Garante per la protezione dei dati personali (Italy) - 9900808

From GDPRhub
Garante per la protezione dei dati personali - 9900808
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 28 GDPR
Article 29 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.04.2023
Published:
Fine: 239,000.00 EUR
Parties: Ama S.p.a.
National Case Number/Name: 9900808
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: Bernardo Armentano

A company that manages cemeteries was fined €239,000.00 for having identified the graves of fetuses with the names of women who had an abortion.

English Summary[edit | edit source]

Facts[edit | edit source]

After numerous press reports, the Italian DPA learned that some cemeteries in Rome had a specific area for 'products of conception' and 'fetuses' that were buried in small graves over which the names of women who had had abortions were affixed on a cross. Differently from other areas of the cemeteries, where fetuses were buried after a cerimony, in this specific areas the burials were made at the request of the local health agency and did not receive a funeral.

The Italian DPA then opened a wide investigation that was divided in 3 procedures: one against the local health agency (ASL), one against the public company that managed the cemeteries (AMA) and one against the City of Rome (owner of the public company). In the course of the investigations, the DPA found that AMA had signed a service contract with the City of Rome, through which it was identified as the processor, pursuant to Article 28 GDPR.

Holding[edit | edit source]

After the investigations, the Italian DPA concluded that the AMA, originally a processor, acted beyond the instructions of the City of Rome, violating Article 29 GDPR. Therefore, it held that the company determined the purposes and means of that procesing and considered it as the controller.

The DPA then highlighted that information about abortion constitutes health data and that the spontaneous or voluntary interruption of pregnancy for reasons of health risk is considered as a disease, according to Italian law. Moreover, the law establishes a strict regime of confidentiality to protect the woman's right to anonymity, criminalizing the disclosure of the identity of women by health professionals.

The DPA further emphasized that there is no law requiring the names of women who had an abortion to be placed on the graves of the fetuses. According to the DPA, the controller should have implemented sufficient measures to ensure that only an identification code, associated with the name of the parents in the cemetery register, was placed on the graves.

Finally, the DPA noted that upstream processing os these sensitive data, transferred from hospitals to the health agency and from the latter to the cemeteries must be adapted to comply with data protection. For instance, by applying the data minimization principle, health agencies should no longer include women's personal details in the transport and burial authorizations that are sent to the cemetery services. Instead, health agencies can implement technical (e.g. pseudonymisation or data encryption) and/or organizational measures to avoid the direct identification of the women concerned.

For the above reasons, the DPA found violations of Articles 28, 29 and 32 GDPR and issued a fine of €239,000.00

Comment[edit | edit source]

Although the disclosure of information was intentional, the DPA found a violation of Article 32, for lack of adequate security measures, and not of Article 6 (lawfulness of the processing).

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of 22 June 2023



[doc. web no. 9900826]

Provision of April 27, 2023

Register of measures
no. 164 of 27 April 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE, "General Data Protection Regulation" (hereinafter "Regulation");

CONSIDERING the d. lgs. 30 June 2003, no. 196 containing the "Code regarding the protection of personal data (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

HAVING REGARD to the documentation in the deeds;

GIVEN the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data (web doc. n. 1098801);

Supervisor Prof. Geneva Cerrina Feroni;

1. Premise

Following numerous press reports, it was learned that at the Flaminio cemetery in Rome - managed by the Azienda Municipale Ambiente S.p.a. (hereinafter Ama S.p.a.), a company with sole shareholder Roma Capitale - there were hundreds of white crosses above small burials relating to abortifacient products, on which labels were affixed bearing the personal details of the women who had terminated a pregnancy and a date (cf. XX, https://...; XX ,https://...).

Also on the basis of the information reported on the institutional site of the Capitoline cemeteries, it was learned that "Since 1990, a special field has been available at the Flaminio cemetery for the burial on the ground of children up to 10 years of age, to which AMA-Cimiteri Capitolini also allocates the "fetuses" who had a funeral. Still at the Flaminio, there is another field for the "products of conception" or "fetuses" who have not had funeral honors because they are buried at the simple request of the ASL. They lie in single graves, marked by a funerary sign affixed by AMA-Cimiteri Capitolini, consisting of a wooden cross and a plaque commonly bearing the name of the mother or the registration number of arrival at the cemetery, if expressly requested by family members". At the Laurentino cemetery, however, there is an area called the "Garden of the angels" intended for burials at the request of the parents, within which "the tombstones that distinguish the burial are all the same: recognition is made possible by a code placed on the back of the tombstone. On the front it is possible, if required, to enter names, which can also be "fictitious" (see https://...; https://...).

2. Investigation

On the basis of this information, an official investigation was launched against Roma Capitale and Ama S.p.a. In particular, with the note prot. no. XX of the XX, the Office preliminarily requested elements from AMA S.p.A., which with note prot. no. XX of the XX, stated the following:

- "in the context of the Service Contract in place with Roma Capitale, [AMA S.p.A.] is identified as Data Processor (pursuant to Article 28 of Regulation (EU) 2016/679), limited to the data of citizens, Ta.Ri. customers and users of the Capitoline Cemeteries. AMA S.p.A. has managed the Capitoline Cemetery Services since 1998 (Resolution of the City Council of 29 September 1998, which confers cemetery services to AMA since 1 October 1998; assignment confirmed with Resolution No. 99 of 30 May 2018); the organizational structure of AMA S.p.A. provides for a Capitoline Cemetery Service, within which the Necropsy Services Office is present";

- the matter is governed by the “Royal Decree of 9 July 1939, n. 1238 "Regulation of the civil status", from the d.P.R. 10 September 1990, no. 285 containing the "Approval of the mortuary police regulation" and the "Roma Capitale Cemetery Police Regulation (Municipal Council Resolution n. 3516/1979)";

- with reference to the management of the burials of abortifacient products, "in application of the aforementioned regulatory device (Presidential Decree 285/90), the ASL is responsible for:

- the burden of receiving the burial request presented by the parents;

- the issuance of the transport permit;

- authorization for burial;

The administrative activity carried out by the Capitoline Cemetery Service consists exclusively in the mere receipt of the documentation issued by the competent structures and relating to:

- Request for burial by the health facility;

-  Burial authorization issued by the ASL";

- such documentation "receives the original from the Necroscopic Services Office of the Capitoline Cemeteries, [...] often [...] after several months or even more than a year from the date of the abortion event". The aforementioned Office "verifies that for each burial request there is the corresponding authorization issued by the ASL [...]";

- "The collection and transport service of abortifacient products is carried out exclusively by the personnel assigned to the internal Mortuary Police Service, therefore by AMA S.p.A. employees, without the help of external personnel";

- “The staff of Ama S.p.a. it also provides for the creation of the identification plate with the data reported on the ASL authorization engraved on it. These data consist of the name and surname of the mother”, and the identification plate is affixed to the coffin;

- the personnel of Ama S.p.a. proceeds "to the creation of a deceased file in the Cemetery Register, entering the date of arrival, the origin, the identification data present in the documentation delivered by the Mortuary Police, the type (fetus), the type of burial (burial), the date of burial (which may also be deferred with respect to arrival) and the location of the coffin, communicated after the operation is performed by the Chief of the Cemetery Technical Operators. The latter will place the funerary sign, indicating the position of the coffin, with the burial date, the identification data of the fetus and the location";

- the "Presidential Decree 285/90, in art. 52, second paragraph, provides for a series of obligations attributable to the verification, management and conservation of personal and temporal data. The art. 70 of the same Presidential Decree, in paragraph 2, prescribes for burial pits the affixing of a specific plate indicating the name and surname, date of birth and death of the deceased contained in the pit itself. With regard to this specific element, the legislation in force does not provide for the burial of abortifacient products. At present, therefore, the legislation on the subject appears to be deficient, since, if on the one hand the aforementioned Presidential Decree specifically provides for the possibility of proceeding with the burial of "abortifacient products" (art. 7), on the other hand, it nonetheless requires that each "pit" must be identified by a "stone" with indication of the data of the deceased (art. 70) [...]";

- "Therefore, in order to comply with [']art. 70 paragraph 2, in application of a dutiful and necessary "logical" interpretation of the law also pursuant to art. 12 of the pre-laws to the civil code, in cases where the issue of the birth/death certificate by the registrar is not foreseen (as in the case, precisely, of "abortion products"), the data relating to the name and surname of the parent and date of extraction/expulsion, the only data available and provided by health facilities, for the purposes of traceability required by the above standards. It is also added, as evidence of the necessary traceability and data management, that in the past, following investigations by the judiciary, abortion products were exhumed, specifically identified with the names of the mothers".
From the elements in the file, it also emerged that the women's data, as well as being indicated on the plates affixed to the crosses, are subject to further processing by the cemetery services managed by AMA S.p.a. and of the Municipality. These treatments concern, in particular, the obligation to keep cemetery registers and the archiving of the documentation received from the local Health Authorities (transport and burial authorizations and medico-legal certificate). In this regard, Ama S.p.a. he specified that the personnel in charge "create a deceased file in the Cemetery Register, entering the date of arrival, the origin, the identification data present in the documentation delivered by the Mortuary Police, the type (fetus), the type of burial ( burial), the date of the burial”. Considering that "the data relating to the name and surname of the parent and date of extraction/expulsion, (are the) only data available and provided by health facilities, for the purposes of traceability required by the regulations", it is assumed that such data are also reported in the aforesaid registers, a copy of which, on the basis of art. 53 of the Presidential Decree 285/1990 must be sent annually to the Municipality.

The documentation produced in deeds then made it possible to detect the particular delicacy of the documentation sent by the local health authorities to the cemetery services, which consists of:

- a note of transmission of the authorization for transport and burial, usually drawn up cumulatively and showing the unencrypted list of the names of the women, with attached, for each of them:

- the authorization for transportation and burial, stating the woman's name, surname, place and date of birth; sex, weight, week of gestation of the abortion product; presumable cause of the abortion, number and date of the protocol;

- the medico-legal certificate certifying the abortion, showing the date and time of the abortion, name, surname, place and date of birth, residence of the woman, weight, sex and week of gestation of the fetus.

With note prot. no. XX of the XX, considering that the processing of the data subject of the investigation was carried out by AMA S.p.a. as manager of the treatment designated by Roma Capitale, the Office requested further elements from the aforementioned Municipality, data controller, which, with note prot. no. XX of the XX, in confirming everything already deduced by AMA S.p.a., declared that:

- “the R.D. no. 1238/1939 and the Mortuary Police Regulations (Presidential Decree n. 285/1990), do not offer a precise reference discipline with regard to the burial of aborted fetuses aged between 20 and 28 weeks and any indications to be affixed on the epigraph of the burial, noting an evident regulatory gap also given the absence of a Regional Regulation.

