sex with gender, producing wrong classifications and discriminating against all transgender subjects or those who do not identify with the gender binary ”, it is noted that, on the basis of what emerged during the investigation, the ShareArt system cannot materialize this risk, given that no type of decision, based on gender, which could have a direct impact on the interested parties, has been taken through this system. 4. Conclusions. In the light of the assessments referred to above, it should be noted that the statements made by the Municipality during the investigation ˗ the truthfulness of which may be called upon to answer pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow overcoming the findings notified by the Office with the act of initiation of the procedure and are insufficient to allow the closure of the present procedure, since none of the cases provided for by the 'art. 11 of the Regulation of the Guarantor n. 1/2019. Therefore, the preliminary assessments of the Office are confirmed and the illegality of the processing of personal data carried out by the Municipality through the ShareArt system is noted, for having processed the personal data of museum visitors in the absence of a legal basis, providing them with a unsuitable information on the processing of personal data and by failing to enter into an agreement of co-ownership of the processing with Enea, in violation of articles 5, par. 1, lit. a), 6, para. 1, lit. e), 12, 13 and 26 of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021). That said, taking into account that: the processing did not concern biometric data or other data belonging to particular categories (see Article 9 of the Regulation); the images of the visitors' faces were stored in the ShareArt system for a few thousandths of a second; the overall treatment took place for a not too long period of time and in the context of the pandemic emergency from SARS-CoV-2, in which the number of visitors to the museum was in any case limited, having been, moreover, employed, for the most part of that period, only two devices (see the defensive brief of the Municipality in the connected proceeding, in the documents, where it is stated that "the project took place during a pandemic period with a reduced number of museum opening days and a low number of visitors per day also due to quotas and the various obligations and limitations for access. From XX - only 4 days a week with reduced hours for a total of 52 days. opening; from XX to XX total closure; from XX to XX, opening for a total of 12 days, at reduced hours; from the XX the museums were closed again until the XX; from XX to XX opening for 60 days at reduced hours [...] For most of the period (100 days) the cameras were two, for 18 days there were 9 and for 6 days there were 14. Especially in the XX - late XX period, the 2 cameras were not always active as installation tests with ENEA personnel were in progress"); the devices were used on a limited number of works of art (about 10 out of 24,000 works in the 11 civic museums managed by the Municipality); the violation is culpable, since the Municipality acted in good faith, in the erroneous belief, also gained on the basis of specific investigations (carried out by Enea before proceeding with the processing and, therefore, in any case worthy) that the use of the ShareArt system does not involve the processing of personal data; this also taking into account that the assessments that the Body was called to carry out in the context of the ShareArt project were characterized by a high degree of technical and legal complexity; although museum visitors could have been influenced in the context of the use of the works of art (considering the particular level of technological sophistication of the devices used, their location in close proximity to the works and the impossibility of opposing the treatment), the however, the processing took place in a public place, such as a museum, in which the interested parties cannot claim complete confidentiality, also given the possible use of traditional video surveillance devices, even if for the pursuit of the different purpose of protecting the artistic heritage ( see Article 1 of Decree Law No. 433 of 14 November 1992); although suitable information on the processing of personal data was not provided, visitors were nonetheless warned of the use of the ShareArt system by means of special signs, placed before the exhibition area; the Municipality cooperated satisfactorily with the Authority during the investigation; there are no previous relevant violations committed by the data controller or previous measures pursuant to art. 58 of the Regulation; the circumstances of the specific case lead to qualifying the same as a "minor violation", pursuant to cons. 148 of the Regulation and the “Guidelines concerning the application and provision of administrative fines for the purposes of regulation (EU) no. 2016/679”, adopted by the Art. 29 Working Group on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with the “Endorsement 1/2018” of 25 May 2018. In the light of all of the above, and of the overall terms of the matter in question, it is therefore considered sufficient to admonish the data controller for the violation of the aforementioned provisions, pursuant to art. 58, par. 2, lit. b), of the Regulation (see also cons. 148 of the Regulation). In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation. Finally, it should be noted that the conditions pursuant to art. 17 of regulation no. 1/2019. ALL THIS CONSIDERING THE GUARANTOR a) declares, pursuant to art. 57, par. 1, lit. f), of the Regulation, the unlawfulness of the processing of personal data carried out by the Municipality of Bologna, in the person of its pro-tempore legal representative, with registered office in Piazza Maggiore 6 - 40121 Bologna (BO), C.F. 01232710374, for violation of articles 5, par. 1, lit. a), 6, para. 1, lit. e), 12, 13 and 26 of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021), in the terms set out in the justification; b) pursuant to art. 58, par. 2, lit. b) of the Regulation, admonishes the Municipality of Bologna, as data controller in question, for having violated the articles 5, par. 1, lit. a), 6, para. 1, lit. e), 12, 13 and 26 of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021), as described above; c) believes that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 13 April 2023 PRESIDENT Station THE SPEAKER Station THE SECRETARY GENERAL Matthew [doc. web no. 9896808] Provision of April 13, 2023 Register of measures no. 123 of 13 April 2023 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, components and the cons. Fabio Mattei, general secretary; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and repealing Directive 95/46/ CE, “General Data Protection Regulation” (hereinafter, “Regulation”); HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter the “Code”); CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette no. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019"); Given the documentation in the deeds; Given the observations made by the general secretary pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the Guarantor's office for the protection of personal data, doc. web no. 1098801; Speaker Prof. Pasquale Stanzione; WHEREAS 1. Introduction. The Hermes Center for Transparency and Digital Human Rights submitted a report to the Guarantor in relation to "the ShareArt system developed by ENEA, the National Agency for New Technologies, Energy and Sustainable Economic Development [hereinafter, the "Agency" or the "Enea"), in collaboration with the Bologna Museums Institution" [instrumental body of the Municipality of Bologna - hereinafter, the "Municipality" - without legal personality], whose purpose would be "to measure "the approval of a work of art" and detect the correct use of a mask and distance". In particular, "through a camera, the ShareArt system automatically detects faces looking in the direction of the work, contextually acquiring a series of information relating to behavior when observing works of art, such as the path taken to approach the work, the number of people who observed it, the time and distance of observation, the gender, age class and mood of the observing visitors”. With regard to information relating to gender, the report states that "the classification based on gender risks confusing biological sex with gender, producing wrong classifications and discriminating against all transgender subjects or those who do not identify in the gender binary". According to what was reported in a technical document of the Agency, attached to the report, the system in question would use a "new face detection algorithm, based on convolutional neural networks (CNN) which also provides an observer tracking function". When the observer enters the field of view of the camera, in fact, he would be "assigned a numerical ID and followed, whether or not he was looking towards the work, so that the number of faces observing the work detected by the system refers to the specific id and therefore to each individual visitor". The system would be able to "obtain information such as, for example, the average observation time or distance divided by gender and age group, the points of view of the work preferred by children or older people, the preferred routes by men and those preferred by women”. Furthermore, "when it is no longer mandatory to wear a mask and the data will be reliable, the ShareArt system provides for [the collection of] information" on how the public's mood varies based on the work observed or on how a work arouses different emotions on observers of different ages”, considering that “the evaluation of the state of mind of the observers [...] would allow to further refine the profiling and would satisfy another request made by museum curators.” Finally, with regard to transparency obligations, the report states that "[there are] very few signs to indicate that the system was active, beyond the small black cameras attached to the walls and a disclaimer at the ticket office". 