- In this context [...] the information provided to AMA S.p.A. they are inherent in compliance, in addition to the national sector legislation, also with the specific indications relating to the regulation and management of cemetery services".

- as regards, however, the processing of personal data carried out in similar cases at the Laurentino cemetery in the area called "Giardino degli Angeli" "the fetuses are expected to be accepted upon explicit request from the parents, always subject to ASL authorization [... ]. In this circumstance, the stone is made on which the names specifically chosen by the parents themselves are placed".

In relation to the above, with note prot. XX of the XX, the Office, on the basis of the elements acquired from the checks carried out and the facts that emerged following the preliminary investigation, notified Ama S.p.A., pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, concerning the alleged violation of art. 29 of the Regulation, inviting the Company to produce defense writings or documents to the Guarantor, asking, if necessary, to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the law 24 November 1981, n. 689).

With note of the XX, prot. no. XX Ama S.p.a. has sent to the Guarantor, pursuant to art. 166, paragraphs 6 and 7, of the Code and of the art. 18, paragraph 1, of the law of 24 November 1981, n. 689, his own defense writings in relation to the notified violations declaring, in particular, that:

- “The method used by AMA S.p.A. for burial with the inhumation system, dates back to the birth of the Flaminio cemetery dated 1888, when it was called "Cemetery of Casale di Prima Porta" [...].

- the art. 70 of the Presidential Decree 285/90, paragraph 2, prescribes for inhumation pits the affixing of a specific plate indicating the name and surname, date of birth and death of the deceased contained in the pit itself. With regard to this specific element, the legislation in force does not indicate anything for the burial of abortifacient products.

- Ama S.p.A. promptly urged Roma Capitale to intervene for the updating and adaptation of the Cemetery Police Regulations; the new Regulation is in the approval phase, as declared by the Administration itself on November 25th. It follows that in the course of the personal data processing in question, the legislation on the subject was lacking, since, if on the one hand the aforementioned D.P.R. 285/90 specifically provides for the possibility of proceeding with the burial of "abortifacient products" (art. 7), on the other hand, however, imposes that each "pit" must be distinguished by a "stone" with indication of the data of the deceased (art 70). […]

- For the above AMA S.p.A., in the context of the management of the Capitoline Cemetery Services, in the face of the demonstrated incompleteness of the regulatory data, which "does not provide for the burial of abortifacient products" and in the absence of specific instructions from the Data Controller, however, it has adopted the procedure for managing burial requests from the Local Health Authorities in the manner currently censored by this Authority, in order to guarantee the continuity of an essential public service for the community.

- AMA S.p.A., within the context of the Service Contract in place with Rome Capital, is identified as Data Processor (pursuant to Article 28 of EU Regulation 2016/679), limited to the data of citizens, Ta.Ri customers . and users of the Capitoline Cemeteries. This role is indicated in the Service Contract. However, the "Deed of designation of the person responsible for the processing of personal data pursuant to and for the purposes of art. 28 of Regulation (EU) 2016/679” was formalized last XX. At the same time, on 22 December 2020, the undersigned AMA S.p.A. received from the Rome Environmental Protection Department the document "Personal data processing for burials of products of conception, abortifacient products and fetuses in the Flaminio cemetery", containing instructions, also on the subject of personal data processing, for the burial of abortifacient products.

- With respect to the relationship between the Data Controller Roma Capitale and the Manager AMA S.p.A. and, in particular, to the precise objections reported in the Notification of violation in question: "(...) in the face of the incompleteness of the overall framework referred to above, it did not deem it necessary to request specific instructions in advance from the data controller, instructions which are extremely necessary for the management of cases with such delicate implications (...)” [...] the writer would like to point out that a meeting has been repeatedly requested from the Data Protection Officer of Rome Capital, without having obtained confirmation. Since the entry into force of EU Regulation 2016/679, the Data Controller Roma Capitale has designated three DPOs/RPDs, making the necessary coordination difficult. The first meeting between the DPOs of the Data Controller and the Manager of AMA S.p.A. was held last July 17 […]. During this meeting, the difficult situation in which AMA S.p.A. is found due to the inability to communicate with the Data Controller and due to the lack of instructions and procedures from the latter".

With reference to these profiles, in the context of the investigation initiated against the data controller, Roma Capitale, with the notes of the XX, prot. no. XX and XX, prot. no. XX, represented, in particular, that:

- "the indication of the women's personal details and the date of the interruption of their pregnancy on the plates [...] occurred only in cases where the burial did not take place at the request of the parents or family members, but at the request of the Local Health Authority. […].

- In the light of the critical issues identified, the Body has given the Data Processor AMA Roma S.p.A. specific operating instructions, aimed, on the one hand, at eliminating the detected dissemination of personal data through the elimination of any reference to the mother and/or fetus present on the funerary signs; on the other, to prevent any analogous violation for future processing [...] by providing both specific indications for the management of personal data from the ASLs, and general requirements also connected to the physical protection of the structures where the aforementioned data will be processed. […] AMA S.p.A. communicated the immediate implementation of the same instructions as well as the launch of an operational plan aimed at ensuring timely alignment with the new methods of burial of fetuses [...];

- in order to eliminate the problems - also of an interpretative nature - subsisting in the present case [...] the Capitoline Council with decision no. 169 of 4 December 2020 approved proposal no. 246 of resolution for the modification of the art. 4 of the Cemetery Police Regulations []. With the approved resolution, the Capitoline Assembly appoints the Environmental Protection Department to issue [AMA S.p.A.] instructions to bring its activity into line with the provisions contained in the Regulation, implementing them uniformly in all the Cemeteries of Rome Capital. Pending the approval of the above resolution, these instructions were given in advance to AMA Roma S.p.A. with note of the XX of the XX [...];

- Having taken note of the []error of interpretation in the application of the principles dictated by the GDPR by the Data Processor, not correctly instructed by the Data Controller, it is nevertheless noted that the treatments that do not comply with the Regulations are undoubtedly due to factors not dependent on the will of Rome Capital. First of all, the disputed operational methods of managing cemetery services depended on an evident discrepancy and lack of legislation [...]. In secundis, it is believed that [...] the disputed procedure must necessarily be evaluated also - if not above all - in the light of the content of the documentation coming from the local health authorities and received by AMA Roma S.p.A. [...] said documentation, from the outset, should not have contained "unencrypted" the personal data of the parents. [...] the problem raised [...] would not have occurred if these communications had taken place in compliance with the principles of proportionality and minimization. Precisely for this reason, in fact, the Guarantor Authority has reserved the right to also evaluate the processing of personal data carried out, upstream, by hospitals and healthcare companies".

3. The inspections.

Following the publication of a press agency and a session of the Equal Opportunities Commission of Rome Capital held on the 20th date (https://...), it was subsequently learned that Ama S.p.a would not have adequately implemented the specific instructions on the processing of the personal data referred to above and to the organizational and technical measures imparted by Roma Capitale as data controller, with the note of the XX, prot. no. XX cited above. As already highlighted, with this note, Ama S.p.a. - as data controller - both general instructions on the processing of personal data and specific instructions for the cases referred to in art. 7 of the Presidential Decree 10 September 1990, no. 285, including the measures to be put in place to stop the practice, not envisaged by any law, of indicating the women's data on the plates affixed to the burials of the fetuses.

In particular, these instructions envisaged that the cemetery registers should contain "only the data relating to transport and burial permits linked to an alphanumeric identification code corresponding to the progressive number of the cemetery register" and that the personal data of the women could not "be disclosed to third parties but exclusively to the parent". In the event of a burial request from the Local Health Authority, the plates to be affixed to the memorial stones should have indicated "the identification code present in the cemetery register" and for those currently bearing personal data, it should have been "associated with the name of the mother present in the cemetery register to an alphanumeric identification code and write it on a new plate to be affixed urgently on the relative funeral sign, in place of the plate bearing the personal data".

According to what was stated in one of the interventions carried out in the session of the aforementioned Commission of the XX century, despite these instructions, the data of the women would still be visible on the burials (because they were not adequately covered/erased) and the cemetery services would still provide information on the location of the burials by telephone on the subject, on the basis of the indication of the data of the same.

Therefore, the Office, in collaboration with the special unit for the protection of privacy and technological fraud of the Guardia di Finanza, deemed it necessary to carry out an urgent inspection visit on the XX date at the Flaminio Cemetery in Prima Porta and at the offices of the Directorate of Capitoline Cemetery Services .

3.1. Management of identification tags on burials.

On the occasion of the inspection visit, a preliminary inspection was carried out, with photographic findings, at field no. 108 of the Flaminio Cemetery from which it emerged that:

- the burials are "marked by the presence of metal crosses and wooden crosses on which metal plates are affixed, bearing the information requested in the instructions issued by Roma Capitale (date of burial, year of the register, register number, box, row and the pit);

- on part of the burials, the pre-existing plates have been replaced with new plates, on which only the aforementioned words appear;

- on some crosses, from about a third to a half, the labels have not been replaced but simply subjected to cancellation (of the previous information) and rewriting of the new wordings; in such cases the data relating to the woman's name and surname (in some cases also the word FETO) are still clearly visible, as documented by the photographic surveys carried out” (see pages 4-5 of the XX minutes).

With regard to the implementation of the instructions given by the owner, Ama S.p.a. declared that, at the time, it had "responded to Roma Capitale with note no. XX of the XX representing, among others, the preparation of an operational and temporal plan for the replacement of existing plates and updates on cemetery registers", and that the new procedures for new burial requests would be "immediately respected" (see page 4 minutes, and attachment 3 to the minutes). The Company also represented that "without prejudice to the inexperience in the practical execution of the measure adopted, and revealed by the inspection response, regarding the elimination of the names on the crosses [...] the Capitoline Cemetery Management had proceeded to cancel them and affixed the alphanumeric codes; the operation was carried out using a covering varnish which later proved to be unsuitable because, over time, in many cases, it let the name shine through".

Following the inspection, the Company with the note dated XX, prot. no. XX, declared to the Guarantor that "new crosses with only the alphanumeric code have been installed, as evidenced by the photographic documentation (attachment 4) and a project is also being studied [...] which plans to replace the metal crosses with stems of white marble, being Ama's will not only to comply with the norm but to do it in the most respectful way of the ethical duty of pietas which profoundly informs all the activity of the Capitoline Cemeteries".

3.2. Implementation of technical and organizational instructions and measures.

In relation to the treatments in question, Roma Capitale with the note of the XX, prot. no. XX requested Ama S.p.a. the identification of the subjects in charge of "all phases of the processing of personal data contained in the documentation that comes from the Local Health Units" (par. B1), the conferment of a "specific written assignment to the aforementioned authorized to process, containing both the indications of general nature" on the processing of personal data (par. A), "and specific indications for the management of the documentation in question" (par. B2), as well as the preparation and implementation "of a personalized training plan for those authorized to process" ( par. B3).