2. The preliminary investigation. With a note dated XX (prot. n. XX), ENEA, in response to a request for information from the Authority (prot. n. XX of XX), stated, in particular, that: "the purpose of the research activity is to provide the curators of museum collections, exhibitions, exhibitions, with a set of data useful for studying the methods of use of works of art, in order to highlight strengths, weaknesses, improvements for optimize the exposure of the works themselves”; "the system does not involve the collection and processing of data relating to identified or identifiable natural persons and, a fortiori, of biometric data [...]"; "for each frame produced by the camera [...] the following data is generated:1) date and time of the detection (dd/mm/yyyy hh:mm:ss), 2) time elapsed from the moment the Device was switched on to that of the detection , 3) coordinates, in pixels, of the frame surrounding the face, 4) width, in pixels, of the frame of the face, 5) height, in pixels of the frame of the face, 6) identification number (ID),7) presence or less than the mask”; “[…] the neural network used applies a face detection technique which, contrary to face recognition, oriented towards the identification of people, is limited to detecting the presence of human faces. It follows that the identification number (ID) refers to the square of the face as a geometric figure and not to the biometric characteristics of the person and is used to identify its movement within the area framed by the camera. If the person leaves the imaged area and re-enters it immediately afterwards, a new ID would be associated with the detected face frame that has no references to the previous one. In fact, the ID is not related to biometric data, but to a "centroid object tracking" algorithm; "[...] it is not possible to trace the image acquired by the video camera and, consequently, the identity of the natural person to whom this image is associated, starting from the data obtained by the computer directly on local media and immediately sent to the databases of ENEA after being translated into numerical form”; “[…] the number of faces in the image (frame), coordinates and size within the frame are acquired by the system. The frame is processed by the algorithm (CNN) in an SBC (Single Board Computer) electronic card, in a dedicated internal volatile memory (RAM) and therefore the frame is not accessible from other systems and the content is not preserved. Consequently, the image in this case cannot be considered "personal data" as it cannot be traced back to the face of the natural person (the data that transit, for a few thousandths of a second, in the volatile memory of the SBC are information inside the frame, do not coincide with the image of the visitor's face)"; "the neural networks used are of the convolutional type (CNN) and, as known from the scientific literature, they do not work based on the extraction of biometric data, but carry out the classification thanks to a training carried out with a training set of images"; "at the end of this processing, which lasts about 100 milliseconds, the frame and the box of each face detected by the processing are canceled from the RAM memory of the SBC electronic card and overwritten by a new frame"; "the data generated is sent via the "mqtt" protocol to the SERVER, consisting of a virtual machine of the ENEA Grid infrastructure installed in the calculation room of the ENEA Research Center in Bologna, protected with high IT security standards"; "[...] the Device can be considered as a "black box" that captures images in real time and, without storing or transferring them, generates alphanumeric data output"; "each Device [...] acts as an isolated system and the face of a visitor captured by a Device cannot in any way be associated with it in the event that he pauses in front of another Device or, once out of the field of recovery of the first, you go back”; “[…] it is not possible to trace the number of visitors, even estimated, as the surveys carried out by the system could refer, hypothetically, to the same subject who passed through different exhibition halls or several times in front of the same work, as well as to different visitors, neither identifiable nor numerically definable”; “[…] seeing a visitor's face, even if only instantaneously, represents an event whose possibility of occurring is purely hypothetical (which could derive, for example, from an abusive access to the system, due to an external intentional action: such an eventuality would, however, be extremely remote in practicea, considering the technical security measures integrated, by design, into the system in order to prevent unauthorized access to the same and the organizational security measures implemented by the Bologna Museums Institution, as the cameras are installed in an environment that provides already a surveillance activity for the protection of the artistic heritage on display)"; "even if we want to hypothesize [...] the execution of technical maintenance activities of the system during its use (occurrence, as mentioned, to date never verified and which is absolutely not foreseen), any possible access to the frame of the visitors' faces, in the fraction of a second in which it is collected and processed by the algorithm, would be purely accidental and, in any case, the extremely short time of the processing process would make the possibility that the operator in charge of maintenance operations, in practice, extremely remote ENEA research staff, can perceive it as a face that can be associated with an identified or identifiable natural person”; “[…] ENEA has paid the utmost attention […] to the adoption of adequate measures in order to prevent access, even if only accidental, to the image of the visitor's face, the processing of which (equal to a few thousandths of a second) it takes place exclusively within the RAM memory of the electronic board installed in the museum, with no possibility of connection with other external communication networks”; "a dedicated internal network was provided, with the installation of 18 WiFi points to which only the Devices themselves can connect, in order to avoid risks deriving from any external connections (caused, for example, by hacker attacks) to and from the Wifi network of the Museum”; "in any case, on the XX date, the system was deactivated as a precaution, until the resolution of the matter to be reported"; "even imagining possible discriminatory uses of the system, it would not have been, in fact, possible for ENEA to adopt potentially unequal decisions towards people of non-binary gender"; “in relation to the roles respectively assumed by ENEA and by Istituzione Bologna Musei, [...] it was considered that, excluding the material scope of application pursuant to art. 2 of the [Regulation], it is not possible to formalize it [...]. Instead, it is believed that the use of the ShareArt system involves the processing of electronic data other than personal data, falling within the scope of application of Regulation (EU) 2018/1807 of 14 November 2018 [...], as the results of the experimentation are provided to the Bologna Museums Institution, which uses them as a service aimed at analyzing the methods of use of the exhibited works and the consequent optimization of the methods of exhibition”. With regard to the same request for information, the Municipality, with note prot. n.XX, declared, in particular, that: "the Bologna Museums Institution was set up by the Municipality of Bologna [...,] [it is a] instrumental body of the Municipality without legal personality [...] created [or] for the management and coordination of the municipal museum system", being " subject to the power of direction and control of the Municipality itself [...] It therefore falls within the perimeter of ownership of the Municipality”; "in the first months of the 20th century, ENEA presented the research and development activities relating to a system called "ShareArt" to the Bologna Museums Institution"; the "Institution, in adherence to an approach favoring innovation and research, therefore accepted the proposal for a Collaboration Agreement received from ENEA, in implementation of which the Municipality made available to the research Institution the environments where the Same could pursue the institutional mission referred to in Law 221/2015, or the experimentation activities of the "ShareArt" system; "from an organizational point of view, given the opportunity to inform visitors of the presence of the devices of the "ShareArt" system, a sign has been placed at the Museum cash desk; ENEA has also positioned each device in a clearly visible way next to the work concerned". In response to a subsequent request for information from the Authority (note prot. n. XX of XX), Enea, with note prot. no. XX, stated, in particular, that: “the legal basis for the processing of the deemed personal data (visitor images) [can] be identified in the art. 6, p. 1, lit. e) of Regulation (EU) 2016/679”; Enea "is a public-law body aimed at research and technological innovation, as well as the provision of advanced services to businesses, public administration and citizens in the fields of energy, the environment and economic development"; the art. 2 of the institution's statute provides that "ENEA operates in the sectors of energy, the environment and sustainable economic development, and provides the country with multidisciplinary skills and consolidated experience in the management of complex projects", being the Enea "defined as an entity aimed at research, technological innovation and the provision of advanced services to businesses, the public administration and citizens"; the art. 3, paragraph 2, lett. g), of the Statute of the Body provides that the same "carries out and provides public and private subjects with studies, research, data analysis, measurements, tests and evaluations in the sectors of competence"; within the TERIN Department, Department of Energy Technologies and Renewable Sources of the Body, "the Division for the Development of Information Technology and ICT Systems (TERIN ICT) carries out research, technological innovation and provision of advanced services in the sectors of energy and sustainable economic development, through the implementation of ICT, with particular regard, among other things, [...] to the development of ICT for artistic heritage, with the development of data acquisition and representation systems for Cultural Heritage”; "in relation to the institutional activity of the Agency in support of the production and services system, the Conservation of cultural heritage is, in fact, one of the sectors of intervention of ENEA [...]"; "in this area of developing innovative solutions and technologies for the monitoring and conservation of artistic and cultural heritage and the enhancement of local realities, the ShareArt system was developed [...]"; "the research activity [...] has the purpose of providing the curators of museum collections, shows, exhibitions, with a set of data useful for studying the methods of use of works of art, in order to highlight strengths, weaknesses , improvements to optimize the exposure of the works themselves”; “in particular, the ShareArt system has been applied in the context of research and development activities related to IT methodologies based on IoT/BigData applications and neural networks. In relation, therefore, to the aims of the project, it seems useful to specify that these pertain exclusively to the pursuit of scientific studies and research, in line with the express provisions of the aforementioned art. 2 of the ENEA Statute, and in compliance with the institutional purposes of scientific research whose pursuit is entrusted to ENEA directly by the aforementioned legislation, as a task of public interest"; “the data, already anonymised, are studied only by ENEA and ISTBO for the respective purposes of the project and are not disclosed to third parties. Eventually they could be published, exclusively in aggregate form, for the sole purpose of disseminating the results of scientific research"; "Devices of the ShareArt system in operation do not generate any video stream that can be "intercepted" from the outside and [...] it is not possible to trace the image acquired by the camera and, consequently, the identity of the natural person to whom this image is associated , starting from the data obtained by the computer directly on local supports and immediately sent to the ENEA databases after being translated into numerical form; the data generated by the system are completely anonymous and are archived in dedicated databases accessible only to authorized personnel of ENEA, for the exclusive purposes of technical-scientific analysis and statistical aggregation”; "the ShareArt system, therefore, has been set up in order to process only totally anonymised data"; "in any case, thanks to the security measures adopted [...], a hypothetical intrusion into the device would not allow camera control, nor the interception of the video stream and the local memory without this also causing the interruption of the execution of the ShareArt application. In fact, the ShareArt application, running on each device, assumes exclusive control of the camera present on the device itself, preventing any other process from accessing the same camera: a hypothetical interruption/intrusion into the device, therefore, would be detected in real time from the ENEA Center server, since the periodic sending of the control signal (heartbeat), generated by the ShareArt program itself in constant execution on each device, would also be interrupted”. With regard to the same request for information, the Municipality, with note prot. no. XX, stated, in particular, that: "the participation in the initiative by the Museum is inherent in a regulatory and institutional framework - to which the Institution belongs - of absolute favor towards initiatives, including technologically innovative ones, which can produce positive effects in order to enhance the public cultural heritage"; "given the absolutely experimental nature of the "Share Art" initiative, the Institution allowed ENEA to conduct tests and analyzes on about 10 works (out of 24,000 works present in the 11 civic museums managed) and subject to a guarantee from by ENEA of the compliance of the project with the applicable legislation on the matter. Furthermore, it should be noted that the experimentation was conducted by ENEA coinciding with the period of reduced public presence due to the frequent periods of closure of the Museum due to the pandemic"; “The Bologna Museums Institution: has not assumed any role in the conception, implementation, management, storage of the data flow; has never had access to or used the data processed and processed by the application platform (except for the number three processing of some statistical and aggregate data, transmitted by ENEA for purely demonstrative purposes and presented at the press conference of the XX); does not have access users to the application platform.” "the "Share Art" devices do not have access to the institution's network"; "the conception, implementation, management, conservation, study, analysis and use of the information processed by the platform were the exclusive responsibility of ENEA, which, consequently, will provide the information requested by the Authority regarding the legal basis of the processing and security measures”; In response to a third request for information from the Authority (note prot. n. XX of XX), addressed exclusively to ENEA, the latter, with note prot. no. XX, stated, in particular, that: "the ShareArt system does not involve the collection and processing of data relating to identified or identifiable natural persons"; “an algorithm is used that does not recognize the face. In fact, only the number of faces in the image (frame) is acquired by the system. In this case, the image cannot be considered "personal data" as it cannot be traced back to the face of the natural person (the data that transit, for a few thousandths of a second, in the volatile memory of the SBC are information inside the frame, not coinciding with the image of the visitor's face, in any case not suitable for identifying him"; "The Devices of the ShareArt system in operation do not generate any video stream and [...] it is not possible to trace the frame acquired by the camera"; "the data generated by the system [...] are archived in dedicated databases accessible only to authorized personnel of ENEA, for the exclusive purposes of technical-scientific analysis and statistical aggregation inherent to the project"; "the ShareArt system, therefore, was set up in order to process - from the initial acquisition phase - only anonymous data"; "it was not [, therefore,] considered necessary to proceed with the provisions of the "Ethical rules for processing for statistical or scientific research purposes", including the implementation of the project pursuant to Article 3"; "data processing, where they should be considered personal data pursuant to the [Regulation], could be carried out by ENEA on the basis of art. 6, p. 1, lit. e) of the [Regulation]"; in fact, "within the TERIN Department, the IT and ICT Systems Development Division (TERIN ICT) carries out research, technological innovation and provision of advanced services in the energy and sustainable economic development sectors , through the implementation of ICT, with particular regard, among other things, to scientific computing, high-performance networks, cloud computing and the development of ICT for artistic heritage, with the development of acquisition and representation systems of data for Cultural Heritage”; "in this context, the Memorandum of Understanding was signed between the Ministry of Cultural Heritage and Activities and Tourism MiBACT and ENEA "For Energy Efficiency, Innovation, Prevention and Safety of Cultural Heritage", prot. no. XX, No. XX [...]; the art. 2 "Subject" provides that the parties undertake to collaborate for the preparation and implementation of projects of national interest concerning the following thematic areas ... Applications of ICT technologies for energy efficiency, diagnosis, security and virtualization of cultural heritage " ; "the research activity [...] has the purpose of providing the curators of museum collections, shows, exhibitions, with a set of aggregate data useful for studying the methods of use of works of art, in order to highlight strengths, criticalities, improvements to optimize the exposure of the works themselves. In particular, the ShareArt system has been applied in the context of research and development activities related to IT methodologies based on IoT/BigData applications and neural networks"; between the 20th and 20th centuries the ShareArt system was tested on two occasions; at the time this system was based "on an image processing algorithm called "haar cascade" which is based on the search for an "archetype" of face, provided by the image processing libraries, within the image acquired by the camera. In order to identify faces located more or less far from the infrared camera, the search algorithm scales the archetype to various sizes and associates a confidence interval to the detection, which indicates the goodness of the likelihood. This procedure only allows the detection ("detection", in English) of the presence of a face and does not allow recognition ("recognition", in English)" [and allowed to obtain data such as:] 1) number of faces