Based on the documentation acquired during the inspection, Ama S.p.a. documented the distribution of the Capitoline note to all the competent departments - including the cemetery services - while it did not provide evidence either in relation to the conferment of a "specific written assignment to the aforementioned authorized to process, containing both general indications [...] and specific indications for the management of the documentation in question" (par. B1 and B2), nor with regard to the preparation and implementation "of a personalized training plan for those authorized to process" (par. B3), specifically focused on the treatments in question ( and not general data protection training, such as that documented during the inspection), as requested by the data controller.

With regard to the management of the cemetery register, on the basis of the declarations and documentation acquired during the inspection visit, it was found that "only the data relating to transport and burial permits are indicated in the cemetery registers, linked to a numerical identification code corresponding to the progressive number of the cemetery register, with the indication of the woman's name and surname". In particular, access to the application used for the management of computerized cemetery registers - carried out during the inspection visit - made it possible to ascertain that the cemetery registry file shows the name and surname of the woman, the date of arrival, the provenance (hospital name), type of body (fetus), date of burial, location (no. box, row, etc.; see Attachment 5 to the report).

Instead, as regards the information that can be provided to users in the cases in question, Roma Capitale has provided that "the personal data contained in the aforementioned documentation cannot be disclosed to third parties but exclusively to the parent, with the consent of the same to those interested". Ama s.p.a. he also declared that "at the offices of the URP (Company's Public Relations Office) and the Call Center, the databases used in carrying out the public information services [include the] management [...], through the which the Cemetery Registers can be accessed”. In order to provide information on the location of the burials "the search is carried out using the name of the deceased and in the case of fetuses [...] it is possible only using the name of the woman. However, this information is provided exclusively to the interested party at [the] offices. In the event of a telephone request, the applicant is invited to formalize the request in writing by attaching a copy of the identity document” (see page 4 of the report).

As proof of compliance with the procedure described above - considering that on the basis of what emerged in the session of the Equal Opportunities Commission, such information would instead have been communicated by telephone on the simple indication of the woman's data - during the inspection it was requested to provide documentary evidence of the instructions provided specifically on this point to the public employees at the Flaminio Cemetery, the URP and the Call Center of the Capitoline cemeteries, as well as to prove that any requests received by telephone were handled, in the manner indicated.

On the first aspect, with the aforementioned note of the XX, Ama S.p.a. he further specified that "the employees in charge of the URP-CALL CENTER office, on verbal instructions from the manager, have no longer released any information about the burial location of fetuses and abortion products and no more requests have been received". With regard, on the other hand, to the methods of handling the requests in question in writing, "documentation relating to some requests and the related written response" was sent and, in particular, some dating back to the months of October and November 2020 (immediately after the news disseminated by the press), which reveal a correct treatment of these requests.

Regarding the new application for the management of cemetery registers, Ama S.p.a. he specified that "with the new computer system, the data necessary to identify the burial of the fetuses will no longer be visible to employees except with an access procedure authorized for a limited and specific number of employees, becoming segregated data".

All this being said, having noted that Ama S.p.a., on the basis of the findings of the inspection visit, had not fully or not entirely adequately implemented the instructions and organizational and technical measures issued by Roma Capitale, the Office, with a note dated XX , prot. no. XX, notified Ama S.p.a., pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, concerning the alleged violation of articles 5, par. 1, lit. f), 28, 29 and 32 of the Regulation as well as of the art. 2-quaterdecies of the Code.

With note of the XX, prot. no. XX Ama S.p.A. sent to the Guarantor, its written defenses in relation to the notified violation. In particular, the Company stated that:

- With regard to the critical issues and the alleged violations detected [], it is important to reiterate that in the very short time available to us we have adopted all the useful initiatives to eliminate the alleged critical issues [] and our will is firm to complete all the measures aimed at ensuring the protection of personal data of data subjects in implementation of the provisions of Regulation (EU) 2016/679 [];

- with a view to improving the efficiency of the cemetery service and the related fulfilments, also and above all regarding the protection of personal data, with particular reference to the technical and organizational security measures to be adopted, [] AMA S.p.A. has joined a project for the management of personal data processing and related documentation, launched by Roma Capitale with the development of a specific IT platform (MUA)".

With regard to the results of the inspection carried out in field no. 108 the XX during the inspection, the Company further specified that at the time it had "deleted the names on the white crosses, with a special covering paint and affixed the alphanumeric codes. Although the paint conforms to the characteristics useful for fulfilling the task, as reported in the technical data sheet, unexpectedly and unpredictably, over time, in several cases, it has let the name shine through".

With the aforementioned briefs, Ama S.p.a. reiterated that the alleged violations were culpable, as also confirmed by the Court of Rome with order XX, which dismissed the criminal proceedings initiated against two employees of the Company for the crimes referred to in art. 21 of the law n. 194 of 1978 and in art. 167 of the Code due to the lack of the subjective element of intentional fraud and the existence of a purely negligent conduct caused by an incorrect interpretation of the sector regulations and, in particular, of the municipal legislation.

With note of the XX, prot. no. XX Roma Capitale communicated to the Guarantor that following the inspection of the XX, Ama S.p.a. had already notified the execution of the operations to replace the plates on 23 January 2022, and that the "Roma Capitale Offices verified the execution of the intervention with an inspection of the XX".

Finally, it should be noted that with Resolution no. 88 of 3 November 2022, Roma Capitale has definitively approved the amendment of the Cemetery Police Regulations pursuant to City Council Resolution no. 3516 of 10.30.1979, in order to overcome, also for the future, the critical issues identified.

In particular, the art. 4 has been modified and integrated providing that;

- "in the children's boxes [...] the products of conception, abortifacient products and fetuses can be buried at the request of the woman concerned or those entitled (as holders of an acquired right by derivative), pursuant to art. 7 of Presidential Decree 285/1990. The transport and burial permits for products of conception, abortifacient products and fetuses are issued by the Local Health Authority and transmitted to the Necroscopic Services of the Capitoline Cemeteries in compliance with the principles of "integrity and confidentiality of data" protected by Legislative Decree Legislative Decree 196/2003 and by Regulation (EU) 2016/679. The burials of the aforementioned are marked by an alphanumeric code or a name, or a pet name, or a symbol, or a date, or other, where the woman concerned explicitly requests it. In a specific section of the cemetery register, the code is associated with the relative transport and burial permit; access to such data is reserved to the woman concerned or to those entitled as per the previous paragraph. In these cases, the burial is carried out by affixing an identification plate containing the aforementioned alphanumeric code or a name, or a pet name, or a symbol, or a date, or other, where the woman concerned explicitly requests it".

4. The regulatory framework

4.1. The legislation on the protection of personal data.

As a preliminary point, it should be noted that the processing of personal data must take place in compliance with the Regulation and the Code.

"Personal data" means "any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social" (art. 4, paragraph 1, n. 1 of the Regulation). The "particular" categories of personal data include "data relating to health", i.e. "personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health" (art. 4, paragraph 1, no. 15, art. 9 and recital no. 35 of the Regulation).

In this context, the processing carried out by public subjects is lawful only if necessary "to fulfill a legal obligation to which the data controller is subject" or "for the execution of a task in the public interest or connected to the exercise of public powers vested in the data controller", or, in the case of data belonging to particular categories, when it is "necessary for reasons of significant public interest on the basis of Union or Member State law, which must be proportionate to the purpose pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the interested party" (Article 6, paragraph 1, letters c) and e), 2 and 3, as well as articles 9, par. 2, lit. g) of the Regulation and 2-ter and 2-sexies of the Code).

The national legislator has defined the public interest for the processing "carried out by subjects who perform tasks of public interest or connected to the exercise of public powers" as "significant" in the matters indicated, albeit not exhaustively, by art. 2-sexies of the Code, establishing that the related treatments "are permitted if they are provided for [...] by provisions of the law or, in the cases provided for by law, regulations that specify the types of data that can be processed, the operations that can be performed and the reason of significant public interest, as well as the appropriate and specific measures to protect the fundamental rights and interests of the interested party” (in the text in force at the time of the events, prior to the amendments made by decree law 8 October 2021, n. 139).

In this context, the processing of data relating to health, in order to be lawful, must also take place in compliance with "further conditions, including limitations" (Article 9, paragraph 4, of the Regulation), implemented in national law with the art. 2-septies of the Code, which provides for an express "prohibition of dissemination", i.e. the possibility of giving "knowledge [...] to unspecified subjects, in any form, including by making them available or consulting" of "data relating to health" (Article 2-septies, paragraph 8; Article 2-ter, paragraph 4, letter b) of the Code).

The Regulation also provides that the roles and attributions of the subjects who for various reasons intervene in the processing of personal data must be clearly individual, in particular, of the owner and of the manager, as well as of the subjects who operate under the direct responsibility of these subjects (Articles 4, paragraph 1, point 7, 28 and 29 of the Regulation; Article 2-quaterdecies of the Code).

The art. 28, par. 3, of the Regulation, states that "processing by a data controller must be governed by a contract or other legal act pursuant to Union or Member State law, which binds the data controller to the data controller and which stipulates the disciplined matter and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the data controller" (see also recital no. 81 of the Regulation .

The Data Processor is, therefore, entitled to process the data of the interested parties "only on the documented instruction of the owner" and must adopt "all the measures required pursuant to art. 32" by the owner (Article 28, paragraph 3, letters a) and c) of the Regulation); furthermore, “the data controller, or anyone acting under his authority or under that of the data controller, who has access to personal data cannot process such data unless instructed to do so by the data controller, unless requested the law of the Union or of the Member States” (art. 29 of the Regulation).

At the national level, the 2-quaterdecies of the Code provides that "The data controller or processor may provide, under their own responsibility and within the scope of their organizational structure, that specific tasks and functions connected with the processing of personal data are attributed to natural persons, expressly designated , operating under their authority. The data controller or data processor identifies the most appropriate methods to authorize the processing of personal data by persons who operate under their direct authority".

In any case, the data controller is required to comply with the principles regarding the protection of personal data, including the principle of "lawfulness, correctness and transparency", "purpose limitation", "data minimization". ”, of “accuracy” and “integrity and confidentiality” (Article 5, paragraph 1, letter a), b), c), d) and f), of the Regulation).

In particular, according to the principle of "integrity and confidentiality" the data must be "processed in such a way as to ensure adequate security of personal data, including protection, through appropriate technical and organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage" (Article 5, paragraph 1, letter f), of the Regulation).

In this regard, the art. 32 of the Regulation establishes that "taking into account the state of the art and the costs of implementation, as well as the nature, object of the context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons, the data controller and the data processor implement adequate technical and organizational measures to guarantee a level of security appropriate to the risk" and that "in assessing the adequate level of security, particular account is taken of the risks presented by the processing which derive in particular [...] from the unauthorized disclosure [... of] personal data transmitted, stored or otherwise processed".

As part of the preparation of the technical and organizational measures that meet the requirements established by the Regulation, also in terms of security (articles 5, paragraph 2, 24 and 32 of the Regulation), as mentioned, the owner can make use of a manager for the performance of certain processing activities, to which it gives specific instructions (see recital no. 81 of the Regulation). The application of technical and organizational measures - without prejudice to a "general responsibility" envisaged for the owner in application of the principles established by art. 5, par. 2, so-called "accountability" and by the art. 24 of the Regulation - the data processor is also called to answer ("the data controller and the data processor implement adequate technical and organizational measures", art. 32 of the Regulation). In fact, although the principle of responsibility directly concerns the data controller, some more specific rules refer to both the controller and the manager and both of these subjects may be subject to sanctions in the event of non-fulfillment of the obligations to which they are subject pursuant to the Regulation.

In this framework, the data controller must comply with the instructions of the owner and cannot treat the data in a different way than the same, although these instructions may leave a certain margin of autonomy to the manager.

4.2. The specific legislation of the relevant sector.

Having said that, personal data relating to the termination of pregnancy are fully included in data relating to health (articles 4, paragraph 1, no. 15, and 9, as well as recital 35 of the Regulation). This, not only in cases in which the collection of information on the physical and mental health of the woman in the context of the termination of pregnancy is made explicit by the regulatory provision (see law 22 May 1978, n. 194, "Regulations for the social protection of maternity and on the voluntary interruption of pregnancy", which provides for the voluntary interruption of pregnancy when "the continuation of the pregnancy, childbirth or maternity would involve a serious danger to your physical or mental health, in relation to or to your state of health" (art. 4), or when "pregnancy or childbirth involve a serious danger for the life of the woman" or "pathological processes are ascertained, including those relating to significant anomalies or malformations of the unborn child, which cause a serious danger for the physical or mental health of women" (art. 6), but also in all other cases (voluntary interruption or miscarriage), since it is an event connected to a "provision of health care services" (art. 4, par. 1, no. 15, of the Regulation). In confirmation of this framework, the art. 19 of Legislative Decree no. 151/2001, provides that “The interruption of pregnancy, spontaneous or voluntary, in the cases provided for by articles 4, 5 and 6 of law 22 May 1978, n. 194, is considered to all intents and purposes as a disease" (see also provision of the Guarantor no. 334 of 4 June 2015, which can be consulted at www.gpdp.it, web doc. no. 4130998).

The law of 22 May 1978, n. 194 mentioned above, with reference to the processing of personal data, has established a strict regime of confidentiality to protect the woman's right to anonymity. In addition to the penal sanction, envisaged for those who "having become aware of it for professional or office reasons, reveal the identity - or in any case divulge information suitable for revealing it - of those who have resorted to the procedures or interventions envisaged by this law" ( art. 21), the identity of the woman is also protected in relation to the fulfillment of information obligations within the same healthcare context ("The hospital, nursing home or polyclinic [...] are required to send the provincial doctor responsible for the territory a declaration [...] of the intervention itself and of the documentation on the basis of which it took place, without mentioning the identity of the woman", art. 11) and the "respect for the dignity and privacy of the woman" (cf. art. 5 of the aforementioned law n. 194).

The aforesaid confidentiality regime was, moreover, repeatedly reaffirmed by the Guarantor in the context of various interventions, qualifying such data among those subject to "greater protection of anonymity" (opinion on a draft decree on the matter of assistance certificate to the childbirth, of 1 March 2000, web doc. n. 1085431; opinion on draft decree on electronic health records, of 22 May 2014, web doc. n. 3230826; Guidelines on health dossiers, of 4 June 2015, web doc. n. 4084632; see, also, provision 5 March 2008, web doc. n. 1523741, on the ban on disclosing the personal details of the woman who has voluntarily terminated her pregnancy). The regulatory provisions, which provide for enhanced protection for the processing of data relating to women who have undergone an abortion, fall within the specific provisions of the sector without prejudice to art. 75 of the Code.

With regard to the burial of fetuses and abortifacient products, the matter is mainly governed by the Presidential Decree 10 September 1990, no. 285, approving the Mortuary Police Regulations. In particular, the art. 7 provides that "for the burial of abortifacient products with a presumed age of gestation between 20 and 28 complete weeks and of fetuses that have presumably completed 28 weeks of intrauterine age [...], the transport and burial permits are issued by the health unit local. At the request of the parents, products of conception presumed to be less than 20 weeks old can also be collected in the cemetery with the same procedure". In the aforementioned cases "the relatives or whoever represents them are required to present, within 24 hours of the expulsion or extraction of the fetus, a request for burial to the local health unit accompanied by a medical certificate indicating the presumed age of gestation and the weight of the fetus" . The art. 50, also provides that “The following must be received in cemeteries when no other destination is requested: […] d) stillborns and products of conception pursuant to art. 7".

The art. 52, paragraph 2, then establishes that the following are entered in a register on a daily basis: "a) the burials that are performed, specifying the name, surname, age, place and date of birth of the deceased, according to what results from the authorization deed referred to to art. 6, the year, day and time of burial, the Arabic numeral on the memorial stone and the order number of the burial bill; b) the personal details, as above, of the persons whose corpses are buried, with an indication of the site where they were deposited”. Based on the art. 53, paragraph 2, "One copy of the registers must be delivered, at the end of each year, to the municipal archive, while another remains with the custody service".

Finally, as regards the methods of identification of the burial, the art. 70 provides that "Each grave in the burial fields must be distinguished, by the municipality, by a memorial stone [...] bearing a progressive number. On the memorial stone, by the municipality, a plate of unalterable material will be applied with indication of the name and surname and date of birth and death of the deceased.

The municipal regulation approved with resolution no. 3516 of 23 October 1979 - in force at the time of the events - provides that "In municipal cemeteries, stillbirths and products of conception after the fourth month have the right to be buried [...] (art. 1); “Burials are carried out in different boxes, depending on whether they are the bodies of adults or children up to the age of ten. The stillborn, with a uterine life of no less than six months, are buried in the children's boxes; similarly, abortions can be buried in the squares themselves” (art. 4).

Finally, it should be noted that in the light of the changes made by Roma Capitale to the aforementioned Regulation, art. 4, currently provides that the burials of the fetuses are "marked by an alphanumeric code or a name, or a pet name, or a symbol, or a date, or other, where the woman concerned explicitly requests it. In a specific section of the cemetery register, the code is associated with the relative transport and burial permit; access to such data is reserved to the woman concerned or to those entitled as per the previous paragraph. In these cases, the burial is carried out by affixing an identification plate containing the aforementioned alphanumeric code or a name, or a pet name, or a symbol, or a date, or other, where the woman concerned explicitly requests it".

Finally, it should be remembered that the provisions of the national legal system are interpreted and applied in the light of the European legislation on the protection of personal data (Article 22, paragraph 1, of Legislative Decree No. 101 of 10 August 2018) .

5. Outcome of the preliminary investigation.

5.1. The investigation against the data controller Roma Capitale.

Based on the elements acquired following the complex preliminary activity that involved both Ama S.p.a. that Roma Capitale - which as data controller has general responsibility also for the processing carried out through the person in charge - has been ascertained that the dissemination of the women's data indicated on the plates affixed to the burials of the fetuses was carried out in violation of the regulation on the protection of personal data.

The preliminary investigation ascertained that the illicit diffusion, however, does not concern all the cases governed by art. 7 of the Presidential Decree 285 of 1990.

Stillbirths and products of abortion or conception (of a gestational age between 20 and 28 weeks, or less than 20 weeks), for which the parents or relatives have requested burial (art. 7, paragraphs 2 and 3 ) are buried, at the Flaminio cemetery, in "a special field for the burial on the ground of children up to 10 years of age, to which AMA-Cimiteri Capitolini also allocates fetuses who have had a funeral" and, at the Laurentino cemetery, in the area intended for burials at the request of the parents. In these cases, the women's data is not reported and “recognition is made possible by a code placed on the back of the tombstone. On the front it is possible, if required, to enter names, which can also be "fictitious" (https://...).

The illicit dissemination of women's data, as also highlighted by Roma Capitale with the notes of the XX, prot. no. XX and XX, prot. no. XX, concerns only the cases in which the burial did not take place at the request of the women themselves or of their family members, but at the request of the Local Health Authority. In such cases the burial was carried out "in single pits, marked [...] by a wooden cross and a plaque commonly bearing the name of the mother or the registration number of arrival at the cemetery, if expressly requested by family members ” (https://...).

As evidenced by the personal events reported and/or reported in the press, these are precisely the cases in which - probably also due to a lack of information on the part of the health structures - the women concerned were not made aware of the fact that, even if one chooses not to carry out the burial, this takes place, in any case, at the instigation of the Local Health Authority. Paradoxically, the possibility of indicating "the registration number of the arrival at the cemetery", instead of the personal details of the woman, is provided only "if expressly requested by family members", a request which, however, can hardly be presented in the absence of adequate information.

On the merits, with regard to the indications that must be given on the burials, Roma Capitale and Ama S.p.a. have highlighted that "the legislation on the subject appears to be lacking, since, if on the one hand the aforementioned Presidential Decree specifically provides for the possibility of proceeding with the burial of "abortifacient products" (art. 7), on the other hand, however, requires that each "pit" must be distinguished by a "stone" with indication of the data of the deceased (art. 70) and that "in cases where the birth/death certificate is not expected to be issued by the Civil Status Officer (as in the case, precisely, of "abortion products"), the data relating to the name and surname of the parent and date of extraction/expulsion, the only data available and provided by health facilities, for the purposes of traceability required by the above standards" (see note by Ama Spa of the XX, prot. XX).

Given that the art. 70 of the Presidential Decree 285/1990 requires that the "data of the deceased" be indicated on the memorial stone, in the cases provided for by art. 7, except for the cases of "still births" - for which the burial authorization is issued by the registrar after registration in the relevant registers - in the documentation sent by the local health authority, since it concerns abortifacient or conception products, there are data similar to "data of the deceased". Based on the practice found in the Health Trusts, the authorization for transport and burial, in order to identify the abortifacient products, refers to the woman's personal details. The art. 70, paragraph 2, of the Presidential Decree no. 285 of 1990, in indicating the elements to be reported on the plate of the funeral stone, does not provide for the processing of personal data of living people; their indication in this context - this having to be considered the datum of the woman - as well as not inferable from the aforesaid provision, appears incongruous and incorrect.