detected over time ; 2) distance of faces detected over time; 3) distribution of the average observation time; 4) distribution of the mean observation distance; 5) map in false colors of the position of the observers with respect to the work"; after these experiments, "the possibility of using a more performing product, the Raspberry Pi4 Model B+, has allowed the improvement of the "face detection" which has passed from the "Haar Cascade" classifier to the use of convolutional neural networks"; “the use of neural networks has made it possible to acquire new data [, such as]: 1) presence or absence of the mask in the detected face; 2) gaze direction, 3) age estimation (continuous variable between 18 and 75 years), 4) gender estimation (binary male-female classification)”; "simultaneously with the technical development of the device, a Collaboration Agreement was concluded with the Bologna Museums Institution (IstBO) [...], given the common scientific interest in experimenting with new systems based on the application of IoT/Big Data methods in order to be able quantify quantities useful for defining the degree of fruition of works of art exhibited in museums”; “on the basis of the aforementioned Agreement, the Bologna Museums Institution (IstBO) has made its museums available for the duration of two years with the aim of applying the ShareArt system in two phases. In the first, for which the use of 5 devices was foreseen, statistical and sociological experimental results were expected; if these results had been deemed by the parties to be useful and scientifically valid, phase two would have been passed using the system along an entire museum itinerary, within the overall context of an exhibition or a permanent exhibition to study the methods of use of the works to be part of the visitors”; "since the purpose of the ShareArt system is to provide the curators of museums and their exhibitions, a system (technology, method and algorithm) to obtain objective data on the use of works of art within a museum so that it is possible to understand the state current and improve exposures, the data is acquired anonymously, therefore always analyzed in an aggregate manner. The intent of the research with ShareArt, in fact, is not focused on the single visitor, but on the totality of the public”; "all the acquired data do not allow to trace the individual visitor nor do they allow to make decisions and carry out actions even potentially suitable to discriminate in any way one visitor from another"; "visitors whose faces are detected by the system are absolutely not, not even potentially, subjected to decisions based on the information acquired and generated by this system, nor can decisions be taken that are even potentially capable of impacting the rights and freedoms of these subjects , precisely because the system is not able to associate the extrapolated data with directly or indirectly identifiable natural persons”; following the pandemic, "the team of researchers involved in the ShareArt project paid attention to a further possible utility of the system, represented by the study of data relating to the use of the mask and social distancing which were introduced in the second version of the system ShareArt which, as previously described, employs the use of convolutional neural networks”; “in fact, it is the purpose of research with ShareArt to study whether the introduction of the legislation that regulated the use of the mask inside museums could have changed the normal ways in which one visits the museum and looks at the works. This information can be obtained by cross-referencing the histogram of the average observation time with the percentage data of the presence of the mask on the faces of the observers. By comparing the average observation time for the same work, in conditions of the presence of a mask and in the absence, when the legislation allows it, it will be possible to understand whether the obligation to wear a mask has had any impact on the way in which the works are used " ; "similarly, acquiring the data on compliance with social distancing as imposed by the legislation could provide information on the change in the average observation distance and on the average observation time if compared with the data acquired in the absence of the legislation imposing the distancing. Furthermore, it is possible to study whether this legislation has changed the way people visit the museum by analyzing whether there are groups of 2, 3 or more people in front of the work”; "the fact of informing visitors placed in front of the work of non-compliance with the indications of the legislation (mask and social distancing) through a discreet visual signal was provided for the benefit of the safety of all museum visitors and for the benefit of the discretion of the signal" ; "here too, therefore, there is no processing of personal data pursuant to the [Regulation] as the system does not allow for the identification, directly or indirectly, of visitors who do not wear a mask"; “The aim of the experimentation is the development of a non-invasive method and system of the way in which visitors approach the artistic works, capable of giving useful - and anonymous - information to the curators of museums and exhibitions. It is therefore the experimentation of a prototype which, on the one hand, fine-tunes the counting and detection techniques and, on the other, serves to discover and identify the information useful for improving the fruition of artistic and cultural heritage. Only at the end of this first preparatory phase will it be possible to use the system "in production" also for statistical purposes". With a note of the XX (prot. n. XX), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Municipality, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, concerning the alleged violations of articles 5, par. 1, lit. a), 6, 12, 13 and 26 of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021), for having implemented the processing of personal data in a non- compliant with the principle of "lawfulness, correctness and transparency", in the absence of a suitable regulatory prerequisite and in the absence of adequate information on the processing of personal data, as well as without having previously stipulated a joint-controlling agreement with ENEA. With the same note, the Municipality was invited to produce written defenses or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the l 24 November 1981, no. 689). With a note of the XX (prot. n. XX), the Municipality presented its defense brief, declaring, in particular, that: - "[…] ENEA, an organization aimed at research and technological innovation, as well as the provision of advanced services in support of sustainable economic development, has developed a platform called "ShareArt", which allows, by applying a camera near the work of art that one intends to monitor, to estimate a series of information relating to how observers use the work”; - "the agreement with the Municipality provided for two distinct phases, as expressly represented in art. 5 of the same: “The experimentation will be carried out in two phases: the first aimed at optimizing the system proposed by ENEA with the expansion of its potential. For this first phase, the Bologna Museums Institution will allow the personnel involved to be able to verify directly in the field, within the museum identified for the test, the effectiveness of the changes made to the system, thus creating a "field laboratory" for the duration of the 'agreement. At the end of the first phase, only if the parties deem the results useful and scientifically valid, will we proceed to develop a project involving the overall scope of an exhibition or permanent exhibition, agreeing on the specific purposes and methods""; - "in the Technical Annex it was also represented that "First phase - The optimization interventions of the single devices of the first phase will be aimed at making the audience survey faster, more reliable and more detailed" "Second phase - will proceed to develop a project that involves the overall scope of an exhibition or a permanent exhibition, agreeing on the specific purposes, methods and sustainability. In particular, ENEA's interest is to be able to experiment with the "ShareArt" system in a temporary and/or permanent exhibition"; - "following the investigation opened by the Guarantor Authority, the project was interrupted during the first phase"; - "art. 3 of the agreement entitled "Commitments of the Parties" reports that "ENEA - Department of Energy Technologies - Division for the development of IT and ICT systems (DTE-ICT) will make available the skills of its personnel as well as the equipment present in the Bologna Research Laboratories, which are necessary for the realization of the object of this Agreement". “The Bologna Museums Institution will make available its personnel and/or representatives as well as the equipment present in its laboratories and the consumables necessary for carrying out the research referred to in this Agreement, undertaking to develop the Project exclusively with ENEA””; - "the purpose underlying the aforementioned agreement is therefore to develop and fine-tune IT methodologies based on IoT/Big Data and data collection applications, to be used for a "quantification" of the way in which the works are used in a permanent exhibition and/or or temporary in order to optimize the methods of exposure”; - "the scientific collaboration between the Bologna Museums Institution and ENEA should have further developed (compared to ENEA's previous experiences) the "ShareArt" system and carried out a "large-scale" experimentation"; - "[...] this broad purpose should have been carried out in two distinct phases: in the first, the main purpose had been defined in the sense of applying "the optimization interventions of the individual devices in order to make the audience detection faster, more reliable and more detailed . With this in mind, the implementation of an observer "tracking" algorithm is proposed, which makes it possible to make the detection of individual observers more precise and to improve the definition of the path followed by each one in the space in front of the work. Furthermore, the profiling of each observed observer will be introduced, with the use of specially trained neural networks, estimating their age and gender. Compatibly with development times and with the technologies available, the possibility of further refining the profiling with an assessment of the state of mind of the observers is not excluded"; - "the activities described could only be carried out by ENEA in its capacity as owner of the "instrument" and depositary of skills that the Municipality of Bologna and the Museums certainly do not possess"; - "the first phase included activities of incremental relevance ranging from optimizing the devices to the implementation of "an application for the management and presentation of data generated by individual devices". The collaboration was interrupted in the constant phase of optimizing the devices”; - "in summary, ENEA, in its first phase, should have developed the tool and "in the second phase, only if the parties deem the results useful and scientifically valid, will a project be developed involving the overall scope of an exhibition or of a permanent exhibition, agreeing on the specific purposes, methods and sustainability""; - "[...] the "Project" was in its first stage of the first phase, in which the Municipality of Bologna could not (and was not able) to exercise any influence on the purpose of the processing, since in this first phase the purposes had the essential features of research and experimentation”; - "these purposes constitute elements that are irrelevant and not pertinent to the perimeter of competences institutionally envisaged for the Istituzione Musei"; - "on this point, also the jurisprudence of the CJEU [...] case [...] C-40/17 [...] in point 74 states that: «On the other hand, and without prejudice to any civil liability provided for by national law in this regard, this natural or legal person cannot be held responsible, pursuant to that provision, for the previous or subsequent operations of the processing chain of which it determines neither the purposes nor the means""; - “the plan of analysis changes profoundly considering the second phase. It emerges that, in this context, the division of roles in relation to the regulation on the protection of personal data pertaining to the second phase must be understood in the forms widely represented by the Guarantor Authority, or in a joint controllership regime between ENEA and the Municipality of Bologna . Second phase, it is emphasized, only possible, or subordinated to the achievement of scientifically useful results deriving from the aforementioned research and experimentation activity. In fact, only in this second phase was the existence confirmed for the Municipality and for ENEA of "a mutual advantage deriving from the same processing operation (... provided that each of the subjects involved participates in determining the purposes and means of the processing in question )" referred to in par. 60 of the aforementioned Guidelines [of the European Data Protection Board]"; - "on the other hand, only in the second phase, i.e. in the light of the outcomes correlated to the research and experimentation phase carried out by ENEA, would the Istituzione Musei be in a position to choose to use for its own purposes (those of improving the analysis of the fruition of the works for a better administration) a tool or another system developed by others for the treatment of personal data which, as represented by par. 67 of the Guidelines, would probably have constituted a joint decision on the means of such treatment by the subjects in question"; - with regard to the elements in relation to which art. 26 of the Regulation requires the joint controllers to determine and distribute their responsibilities, the Municipality "could not exercise any dominion or governance [over these elements] not being aware of the logic of algorithmic processing and punctual functioning of the system with substantial effects in terms of the protection of the interested parties”; - in any case "the Entity acted in the conviction, supported by the reassurances of ENEA, of the legitimacy of its conduct, which, with specific reference to the operations and processing carried out, did not present any risk of damage for the interested parties" and "the good faith rises to an exempting element", having to understand "by good faith [...] "error on the lawfulness of the fact""; - it pleads "the impossibility on the part of the Municipality to carry out a complete assessment of compliance with the legislation on the protection of personal data on advanced processing systems that are not in its availability and for which know-how would be necessary which is objectively unlikely to identify in a structure that manages the cultural heritage of the city”; - “the project took place in a pandemic period with a reduced number of museum opening days and a low number of visitors per day also due to quotas and the various obligations and limitations for access. From XX to XX - only 4 days a week with reduced hours for a total of 52 days. opening; from XX to XX total closure; from XX to XX, open for a total of 12 days, with reduced hours; from the 20th the museums were closed again until the 20th; from XX to XX opening for 60 days. at reduced hours. Furthermore, the experimentation took place all during the ongoing pandemic and for the entire period both the public and museum operators were obliged to wear a mask. For most of the period (100 days) there were two video cameras, for 18 days there were 9 and for 6 days there were 14. Especially in the XX - late XX period, the 2 video cameras were not always active as they were in progress installation tests with ENEA personnel. We understand that full functionality has been activated since the end of May”; - the Municipality "has not contributed in any way to the drafting of ENEA's technical proposal, nor has it contributed to establishing its means and aims. Furthermore, it has not received or used any data: it has only received three reports of statistical data in the form of graphs transmitted by ENEA for demonstration purposes only on the occasion of a press conference on XX”; - "starting from the XX, during the preliminary meetings for the stipulation of the agreement proposed by ENEA, which took place on the XX date, and then again at the start of the project (for example, we cite the meeting which took place on the XX date, the Municipality expressly requested and obtained reassurances from ENEA regarding compatibility with the provisions of the GDPR regulation. The Institution therefore acted in good faith, relying on ENEA's reassurances, an expression of a high level of specialist expertise"; - "at the first notification received from the Guarantor there was the immediate suspension of the experimentation. It was not necessary to adopt further measures because the Istituzione Musei has never had access and has not even used the data processed by the IT platform"; - "the trial was in any case carried out in supervised premises"; - "for the entire period concerned, both the public and museum operators were obliged to wear a mask, which in any case made them unrecognizable"; During the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on the XX date (minutes prot. n. XX of the XX), the Municipality declared, in particular, that: "from the agreement entered into with ENEA it emerges clearly that neither the purposes nor the means of the processing have been defined by the Entity"; - it is necessary to consider the “distinction into two phases of the experimentation activities. The first relating to the ShareArt test, the other to definitions of new collaborations on the basis of the results of the experimentation [, given that] the investigation by the Guarantor and the consequent interruption of activities occurred in the first phase, when the "Project ” was in its first stage of the initial phase, in which the Municipality of Bologna could not (and was not able) to exercise any influence on the purpose of the activities, since in this first phase the purposes had the essential features of the research and of experimentation”; - "these purposes constitute elements that are irrelevant and irrelevant to the perimeter of institutionally envisaged responsibilities of the Museums Institution". 3. Outcome of the preliminary investigation. 