Furthermore, the data contained in the documentation sent by the Local Health Authorities, as mentioned, fall within the particular categories of data which are assisted by a regime of greater guarantee. As data relating to health, as a result of the provisions of art. 9, par. 4, of the Regulation, and of the art. 2-septies, paragraph 8, of the Code, are subject to a specific ban on dissemination. Furthermore, the particular confidentiality regime provided for by law no. 194 of 1978 for the data of women who resorted to voluntary termination of pregnancy.

The lamented regulatory gap, therefore, far from legitimizing the treatments in question, precludes the possibility of carrying them out upstream, since the treatment of particular categories of data - given the general prohibition of treatment pursuant to art. 9 of the Regulation - must be expressly provided for "by legal provisions or, in the cases provided for by law, by regulations which specify the types of data that can be processed, the operations that can be performed and the reason of significant public interest, as well as the appropriate measures and specifications to protect the fundamental rights and interests of the data subject" (Article 2-sexies of the Code). Furthermore, as mentioned, the dissemination of data relating to health is, in any case, prohibited (Article 2-septies, paragraph 8, of the Code).

It is also noted that in the face of the proposed need to comply with the provisions of art. 70 of the aforementioned d.P.R. 285 of 1990 and the complained incompleteness of the normative datum, the choice to indicate on the plates the complete personal details of the women also highlights the absence of any assessment regarding the compliance of the treatment with the regulations on the protection of personal data, and in particular of the principles of "lawfulness, transparency and fairness" and "minimization" provided by art. 5, par. 1, lit. a) and c) of the Regulation. This evaluation would have led, with a prudential approach, to use for example only the initials - a choice which would have been in any case not compliant with the regulatory framework which does not provide for the processing of such data - but which would have, in any case, reduced the impact of the processing on rights and fundamental freedoms of the women concerned. On the other hand, the possibility of marking the burial with "a code placed on the back of the tombstone", or with "the registration number of the arrival at the cemetery", renders unfounded what is asserted in the memoirs regarding the need to report the data of the woman "for the purposes of traceability required by the above rules" (see https://...), considering that this purpose would in any case have been pursued through the connection with the registration of the data transmitted by the Health Trusts in the cemetery registers ( also with the methods indicated by the amendments made to the Municipal Cemetery Regulations of Rome Capital).

For these reasons, considering that the indication of the women's data on the plates affixed above the burials appears to have been carried out in the absence of a legal basis (articles 5, paragraph 1, letter a) and 9 of the Regulation; art. 2-sexties of the Code) and in violation of the specific ban on the dissemination of health data (art. 2-septies, paragraph 8, of the Code), that the processing of such data was carried out in an inexact and incongruous way to mark a burial that does not concern the woman (art. 5, paragraph 1, letter d) and, in any case, devoid of a legitimate purpose, given that the need to identify the burial of a fetus could also be pursued by reporting simple codes ( Article 5, paragraph 1, letter b), a corrective measure has been adopted against Roma Capitale, in its capacity as data controller, for the violation of the aforementioned provisions.

5.2. Processing carried out in the absence of specific instructions from the owner.

From the investigation carried out, it emerged that the data controller, while noting that the regulations in force "do not offer a precise reference discipline", until the start of the investigation by the Guarantor, had not given Ama S.p.a. no specific instructions for the cases under consideration. In this context, "the information provided to AMA S.p.A. are inherent [only] to compliance, in addition to the national sector legislation, also with the specific indications concerning the regulation and management of cemetery services" (note XX, prot. XX) which, as ascertained by the preliminary investigation, did not provide specific indications on the processing of personal data in the cases in question.

In this context, Ama S.p.a., in the face of the alleged incompleteness of the regulatory data, which "does not provide for the burial of abortifacient products" and even in the absence of precise instructions from the owner, has in any case managed the burial requests coming from the ASL with the disputed methods, thus contributing to the violations committed by the controller (articles 5, part 1, letter a), b), c) and d), and 9 of the Regulation; articles 2-sexties and 2-septies of the Code).

More specifically, taking into account that the art. art. 29 of the Regulation provides that "The data controller, or anyone acting under his authority or under that of the data controller, who has access to personal data cannot process such data unless instructed to do so by the data controller", Ama S.p.a., in its position as data processor, responds, however, directly for the violation of this provision as it has not requested specific instructions from the data controller; in fact, precisely in the face of the complained incompleteness of the regulatory framework, these instructions would have been more necessary than ever for the management of cases with such delicate implications.

In this context, while acknowledging the difficulties represented by the Company in dialogue with the data controller's personal data protection officer - due to the fact that since the entry into force of EU Regulation 2016/679 the same "has designated three DPO/RPD , making the necessary coordination difficult” – the circumstance that Ama S,p.a. has requested specific instructions from Rome Capital in relation to the treatments object of the investigation does not appear to have been documented.

Furthermore, it should be noted that given the characteristics of the treatments highlighted in the documents - registration in the cemetery registers and dissemination to identify the burials of the data reported in the burial authorizations and in the medico-legal certificates of abortion from local health authorities and hospitals - it is documented that the Company, before starting the investigation, consulted its personal Data Protection Officer, nor that this person, in carrying out his duties, has detected any critical issues in relation to the methods of treatment.
For the above, it is ascertained that Ama S.p.A. was thus made responsible for the violation of the art. 29 of the Regulation.

5.3. The implementation of the instructions given by the owner following the start of the investigation.

As is known, following the press reports and the start of the investigation by the Guarantor, Roma Capitale promptly took steps to overcome the critical issues that emerged, immediately starting the process for amending the cemetery police Regulations (decision no. XX of the XX of the Capitoline Council, with which the proposed resolution n. 246 was approved) and, pending approval, provided Ama S.p.a. detailed instructions on the treatments in question and identifying multiple organizational and technical measures (note of the XX, prot. XX).

With regard to these instructions, the inspection activity of the Authority ascertained that Ama S.p.a., at the date of the on-site visit, had partially, incompletely and partially, inadequately implemented the instructions and organizational measures and techniques requested by the data controller. This, in particular, with reference to the identification of authorized subjects for all stages of processing of personal data transmitted by the Health Authorities, to the conferral of a specific written assignment to them containing both general and specific indications for the management of cases in examination, as well as the preparation and implementation of a personalized and specific training plan for the management of the procedures in question.

As regards the management of the identification plates, the inspection results showed that Ama S.p.a. had, at the time, actually taken steps to "replace" most of the plates in field no. 108, reporting only the correct wordings in the new ones; a number of metal plates - from about a third to half of the total - had not, on the other hand, been replaced but simply "erased" with a covering paint - based on the indications in the technical data sheet, suitable for the purpose - with methods that subsequently proved to be ineffective or not lasting, making, after some time, the data relating to the name and surname of the women and the dates (in some cases, also the wording "Fetus") present under the erasure visible again. However, it was ascertained that in all the metal labels, both in the "replaced" and in the "cancelled" ones, Ama S.p.A. had taken steps to report the new wording indicated in the instructions of Roma Capitale. Therefore, it is ascertained that in relation to the management of the plates, the implementation of the measures and instructions given by the owner was carried out in an incomplete way (failed to replace part of the plates), or subsequently revealed to be inadequate in relation to the coverage of the data on the plates do not replace. This has, in fact, made the underlying personal data visible to anyone again - albeit limited to these cases.

Considering, however, that the paint used proved to be ineffective only after some time and that in the months following the intervention, Roma Capitale declared that no reports were received, the duration of the violation can be considered limited in time.
Therefore, with regard to the implementation of the instructions and the organizational and technical measures imparted by the owner after the start of the investigation, in part, incomplete and, in part, not adequate, Ama S.p.a., was made responsible for the violation of the articles . 28, 29 and 32 of the Regulation and of the art. 2-quaterdecies of the Code.

5.4. Management of cemetery records.

As regards the methods of keeping cemetery registers and archiving the documentation transmitted by the Health Trusts, the investigation highlighted the particular delicacy of the information processed. The circumstance that the data sheets of the cemetery registers have been, as a practice consolidated over time, compiled indicating the name and surname of the woman, implies, in fact, the possibility of extracting from these registers, kept with computerized methods, the list of women who have terminated their pregnancy over the years. Furthermore, considering that the fetuses from all the health facilities located in the territory of Rome are buried in the Capitoline cemeteries, the list that can be extracted from these registers is the one resulting from the sum of the data communicated by all the Local Health Authorities territory of Rome Capital.

The Office had, therefore, reserved the right to examine these further critical profiles in the context of a broader investigation, which concerned the treatments carried out, upstream, by hospital structures and by Health Trusts, in order to assess the compatibility of the methods of transmission of the documentation ascertained - and the concentration of the data described above at the municipal cemetery services - with the regulations on the protection of personal data and with the regime of particular protection pursuant to law no. 194 of 1978.

As a result of this investigation, it was considered that, in application of the minimization principle pursuant to art. 5, par. 1, lit. c), of the Regulation, the Health Authorities will no longer have to report the personal details of the women "in clear text" on the transport and burial authorizations and on the medico-legal certificates that are sent to the cemetery services. In order to reduce the risk of a significant prejudice to the rights of the women concerned, the use by the Health Trusts of specific technical (such as pseudonymisation or data encryption) and/or organizational (obscuring of identifying information of women) would avoid the direct identification of the women concerned without precluding - exclusively in cases where this becomes necessary at the request of those entitled or on the basis of a provision of the law - the possibility of identifying with certainty the product of conception and the place of his burial.

Considering that Roma Capitale has established, as a measure to limit processing, that in the new IT system of cemetery registers, "the woman's personal data [...] will no longer be visible to employees, except with an authorized access procedure to a limited and specific number of employees, becoming a segregated datum", also providing that such information can only be communicated to the woman concerned. Considering also that with Resolution no. 88 of 3 November 2022, the amendments were made to art. 4 of the Municipal Cemetery Police Regulations suitable for overcoming the critical issues identified during the investigation by the Guarantor, in conclusion, it is deemed not necessary to raise findings regarding the keeping of the cemetery registers of Rome Capital, as the aforementioned critical issues are deemed to have been overcome from the actions undertaken and the new ways of acquiring data from the Healthcare Trusts.

6. Conclusions.

In the light of the assessments reported above, it should be noted that the statements made by the data controller during the preliminary investigation ˗ the truthfulness of which may be called upon to answer pursuant to art. 168 of the Code ˗ do not allow to completely overcome the findings notified with deeds of XXX, prot. no. XX, and of the XX, prot. no. XX

For all of the above, the circumstances highlighted in the written defence, examined as a whole, certainly worthy of consideration for the purpose of assessing the conduct, are not sufficient to allow the filing of the present proceeding, as none of the cases envisaged by art. . 11 of the Regulation of the Guarantor n. 1/2019.

In this context, the preliminary assessments of the Office are therefore confirmed and the illegality of the processing of personal data carried out by Ama S.p.a. is noted, as the processing was carried out in violation of art. 29 of the Code, for not having requested specific instructions from the data controller, despite the alleged incompleteness of the regulatory framework and, after the start of the investigation, of the articles 28, 29 and 32 of the Regulation and 2-quaterdecies, in relation to the partly incomplete and partly inadequate implementation of the instructions and technical organizational measures given by the controller in order to overcome the disputed critical issues.

The violation of the aforementioned provisions makes the administrative sanction envisaged by art. 83, par. 4, of the Regulation, pursuant to articles 58, par. 2, lit. i), and 83, par. 3, of the same Regulation, as referred to by art. 166, paragraph 2, of the Code.

In this context, considering, in any case, that the conduct has exhausted its effects, as Ama S.p.a., it has implemented the instructions and measures given by the owner to overcome the critical issues identified - in particular, it has provided for the complete replacement of the plates on burials, which no longer report the personal details of the women, has transmitted to the authorized the instructions given by the owner, providing for a further specific training initiative for the treatments in question, has foreseen in the new application for the management of cemetery registers measures for the segregation of data of women already recorded - and Roma Capitale has approved the amendments to the municipal cemetery police Regulations aimed at overcoming the disputed critical issues, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation.

7. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the College [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation, in relation to which the following is observed.

In relation to the aforementioned elements, the particular nature, seriousness and duration of the violation was considered, in relation to the type of data and the method of treatment, which involved the dissemination of data relating to health, for which a strict regime of confidentiality to protect women's right to anonymity for the voluntary interruption of pregnancy provided for by law 194 of 1978, the high number of subjects involved and the level of damage suffered by them.

On the other hand, since the start of the investigation, Ama S.p.a. has provided the maximum collaboration with the Authority, providing all the information and elements requested with the urgency of the case, as well as in order to remedy the violations and mitigate the possible effects, promptly implemented - albeit with the limits identified during the investigation - the instructions and organizational and technical measures to remedy the critical issues identified. Furthermore, the non-malicious nature of the violation has been ascertained and there are no previous pertinent violations committed by the Company or previous measures pursuant to art. 58 of the Regulation.

Based on the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction, in the amount of 239,000.00 (two hundred and thirty-nine thousand) euros for the violation of articles 28, 29 and 32 of the Regulation, as well as art. 2-quaterdecies of the Code as a pecuniary administrative sanction, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Bearing in mind that the investigation concerned the unlawful processing of personal data, and in particular the dissemination of data relating to the health of women who have terminated their pregnancies, in consideration of the delicacy of the data subject to the violation, it is also believed that apply the ancillary sanction of publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7, of the Code and by art. 16 of the Regulation of the Guarantor n. 1/2019.

Finally, it is believed that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

pursuant to art. 57, par. 1, lit. f), of the Regulation, declares the conduct held by Ama S.p.a. unlawful, described, in the terms set out in the justification, consisting in the violation of articles of the articles 28, 29 and 32 of the Regulation, as well as art. 2-quaterdecies of the Code;

ORDER

to Ama S.p.a., with headquarters in Via Calderon de la Barca n. 87, Rome (RM), Fiscal Code 05445891004, pursuant to articles 58, par. 2, lit. i), and 83, par. 4, of the Regulation and of the art. 166, paragraph 2, of the Code, to pay the sum of Euro 239,000.00 (two hundred and thirty nine thousand) as an administrative fine for the violations indicated in the justification;

ENJOYS

to Ama S.p.a. to pay the sum of Euro 239,000.00 (two hundred and thirty-nine thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. In this regard, it is recalled that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the annex - an amount equal to half of the fine imposed, within 30 days from the date of notification of this provision, pursuant to art. 166, paragraph 8, of the Code (see also art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011);

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code;

the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation, of the violations and measures adopted in accordance with art. 58, par. 2, of the Regulation.

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 27 April 2023

PRESIDENT
Station

THE SPEAKER
Cerrina Feroni

THE SECRETARY GENERAL
Matthew







SEE ALSO Newsletter of 22 June 2023



[doc. web no. 9900826]

Provision of April 27, 2023

Register of measures
no. 164 of 27 April 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46 /CE, "General Data Protection Regulation" (hereinafter "Regulation");

CONSIDERING the d. lgs. 30 June 2003, no. 196 containing the "Code regarding the protection of personal data (hereinafter the "Code");

CONSIDERING the Regulation n. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter "Regulation of the Guarantor n. 1/2019");

HAVING REGARD to the documentation in the deeds;

GIVEN the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data (web doc. n. 1098801);

Supervisor Prof. Geneva Cerrina Feroni;

1. Premise

Following numerous press reports, it was learned that at the Flaminio cemetery in Rome - managed by the Azienda Municipale Ambiente S.p.a. (hereinafter Ama S.p.a.), a company with sole shareholder Roma Capitale - there were hundreds of white crosses above small burials relating to abortifacient products, on which labels were affixed bearing the personal details of the women who had terminated a pregnancy and a date (cf. XX, https://...; XX ,https://...).

Also on the basis of the information reported on the institutional site of the Capitoline cemeteries, it was learned that "Since 1990, a special field has been available at the Flaminio cemetery for the burial on the ground of children up to 10 years of age, to which AMA-Cimiteri Capitolini also allocates the "fetuses" who had a funeral. Still at the Flaminio, there is another field for the "products of conception" or "fetuses" who have not had funeral honors because they are buried at the simple request of the ASL. They lie in single graves, marked by a funerary sign affixed by AMA-Cimiteri Capitolini, consisting of a wooden cross and a plaque commonly bearing the name of the mother or the registration number of arrival at the cemetery, if expressly requested by family members". At the Laurentino cemetery, however, there is an area called the "Garden of the angels" intended for burials at the request of the parents, within which "the tombstones that distinguish the burial are all the same: recognition is made possible by a code placed on the back of the tombstone. On the front it is possible, if required, to enter names, which can also be "fictitious" (see https://...; https://...).

2. Investigation

On the basis of this information, an official investigation was launched against Roma Capitale and Ama S.p.a. In particular, with the note prot. no. XX of the XX, the Office preliminarily requested elements from AMA S.p.A., which with note prot. no. XX of the XX, stated the following:

- "in the context of the Service Contract in place with Roma Capitale, [AMA S.p.A.] is identified as Data Processor (pursuant to Article 28 of Regulation (EU) 2016/679), limited to the data of citizens, Ta.Ri. customers and users of the Capitoline Cemeteries. AMA S.p.A. has managed the Capitoline Cemetery Services since 1998 (Resolution of the City Council of 29 September 1998, which confers cemetery services to AMA since 1 October 1998; assignment confirmed with Resolution No. 99 of 30 May 2018); the organizational structure of AMA S.p.A. provides for a Capitoline Cemetery Service, within which the Necropsy Services Office is present";

- the matter is governed by the “Royal Decree of 9 July 1939, n. 1238 "Regulation of the civil status", from the d.P.R. 10 September 1990, no. 285 containing the "Approval of the mortuary police regulation" and the "Roma Capitale Cemetery Police Regulation (Municipal Council Resolution n. 3516/1979)";

- with reference to the management of the burials of abortifacient products, "in application of the aforementioned regulatory device (Presidential Decree 285/90), the ASL is responsible for:

- the burden of receiving the burial request presented by the parents;

- the issuance of the transport permit;

- authorization for burial;

The administrative activity carried out by the Capitoline Cemetery Service consists exclusively in the mere receipt of the documentation issued by the competent structures and relating to:

- Request for burial by the health facility;

-  Burial authorization issued by the ASL";

- such documentation "receives the original from the Necroscopic Services Office of the Capitoline Cemeteries, [...] often [...] after several months or even more than a year from the date of the abortion event". The aforementioned Office "verifies that for each burial request there is the corresponding authorization issued by the ASL [...]";

- "The collection and transport service of abortifacient products is carried out exclusively by the personnel assigned to the internal Mortuary Police Service, therefore by AMA S.p.A. employees, without the help of external personnel";

- “The staff of Ama S.p.a. it also provides for the creation of the identification plate with the data reported on the ASL authorization engraved on it. These data consist of the name and surname of the mother”, and the identification plate is affixed to the coffin;

- the personnel of Ama S.p.a. proceeds "to the creation of a deceased file in the Cemetery Register, entering the date of arrival, the origin, the identification data present in the documentation delivered by the Mortuary Police, the type (fetus), the type of burial (burial), the date of burial (which may also be deferred with respect to arrival) and the location of the coffin, communicated after the operation is performed by the Chief of the Cemetery Technical Operators. The latter will place the funerary sign, indicating the position of the coffin, with the burial date, the identification data of the fetus and the location";

- the "Presidential Decree 285/90, in art. 52, second paragraph, provides for a series of obligations attributable to the verification, management and conservation of personal and temporal data. The art. 70 of the same Presidential Decree, in paragraph 2, prescribes for burial pits the affixing of a specific plate indicating the name and surname, date of birth and death of the deceased contained in the pit itself. With regard to this specific element, the legislation in force does not provide for the burial of abortifacient products. At present, therefore, the legislation on the subject appears to be deficient, since, if on the one hand the aforementioned Presidential Decree specifically provides for the possibility of proceeding with the burial of "abortifacient products" (art. 7), on the other hand, it nonetheless requires that each "pit" must be identified by a "stone" with indication of the data of the deceased (art. 70) [...]";

- "Therefore, in order to comply with [']art. 70 paragraph 2, in application of a dutiful and necessary "logical" interpretation of the law also pursuant to art. 12 of the pre-laws to the civil code, in cases where the issue of the birth/death certificate by the registrar is not foreseen (as in the case, precisely, of "abortion products"), the data relating to the name and surname of the parent and date of extraction/expulsion, the only data available and provided by health facilities, for the purposes of traceability required by the above standards. It is also added, as evidence of the necessary traceability and data management, that in the past, following investigations by the judiciary, abortion products were exhumed, specifically identified with the names of the mothers".
From the elements in the file, it also emerged that the women's data, as well as being indicated on the plates affixed to the crosses, are subject to further processing by the cemetery services managed by AMA S.p.a. and of the Municipality. These treatments concern, in particular, the obligation to keep cemetery registers and the archiving of the documentation received from the local Health Authorities (transport and burial authorizations and medico-legal certificate). In this regard, Ama S.p.a. he specified that the personnel in charge "create a deceased file in the Cemetery Register, entering the date of arrival, the origin, the identification data present in the documentation delivered by the Mortuary Police, the type (fetus), the type of burial ( burial), the date of the burial”. Considering that "the data relating to the name and surname of the parent and date of extraction/expulsion, (are the) only data available and provided by health facilities, for the purposes of traceability required by the regulations", it is assumed that such data are also reported in the aforesaid registers, a copy of which, on the basis of art. 53 of the Presidential Decree 285/1990 must be sent annually to the Municipality.