3.1 The processing of personal data carried out through the ShareArt system The Regulation defines "personal data" as "any information relating to an identified or identifiable natural person ("data subject")" (Article 4, paragraph 1, no. 1). The use of the expression "any information", also used in the analogous definition pursuant to art. 2, lit. a), of Directive 95/46, “reflects the objective of the EU legislator to give a broad meaning to this notion, which is not limited to sensitive or private information, but potentially includes any type of information, both objective as well as subjective [...] provided that they are "concerning" the person concerned. As regards the latter condition, it is satisfied if, by reason of its content, its purpose or its effect, the information is connected to a specific person" (Court of Justice of the European Union, judgment of 20 December 2017 , C-434/16, Nowak, paragraph 34). Based on the jurisprudence of the Court of Justice of the European Union on the processing of personal data using video devices, it is common ground that an image of a person's face constitutes personal data and that the recording of this image involves the processing of personal data (see judgments of 20 October 2022, Koalitsia "Demokratichna Bulgaria - Obedinenie", C‑306/21, paragraph 32, 14 February 2019, C 345/17, Buivids, paragraphs 31 and 32 and of 11 December 2014, C -212/13, Ryneš, points 22 and 25), the fact that the data controller does not know the identity of the person in question or does not have information on his own that could allow him to identify the same is completely irrelevant (cf. recital 26 of the Regulation, where it is specified that, in order to establish the identifiability of a person, it is appropriate to consider all the means that not only the data controller but also a third party can reasonably use to identify said natural person directly or indirectly; in jurisprudence, see Cass. Civ., sent. no. 17440 of 2 September 2015, where it is stated that "it does not appear possible to doubt that the image constitutes personal data [...] since it is data immediately suitable for identifying a person, regardless of his notoriety"). In fact, it is abstractly possible to trace a person's identity, starting from the image of the face, in particular using information that is in the possession of third parties (for example, public or private databases) or publicly available (for example, networks social), having to consider that "in order for a datum to be qualified as «personal data» [...] it is not required that all the information that allows the person concerned to be identified be in the possession of a single person" (C‑434/16, Nowak, cited above, paragraph 31; see also judgment of 19 October 2016, Breyer, C‑582/14, paragraph 43). This is also implicitly confirmed in the cons. 51 of the Regulation, when it is stated that "the processing of photographs should not systematically constitute a processing of particular categories of personal data, since they fall within the definition of biometric data only when they will be processed through a specific technical device which allows the unambiguous identification or the authentication of a natural person", from which it follows that the image of a person, such as the one portrayed in a photograph or video, constitutes personal data, even though it is not in itself and in a systematic way personal data relating to special categories referred to in art. 9 of the Regulation. That said, the defensive arguments of the Municipality and Enea, aimed at illustrating in detail the functioning, from a technical point of view, of the video devices used in the context of the ShareArt project, do not allow us to overcome the remarks made with regard to the circumstance that the use of the aforesaid devices involves the processing of personal data, consisting of the image of the face of museum visitors. Indeed, as emerges from the technical documentation filed by Enea in the context of the same proceeding, the system in question uses a face detection algorithm in order to identify the faces of the visitors within the images taken by the cameras - or rather within the single frame that may contain one or more faces - even without the need to determine which face in the frame is and to whom it belongs. The face detection algorithm used does not permanently store the facial characteristics of the identified face so that if the software detects a face of a specific person in the frame and subsequently finds the same face on another image, it will not determine that the face belongs to the same person, counting the face twice in the shots. Unlike face recognition systems, face detection systems are not, in fact, aimed at recognizing specific people and are not connected to the identification and recognition of the data subjects. In any case, the system used makes it possible to acquire information relating to age, gender and some emotional elements of the faces identified in the various frames. The face detection algorithm used in the ShareArt system is based on convolutional neural networks (CNN) to detect faces in the images. In this context, the identification of faces generally takes place through the following stages: • preprocessing: the image is processed to improve image quality and remove noise; • image scanning: the image is divided into small regions or windows that run along the image; • feature extraction: a set of filters is applied to each window to extract image features, such as edges, textures, lines, angles, etc.; • classification: the extracted features are then passed through the convolutional neural network to determine whether the window contains a face or not; • merging: windows containing faces are merged together to form a final image with the detected faces; In summary, a frame in facial detection systems refers to a single digital image captured by a camera or video source that contains one or more human faces. Processing each frame is essential for identifying and recognizing faces and may require several processing operations, such as image segmentation, applying a classifier, and extracting facial features. In the light of what has been shown, it can only be assumed that the face detection algorithms require the processing of personal data, consisting of images of people's faces. Indeed, it is undeniable that the starting data used by the algorithm is the image of the person's face, in front of the work of art. This data, present in the captured and subsequently processed frames, according to Enea, resides for about 100 milliseconds in the RAM of the SBC electronic board, to then be overwritten by the next frame. This operation involves the processing of personal data, albeit for a very short time, necessary for CNN to identify faces and to extract other relevant information. Although, therefore, the described system does not envisage the treatment of visitors' facial images, aimed at biometric recognition and identification, it is undeniable that the functioning of the system is based on an initial acquisition of images containing the visitors' faces , subsequently elaborated precisely in order to identify, within them, the faces. The frames reside on the system for a very short period, but in any case sufficient to implement the processing of personal data by the subjects involved (see provision no. 551 of 21 December 2017, web doc. no. 7496252, relating to a substantially similar case, in which "albeit for a short period of time, equal to a few tenths of a second, the system installed [by the data controller] involved [was] the processing of personal data, consisting of images of the faces of the data subjects, aimed at deducing from the facial image a series of information used to carry out analysis of the advertising audience"). Nor can the circumstance that no member of the data controller's organization be able to view the images memorized for such a short period of time assume significance, given that the qualification of information as personal data, for the purposes of the Regulation, cannot depend - even on protection of data subjects - from the fact that the data controller actually complies with technical-organisational limitations set up by himself in order to limit or prevent accessibility to the data, which could be disregarded at any time by members of the organization of the owner, or rendered ineffective as a result of computer attacks implemented by third parties. On the other hand, in the same collaboration agreement entered into between the Municipality and ENEA (Annex No. 10 to the Enea Note Prot. No. XX, acquired in the context of the same procedure) it was assumed that the execution of the project would have involved the processing of visitors' personal data, although not attributable to the particular categories referred to in art. 9 of the Regulation ("it is important to underline how the technology used in the detection devices of the "ShareArt" system is completely compatible with the provisions of the [R]regulation [...] regarding [the] respect for the privacy of the museum public. In fact, in the algorithms for detecting faces, profiling (gender and age) and tracking of the observer of the work there is no acquisition and storage of genetic, biometric data intended to uniquely identify a natural person […] However, it is it is worth noting that the processing of photographs, a case similar to what occurs in "ShareArt" acquisition devices, does not systematically constitute a processing of particular categories of personal data"). In the light of the foregoing considerations, it must be concluded, contrary to what was claimed by the Municipality and Enea during the preliminary investigation, that the ShareArt system involves the processing of personal data, consisting in the acquisition and temporary memorization of the face image of the visitors to the museum, albeit for a small fraction of the time. 3.2 The co-ownership relationship between the Municipality and Enea Pursuant to art. 4, par. 1, no. 7), of the Regulation, the data controller is “the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of processing personal data; when the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria applicable to his designation may be established by Union or Member State law". When two or more controllers jointly determine the purposes and means of processing, "they are joint controllers" and must "determine [in a transparent manner, through an internal agreement, their respective responsibilities for compliance with the obligations arising by this Regulation, in particular with regard to the exercise of the rights of the data subject, and the respective functions of communication of the information referred to in Articles 13 and 14, unless and insofar as the respective responsibilities are determined by Union law or of the Member State to which the controllers are subject. This agreement may designate a contact point for data subjects” (Article 26, paragraph 1, of the Regulation). The agreement between the joint controllers "adequately reflects the respective roles and relationships of the joint controllers with the data subjects" and the "essential content of the agreement [must be] made available to the data subject" (art. 26, paragraph 2, of the Regulation ). In this case, by stipulating the aforementioned collaboration agreement and implementing the "ShareArt" project at the Municipal Art Collections of Palazzo D'Accursio in Bologna, in order to obtain aggregate information on the subjective characteristics of the visitors and on the the ways in which they interacted with some works of art, the Municipality and Enea jointly determined the purposes and means of the processing. Indeed, as clarified by the European Data Protection Board, "the general criterion for the existence of joint controllership of processing is the joint participation of two or more subjects in defining the purposes and means of a processing operation. Joint participation can take the form of a joint decision, taken by two or more subjects [...]” (“Guidelines 07/2020 on the concepts of data controller and data processor under the GDPR”, adopted on 7 July 2021, paragraph 53). To this end, "an important criterion is that the treatment would not be possible without the participation of both subjects, in the sense that the treatments carried out by each subject are inseparable from each other, i.e. inextricably linked". With this agreement, the parties mutually acknowledged the fact that "it is in the interest of ENEA and the Bologna Museums institution to experiment with new systems based on the application of IoT/BigData methods in order to be able to quantify quantities useful for defining the degree of use of works of art exhibited in museums" and that "a collaboration in this sense between the Bologna Museums Institution and Enea constitutes a concrete opportunity to develop innovative solutions and technologies for the use of cultural heritage and the enhancement of their territorial realities". To this end, the Parties have "made their technical and scientific skills and resources available and in support of the project, according to [the aforementioned] objectives" and have agreed in detail "the description of the activities, the program and the resources employed” (see the technical attachment to the agreement), agreeing to bear the costs of the project, each to the extent of its own competence. The results of the project, in terms of aggregated data on the methods of use of the works of art, bring benefits both to the Municipality and to Enea, given that, as declared by Enea, "the data, already anonymised, are studied only by ENEA and ISTBO for the respective purposes of the project" and that the parties have expressly agreed, with the aforementioned agreement, to become co-owners of any results, or intellectual property rights, achieved as a result of the execution of the project, as well as to the right to "publish and/or disclose the results of the activities" (see the "Guidelines 07/2020 on the concepts of data controller and data processor pursuant to the GDPR", cited above, paragraph 60, where it is stated that "[...] the co-ownership of the treatment can also occur if the subjects pursue strictly connected or complementary purposes. This can occur, for example, when there is a mutual advantage deriving from the same treatment operation [...]"). Therefore, the circumstance that the Municipality limited itself to making available to ENEA the environments "where it could pursue the institutional mission referred to in Law 221/2015, i.e. the testing activities of the system, is not reflected in the contractual agreements “ShareArt””. In any case, even if only by making these environments available to ENEA, authorizing the installation and use of video devices for the purposes of the project and allowing the acquisition of images of visitors to one of its museums, the Municipality has made it possible processing of personal data in question, which, in the absence of your collaboration with Enea, could not have taken place. In this regard, it should be noted that, as clarified by the Court of Justice of the European Union, the existence of a joint responsibility does not necessarily imply an equivalent responsibility, for the same processing of personal data, of the various subjects involved in it. On the contrary, these subjects can be involved in different phases of this treatment and at different levels, so that the degree of responsibility of each of them must be assessed taking into account all the relevant circumstances in the specific context (judgment C-40/17, Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, of 29 July 2019: see also judgment C-210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018; see the "Guidelines 07/2020 on concepts of treatment and data controller pursuant to the GDPR”, cit., par. 58). Furthermore, it is not necessary that the determination of the purposes and means of the processing should be carried out by means of written instructions or assignments by the data controller. Therefore, a natural or legal person can be considered the data controller who, for purposes that are specific to him, influences the processing of personal data and therefore participates in the determination of the purposes and means of such processing (see Court of Justice of the European Union, judgment C-25/17, Jehovan todistajat, of 10 July 2018; see the "Guidelines 07/2020 on the concepts of data controller and data processor pursuant to the GDPR", cit., paragraphs 57 and 58). The circumstance that the Municipality did not have access to the images collected through video devices is, in this regard, irrelevant. This is because, always recalling the jurisprudence of the Court of Justice of the European Union, "the joint responsibility of various subjects for the same treatment, pursuant to this provision, does not presuppose that each of them has access to the personal data in question" (judgment C-40/17, cited above; see also judgment C-25/17, Jehovan todistajat, of 10 July 2018 and C-210/16, Wirtschaftsakademie Schleswig-Holstein, of 5 June 2018; see also the "Guidelines 07/2020 on the concepts of data controller and data processor pursuant to the GDPR", cited above, paragraph 56). In the light of the foregoing considerations, the processing of personal data, consisting of images of museum visitors, using video devices, was carried out by the Municipality and Enea as co-owners of the treatment, not having, however, the same previously stipulated an agreement of co-ownership of the treatment, in violation of the art. 26 of the Regulation. 3.3 The lack of a legal basis for the treatment Public entities may, as a rule, process personal data using video devices if the processing is necessary for compliance with a legal obligation to which the data controller is subject or for the performance of a task in the public interest or connected with the exercise of public powers vested in the data controller (art. 6, paragraph 1, letters c) and e), and 3, of the Regulation, as well as 2-ter of the Code; see the "Guidelines 3/2019 on the processing of personal data through video devices" of the European Data Protection Board, adopted on 29 January 2020, par. 41). In any case, the data controller is required to respect the principles of data protection, including that of "lawfulness, correctness and transparency" as well as "data minimization", according to which personal data must be "processed in a lawful, correct and transparent manner in relation to the interested party", as well as "adequate, pertinent and limited to what is necessary with respect to the purposes for which they are processed" (Article 5, paragraph 1, letter a) and c ), of the Regulation). Having clarified that the use of the ShareArt system involves the processing of personal data (see previous par. 3.1), it should be noted that, during the investigation, the Municipality has not demonstrated that the processing in question could be considered based on a suitable legal basis, since the Municipality limited itself to claiming that no processing of personal data resulted from the use of this system. In this regard, in general, it must be remembered that, pursuant to articles 6, par. 3, of the Regulation and 2-ter, paragraph 1, of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021, in force at the time of the facts object of the investigation), the legal basis consisting in the need to carry out a processing of personal data "for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" (Article 6, paragraph 1, letter e), of the Regulation) could be "exclusively constituted by a rule of law or, in the cases provided for by law, a regulation", it being understood, in any case, that the legal basis on which the treatment is based must pursue an objective of public interest, must be proportionate to the legitimate objective pursued and must meet the quality requirements in terms of precise regulation of the envisaged processing (see article 6, paragraph 3, last sentence, of the Regulation). Taking into account that these requirements "constitute an expression of those deriving from Article 52, paragraph 1, of the Charter [of fundamental rights of the European Union], they must be interpreted in the light of this provision" and, therefore, limitations on the fundamental rights to the respect for private life and the protection of personal data (see articles 8 of the European Convention on Human Rights and 7 and 8 of the Charter of Fundamental Rights of the European Union) "may [...] be made, provided that, in accordance with Article 52(1) of the Charter, they are provided for by law and respect the essence of fundamental rights as well as the principle of proportionality. By virtue of this principle, limitations may be made only where they are necessary and effectively meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others. They