The documentation produced in deeds then made it possible to detect the particular delicacy of the documentation sent by the local health authorities to the cemetery services, which consists of:

- a note of transmission of the authorization for transport and burial, usually drawn up cumulatively and showing the unencrypted list of the names of the women, with attached, for each of them:

- the authorization for transportation and burial, stating the woman's name, surname, place and date of birth; sex, weight, week of gestation of the abortion product; presumable cause of the abortion, number and date of the protocol;

- the medico-legal certificate certifying the abortion, showing the date and time of the abortion, name, surname, place and date of birth, residence of the woman, weight, sex and week of gestation of the fetus.

With note prot. no. XX of the XX, considering that the processing of the data subject of the investigation was carried out by AMA S.p.a. as manager of the treatment designated by Roma Capitale, the Office requested further elements from the aforementioned Municipality, data controller, which, with note prot. no. XX of the XX, in confirming everything already deduced by AMA S.p.a., declared that:

- “the R.D. no. 1238/1939 and the Mortuary Police Regulations (Presidential Decree n. 285/1990), do not offer a precise reference discipline with regard to the burial of aborted fetuses aged between 20 and 28 weeks and any indications to be affixed on the epigraph of the burial, noting an evident regulatory gap also given the absence of a Regional Regulation.

- In this context [...] the information provided to AMA S.p.A. they are inherent in compliance, in addition to the national sector legislation, also with the specific indications relating to the regulation and management of cemetery services".

- as regards, however, the processing of personal data carried out in similar cases at the Laurentino cemetery in the area called "Giardino degli Angeli" "the fetuses are expected to be accepted upon explicit request from the parents, always subject to ASL authorization [... ]. In this circumstance, the stone is made on which the names specifically chosen by the parents themselves are placed".

In relation to the above, with note prot. XX of the XX, the Office, on the basis of the elements acquired from the checks carried out and the facts that emerged following the preliminary investigation, notified Ama S.p.A., pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, concerning the alleged violation of art. 29 of the Regulation, inviting the Company to produce defense writings or documents to the Guarantor, asking, if necessary, to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the law 24 November 1981, n. 689).

With note of the XX, prot. no. XX Ama S.p.a. has sent to the Guarantor, pursuant to art. 166, paragraphs 6 and 7, of the Code and of the art. 18, paragraph 1, of the law of 24 November 1981, n. 689, his own defense writings in relation to the notified violations declaring, in particular, that:

- “The method used by AMA S.p.A. for burial with the inhumation system, dates back to the birth of the Flaminio cemetery dated 1888, when it was called "Cemetery of Casale di Prima Porta" [...].

- the art. 70 of the Presidential Decree 285/90, paragraph 2, prescribes for inhumation pits the affixing of a specific plate indicating the name and surname, date of birth and death of the deceased contained in the pit itself. With regard to this specific element, the legislation in force does not indicate anything for the burial of abortifacient products.

- Ama S.p.A. promptly urged Roma Capitale to intervene for the updating and adaptation of the Cemetery Police Regulations; the new Regulation is in the approval phase, as declared by the Administration itself on November 25th. It follows that in the course of the personal data processing in question, the legislation on the subject was lacking, since, if on the one hand the aforementioned D.P.R. 285/90 specifically provides for the possibility of proceeding with the burial of "abortifacient products" (art. 7), on the other hand, however, imposes that each "pit" must be distinguished by a "stone" with indication of the data of the deceased (art 70). […]

- For the above AMA S.p.A., in the context of the management of the Capitoline Cemetery Services, in the face of the demonstrated incompleteness of the regulatory data, which "does not provide for the burial of abortifacient products" and in the absence of specific instructions from the Data Controller, however, it has adopted the procedure for managing burial requests from the Local Health Authorities in the manner currently censored by this Authority, in order to guarantee the continuity of an essential public service for the community.

- AMA S.p.A., within the context of the Service Contract in place with Rome Capital, is identified as Data Processor (pursuant to Article 28 of EU Regulation 2016/679), limited to the data of citizens, Ta.Ri customers . and users of the Capitoline Cemeteries. This role is indicated in the Service Contract. However, the "Deed of designation of the person responsible for the processing of personal data pursuant to and for the purposes of art. 28 of Regulation (EU) 2016/679” was formalized last XX. At the same time, on 22 December 2020, the undersigned AMA S.p.A. received from the Rome Environmental Protection Department the document "Personal data processing for burials of products of conception, abortifacient products and fetuses in the Flaminio cemetery", containing instructions, also on the subject of personal data processing, for the burial of abortifacient products.

- With respect to the relationship between the Data Controller Roma Capitale and the Manager AMA S.p.A. and, in particular, to the precise objections reported in the Notification of violation in question: "(...) in the face of the incompleteness of the overall framework referred to above, it did not deem it necessary to request specific instructions in advance from the data controller, instructions which are extremely necessary for the management of cases with such delicate implications (...)” [...] the writer would like to point out that a meeting has been repeatedly requested from the Data Protection Officer of Rome Capital, without having obtained confirmation. Since the entry into force of EU Regulation 2016/679, the Data Controller Roma Capitale has designated three DPOs/RPDs, making the necessary coordination difficult. The first meeting between the DPOs of the Data Controller and the Manager of AMA S.p.A. was held last July 17 […]. During this meeting, the difficult situation in which AMA S.p.A. is found due to the inability to communicate with the Data Controller and due to the lack of instructions and procedures from the latter".

With reference to these profiles, in the context of the investigation initiated against the data controller, Roma Capitale, with the notes of the XX, prot. no. XX and XX, prot. no. XX, represented, in particular, that:

- "the indication of the women's personal details and the date of the interruption of their pregnancy on the plates [...] occurred only in cases where the burial did not take place at the request of the parents or family members, but at the request of the Local Health Authority. […].

- In the light of the critical issues identified, the Body has given the Data Processor AMA Roma S.p.A. specific operating instructions, aimed, on the one hand, at eliminating the detected dissemination of personal data through the elimination of any reference to the mother and/or fetus present on the funerary signs; on the other, to prevent any analogous violation for future processing [...] by providing both specific indications for the management of personal data from the ASLs, and general requirements also connected to the physical protection of the structures where the aforementioned data will be processed. […] AMA S.p.A. communicated the immediate implementation of the same instructions as well as the launch of an operational plan aimed at ensuring timely alignment with the new methods of burial of fetuses [...];

- in order to eliminate the problems - also of an interpretative nature - subsisting in the present case [...] the Capitoline Council with decision no. 169 of 4 December 2020 approved proposal no. 246 of resolution for the modification of the art. 4 of the Cemetery Police Regulations []. With the approved resolution, the Capitoline Assembly appoints the Environmental Protection Department to issue [AMA S.p.A.] instructions to bring its activity into line with the provisions contained in the Regulation, implementing them uniformly in all the Cemeteries of Rome Capital. Pending the approval of the above resolution, these instructions were given in advance to AMA Roma S.p.A. with note of the XX of the XX […];

- Having taken note of the []error of interpretation in the application of the principles dictated by the GDPR by the Data Processor, not correctly instructed by the Data Controller, it is nevertheless noted that the treatments that do not comply with the Regulations are undoubtedly due to factors not dependent on the will of Rome Capital. First of all, the disputed operational methods of managing cemetery services depended on an evident discrepancy and lack of legislation [...]. In secundis, it is believed that [...] the disputed procedure must necessarily be evaluated also - if not above all - in the light of the content of the documentation coming from the local health authorities and received by AMA Roma S.p.A. [...] said documentation, from the outset, should not have contained "unencrypted" the personal data of the parents. [...] the problem raised [...] would not have occurred if these communications had taken place in compliance with the principles of proportionality and minimization. Precisely for this reason, in fact, the Guarantor Authority has reserved the right to also evaluate the processing of personal data carried out, upstream, by hospitals and healthcare companies".

3. The inspections.

Following the publication of a press agency and a session of the Equal Opportunities Commission of Rome Capital held on the 20th date (https://...), it was subsequently learned that Ama S.p.a would not have adequately implemented the specific instructions on the processing of the personal data referred to above and to the organizational and technical measures imparted by Roma Capitale as data controller, with the note of the XX, prot. no. XX cited above. As already highlighted, with this note, Ama S.p.a. - as data controller - both general instructions on the processing of personal data and specific instructions for the cases referred to in art. 7 of the Presidential Decree 10 September 1990, no. 285, including the measures to be put in place to stop the practice, not envisaged by any law, of indicating the women's data on the plates affixed to the burials of the fetuses.

In particular, these instructions envisaged that the cemetery registers should contain "only the data relating to transport and burial permits linked to an alphanumeric identification code corresponding to the progressive number of the cemetery register" and that the personal data of the women could not "be disclosed to third parties but exclusively to the parent". In the event of a burial request from the Local Health Authority, the plates to be affixed to the memorial stones should have indicated "the identification code present in the cemetery register" and for those currently bearing personal data, it should have been "associated with the name of the parent present in the cemetery register to an alphanumeric identification code and write it on a new plate to be affixed urgently on the relative funeral sign, in place of the plate bearing the personal data".

According to what was stated in one of the interventions carried out in the session of the aforementioned Commission of the XX century, despite these instructions, the data of the women would still be visible on the burials (because they were not adequately covered/erased) and the cemetery services would still provide information on the location of the burials by telephone on the subject, on the basis of the indication of the data of the same.

Therefore, the Office, in collaboration with the special unit for the protection of privacy and technological fraud of the Guardia di Finanza, deemed it necessary to carry out an urgent inspection visit on the XX date at the Flaminio Cemetery in Prima Porta and at the offices of the Directorate of Capitoline Cemetery Services .

3.1. Management of identification tags on burials.

On the occasion of the inspection visit, a preliminary inspection was carried out, with photographic findings, at field no. 108 of the Flaminio Cemetery from which it emerged that:

- the burials are "marked by the presence of metal crosses and wooden crosses on which metal plates are affixed, bearing the information requested in the instructions issued by Roma Capitale (date of burial, year of the register, register number, box, row and the pit);

- on part of the burials, the pre-existing plates have been replaced with new plates, on which only the aforementioned words appear;

- on some crosses, from about a third to a half, the labels have not been replaced but simply subjected to cancellation (of the previous information) and rewriting of the new wordings; in such cases the data relating to the woman's name and surname (in some cases also the word FETO) are still clearly visible, as documented by the photographic surveys carried out” (see pages 4-5 of the XX minutes).