must operate within the limits of what is strictly necessary and the legislation involving the interference must lay down clear and precise rules governing the scope and application of the measure in question" (judgment of 1 August 2022, C-184/20, Vyriausioji tarnybinės etikos komisija, paragraph 64). In particular, "in order to satisfy the requirement of proportionality, which finds expression in Article 5, paragraph 1, letter c), of the regulation [...] the legislation on which the processing is based must provide for clear and precise rules governing the scope and the application of the [envisaged] measure and impose minimum requirements so that the persons whose personal data are concerned have sufficient guarantees to effectively protect [the] data against the risk of misuse. Such legislation must be legally binding under national law and, in particular, indicate under which circumstances and under which conditions a measure providing for the processing of such data may be taken, thus ensuring that the interference is limited to what is strictly necessary ” (judgment of February 24, 2022, C-175/20, Valsts ieņēmumu dienests, para. 83). In the present case, the Municipality has not proved the existence of any legal provision or, in the cases provided for by law, any regulation which expressly provides for the processing of personal data such as that carried out in the context of the ShareArt project. It must therefore be concluded that the same was carried out in a manner that does not comply with the principle of lawfulness, correctness and transparency, and in the absence of a legal basis, in violation of articles 5, par. 1, lit. a), 6, para. 1, lit. e), of the Regulation and 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021). 3.4 The insufficient transparency of the treatment It has been ascertained, and it is not controversial, that the Municipality and Enea have not provided museum visitors with complete information on the processing of personal data, despite having posted a notice to inform users of the use of the ShareArt system, in which was specified, in particular that “for the purpose of protecting the privacy of visitors, a detection algorithm has been implemented which does not imply face recognition. Furthermore, the system acquires data without recording the images: the useful information, in fact, is the number of people who are watching the work and not who is doing it". This notice does not contain all the elements required by art. 13 of the Regulation, with particular regard to the contact details of the joint data controllers, the contact details of the respective data protection officers, the legal basis of the processing, the data retention period (or the criteria for determining this period) and to the rights of the interested parties pursuant to articles 15-22 of the Regulation. The processing of the personal data in question therefore took place in a manner that did not comply with the principle of lawfulness, correctness and transparency, in violation of articles 5, par. 1, lit. a), 12 and 13 of the Regulation. 3.5 The alleged discriminatory effects of the system With regard, however, to what was stated in the report regarding the fact that "classification based on gender risks confusing biological sex with gender, producing wrong classifications and discriminating against all transgender subjects or those who do not identify with the gender binary ”, it is noted that, on the basis of what emerged during the investigation, the ShareArt system cannot materialize this risk, given that no type of decision, based on gender, which could have a direct impact on the interested parties, has been taken through this system. 4. Conclusions. In the light of the assessments referred to above, it should be noted that the statements made by the Municipality during the investigation ˗ the truthfulness of which may be called upon to answer pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow overcoming the findings notified by the Office with the act of initiation of the procedure and are insufficient to allow the closure of the present procedure, since none of the cases provided for by the 'art. 11 of the Regulation of the Guarantor n. 1/2019. Therefore, the preliminary assessments of the Office are confirmed and the illegality of the processing of personal data carried out by the Municipality through the ShareArt system is noted, for having processed the personal data of museum visitors in the absence of a legal basis, providing them with a unsuitable information on the processing of personal data and by failing to enter into an agreement of co-ownership of the processing with Enea, in violation of articles 5, par. 1, lit. a), 6, para. 1, lit. e), 12, 13 and 26 of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021). That said, taking into account that: the processing did not concern biometric data or other data belonging to particular categories (see Article 9 of the Regulation); the images of the visitors' faces were stored in the ShareArt system for a few thousandths of a second; the overall treatment took place for a not too long period of time and in the context of the pandemic emergency from SARS-CoV-2, in which the number of visitors to the museum was in any case limited, having been, moreover, employed, for the most part of that period, only two devices (see the defensive brief of the Municipality in the connected proceeding, in the documents, where it is stated that "the project took place in a pandemic period with a reduced number of opening days of the museums and a low number of visitors per day also due to the quotas and of the various obligations and limitations for access. From the XX - only 4 days a week with reduced hours for a total of 52 days. opening; from XX to XX total closure; from XX to XX, open for a total of 12 days, with reduced hours; from the 20th the museums were closed again until the 20th; from XX to XX opening for 60 days. part-time [...] For most of the period (100 days) there were two cameras, for 18 days there were 9 and for 6 days there were 14. Especially in the XX - late XX period, the 2 cameras were not always active as installation tests with ENEA personnel were in progress”); the devices were used on a limited number of works of art (about 10 out of 24,000 works in the 11 civic museums managed by the Municipality); the violation is culpable, as the Municipality acted in good faith, in the erroneous belief, also gained on the basis of specific investigations (carried out by Enea before proceeding with the treatment and, therefore, in any case worthy) that the use of the ShareArt system does not involve the processing of personal data; this also taking into account that the assessments that the Body was called to carry out in the context of the ShareArt project were characterized by a high degree of technical and legal complexity; although museum visitors could have been influenced in the context of the use of the works of art (considering the particular level of technological sophistication of the devices used, their location in close proximity to the works and the impossibility of opposing the treatment), the however, the processing took place in a public place, such as a museum, in which the interested parties cannot claim complete confidentiality, also given the possible use of traditional video surveillance devices, even if for the pursuit of the different purpose of protecting the artistic heritage ( see Article 1 of Decree Law No. 433 of 14 November 1992); although suitable information on the processing of personal data was not provided, visitors were nonetheless warned of the use of the ShareArt system by means of special signs, placed before the exhibition area; the Municipality cooperated satisfactorily with the Authority during the investigation; there are no previous relevant violations committed by the data controller or previous measures pursuant to art. 58 of the Regulation; the circumstances of the specific case lead to qualifying the same as a "minor violation", pursuant to cons. 148 of the Regulation and the “Guidelines concerning the application and provision of administrative fines for the purposes of regulation (EU) no. 2016/679”, adopted by the Art. 29 Working Group on 3 October 2017, WP 253, and endorsed by the European Data Protection Board with the “Endorsement 1/2018” of 25 May 2018. In the light of all of the above, and of the overall terms of the matter in question, it is therefore considered sufficient to admonish the data controller for the violation of the aforementioned provisions, pursuant to art. 58, par. 2, lit. b), of the Regulation (see also cons. 148 of the Regulation). In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation. Finally, it should be noted that the conditions pursuant to art. 17 of regulation no. 1/2019. ALL THIS CONSIDERING THE GUARANTOR a) declares, pursuant to art. 57, par. 1, lit. f), of the Regulation, the unlawfulness of the processing of personal data carried out by the Municipality of Bologna, in the person of its pro-tempore legal representative, with registered office in Piazza Maggiore 6 - 40121 Bologna (BO), C.F. 01232710374, for violation of articles 5, par. 1, lit. a), 6, para. 1, lit. e), 12, 13 and 26 of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021), in the terms set out in the justification; b) pursuant to art. 58, par. 2, lit. b) of the Regulation, admonishes the Municipality of Bologna, as data controller in question, for having violated the articles 5, par. 1, lit. a), 6, para. 1, lit. e), 12, 13 and 26 of the Regulation, as well as 2-ter of the Code (in the text prior to the amendments made by Legislative Decree No. 139 of 8 October 2021), as described above; c) believes that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. Rome, 13 April 2023 PRESIDENT Station THE SPEAKER Station THE SECRETARY GENERAL Matthew