With regard to the implementation of the instructions given by the owner, Ama S.p.a. declared that, at the time, it had "responded to Roma Capitale with note no. XX of the XX representing, among others, the preparation of an operational and temporal plan for the replacement of existing plates and updates on cemetery registers", and that the new procedures for new burial requests would be "immediately respected" (see page 4 minutes, and attachment 3 to the minutes). The Company also represented that "without prejudice to the inexperience in the practical execution of the measure adopted, and revealed by the inspection response, regarding the elimination of the names on the crosses [...] the Capitoline Cemetery Management had proceeded to cancel them and affixed the alphanumeric codes; the operation was carried out using a covering varnish which later proved to be unsuitable because, over time, in many cases, it let the name shine through".

Following the inspection, the Company with the note dated XX, prot. no. XX, declared to the Guarantor that "new crosses with only the alphanumeric code have been installed, as evidenced by the photographic documentation (attachment 4) and a project is also being studied [...] which plans to replace the metal crosses with stems of white marble, being Ama's will not only to comply with the norm but to do it in the most respectful way of the ethical duty of pietas which profoundly informs all the activity of the Capitoline Cemeteries".

3.2. Implementation of technical and organizational instructions and measures.

In relation to the treatments in question, Roma Capitale with the note of the XX, prot. no. XX requested Ama S.p.a. the identification of the subjects in charge of "all phases of the processing of personal data contained in the documentation that comes from the Local Health Units" (par. B1), the conferment of a "specific written assignment to the aforementioned authorized to process, containing both the indications of general nature" on the processing of personal data (par. A), "and specific indications for the management of the documentation in question" (par. B2), as well as the preparation and implementation "of a personalized training plan for those authorized to process" ( par. B3).

Based on the documentation acquired during the inspection, Ama S.p.a. documented the distribution of the Capitoline note to all the competent departments - including the cemetery services - while it did not provide evidence either in relation to the conferment of a "specific written assignment to the aforementioned authorized to process, containing both general indications [...] and specific indications for the management of the documentation in question" (par. B1 and B2), nor with regard to the preparation and implementation "of a personalized training plan for those authorized to process" (par. B3), specifically focused on the treatments in question ( and not general data protection training, such as that documented during the inspection), as requested by the data controller.

With regard to the management of the cemetery register, on the basis of the declarations and documentation acquired during the inspection visit, it was found that "only the data relating to transport and burial permits are indicated in the cemetery registers, linked to a numerical identification code corresponding to the progressive number of the cemetery register, with the indication of the woman's name and surname". In particular, access to the application used for the management of computerized cemetery registers - carried out during the inspection visit - made it possible to ascertain that the cemetery registry file shows the name and surname of the woman, the date of arrival, the provenance (hospital name), type of body (fetus), date of burial, location (no. box, row, etc.; see Attachment 5 to the report).

Instead, as regards the information that can be provided to users in the cases in question, Roma Capitale has provided that "the personal data contained in the aforementioned documentation cannot be disclosed to third parties but exclusively to the parent, with the consent of the same to those interested". Ama s.p.a. he also declared that "at the offices of the URP (Company's Public Relations Office) and the Call Center, the databases used in carrying out the public information services [include the] management [...], through the which the Cemetery Registers can be accessed”. In order to provide information on the location of the burials "the search is carried out using the name of the deceased and in the case of fetuses [...] it is possible only using the name of the woman. However, this information is provided exclusively to the interested party at [the] offices. In the event of a telephone request, the applicant is invited to formalize the request in writing by attaching a copy of the identity document” (see page 4 of the report).

As proof of compliance with the procedure described above - considering that on the basis of what emerged in the session of the Equal Opportunities Commission, such information would instead have been communicated by telephone on the simple indication of the woman's data - during the inspection it was requested to provide documentary evidence of the instructions provided specifically on this point to the public employees at the Flaminio Cemetery, the URP and the Call Center of the Capitoline cemeteries, as well as to prove that any requests received by telephone were handled, in the manner indicated.

On the first aspect, with the aforementioned note of the XX, Ama S.p.a. he further specified that "the employees in charge of the URP-CALL CENTER office, on verbal instructions from the manager, have no longer released any information about the burial location of fetuses and abortion products and no more requests have been received". With regard, on the other hand, to the methods of handling the requests in question in writing, "documentation relating to some requests and the related written response" was sent and, in particular, some dating back to the months of October and November 2020 (immediately after the news disseminated by the press), which reveal a correct treatment of these requests.

Regarding the new application for the management of cemetery registers, Ama S.p.a. he specified that "with the new computer system, the data necessary to identify the burial of the fetuses will no longer be visible to employees except with an access procedure authorized for a limited and specific number of employees, becoming segregated data".

Having said that, having noted that Ama S.p.a., on the basis of the findings of the inspection visit, had not fully or not entirely adequately implemented the instructions and organizational and technical measures issued by Roma Capitale, the Office, with a note dated XX , prot. no. XX, notified Ama S.p.a., pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions pursuant to art. 58, par. 2, of the Regulation, concerning the alleged violation of articles 5, par. 1, lit. f), 28, 29 and 32 of the Regulation as well as of the art. 2-quaterdecies of the Code.

With note of the XX, prot. no. XX Ama S.p.A. sent to the Guarantor, its written defenses in relation to the notified violation. In particular, the Company stated that:

- With regard to the critical issues and the alleged violations detected [], it is important to reiterate that in the very short time available to us we have adopted all the useful initiatives to eliminate the alleged critical issues [] and our will is firm to complete all the measures aimed at ensuring the protection of personal data of data subjects in implementation of the provisions of Regulation (EU) 2016/679 [];

- with a view to improving the efficiency of the cemetery service and the related fulfilments, also and above all regarding the protection of personal data, with particular reference to the technical and organizational security measures to be adopted, [] AMA S.p.A. has joined a project for the management of personal data processing and related documentation, launched by Roma Capitale with the development of a specific IT platform (MUA)".

With regard to the results of the inspection carried out in field no. 108 the XX during the inspection, the Company further specified that at the time it had "deleted the names on the white crosses, with a special covering paint and affixed the alphanumeric codes. Although the paint conforms to the characteristics useful for fulfilling the task, as reported in the technical data sheet, unexpectedly and unpredictably, over time, in several cases, it has let the name shine through".

With the aforementioned briefs, Ama S.p.a. reiterated that the alleged violations were culpable, as also confirmed by the Court of Rome with order XX, which dismissed the criminal proceedings initiated against two employees of the Company for the crimes referred to in art. 21 of the law n. 194 of 1978 and in art. 167 of the Code due to the lack of the subjective element of intentional fraud and the existence of a purely negligent conduct caused by an incorrect interpretation of the sector regulations and, in particular, of the municipal legislation.

With note of the XX, prot. no. XX Roma Capitale communicated to the Guarantor that following the inspection of the XX, Ama S.p.a. had already notified the execution of the operations to replace the plates on 23 January 2022, and that the "Roma Capitale Offices verified the execution of the intervention with an inspection of the XX".

Finally, it should be noted that with Resolution no. 88 of 3 November 2022, Roma Capitale has definitively approved the amendment of the Cemetery Police Regulations pursuant to City Council Resolution no. 3516 of 10.30.1979, in order to overcome, also for the future, the critical issues identified.

In particular, the art. 4 has been modified and integrated providing that;

- "in the children's boxes [...] the products of conception, abortifacient products and fetuses can be buried at the request of the woman concerned or those entitled (as holders of an acquired right by way of derivative), pursuant to art. 7 of Presidential Decree 285/1990. The transport and burial permits for products of conception, abortifacient products and fetuses are issued by the Local Health Authority and transmitted to the Necroscopic Services of the Capitoline Cemeteries in compliance with the principles of "integrity and confidentiality of data" protected by Legislative Decree Legislative Decree 196/2003 and by Regulation (EU) 2016/679. The burials of the aforementioned are marked by an alphanumeric code or a name, or a pet name, or a symbol, or a date, or other, where the woman concerned explicitly requests it. In a specific section of the cemetery register, the code is associated with the relative transport and burial permit; access to such data is reserved to the woman concerned or to those entitled as per the previous paragraph. In these cases, the burial is carried out by affixing an identification plate containing the aforementioned alphanumeric code or a name, or a pet name, or a symbol, or a date, or other, where the woman concerned explicitly requests it".

4. The regulatory framework

4.1. The legislation on the protection of personal data.

As a preliminary point, it should be noted that the processing of personal data must take place in compliance with the Regulation and the Code.

"Personal data" means "any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social" (art. 4, paragraph 1, n. 1 of the Regulation). The "particular" categories of personal data include "data relating to health", i.e. "personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health" (art. 4, paragraph 1, no. 15, art. 9 and recital no. 35 of the Regulation).

In this context, the processing carried out by public subjects is lawful only if necessary "to fulfill a legal obligation to which the data controller is subject" or "for the execution of a task in the public interest or connected to the exercise of public powers vested in the data controller", or, in the case of data belonging to particular categories, when it is "necessary for reasons of significant public interest on the basis of Union or Member State law, which must be proportionate to the purpose pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the interested party" (Article 6, paragraph 1, letters c) and e), 2 and 3, as well as articles 9, par. 2, lit. g) of the Regulation and 2-ter and 2-sexies of the Code).

The national legislator has defined the public interest for the processing "carried out by subjects who perform tasks of public interest or connected to the exercise of public powers" as "significant" in the matters indicated, albeit not exhaustively, by art. 2-sexies of the Code, establishing that the related treatments "are permitted if they are provided for [...] by provisions of the law or, in the cases provided for by law, regulations that specify the types of data that can be processed, the operations that can be performed and the reason of significant public interest, as well as the appropriate and specific measures to protect the fundamental rights and interests of the interested party” (in the text in force at the time of the events, prior to the amendments made by decree law no. 139 of 8 October 2021).

In this context, in order for the processing of data relating to health to be lawful, it must also take place in compliance with "further conditions, including limitations" (Article 9, paragraph 4, of the Regulation), implemented in national law with the art. 2-septies of the Code, which provides for an express "prohibition of dissemination", i.e. the possibility of giving "knowledge [...] to unspecified subjects, in any form, including by making them available or consulting" of "data relating to health" (Article 2-septies, paragraph 8; Article 2-ter, paragraph 4, letter b) of the Code).

The Regulation also provides that the roles and attributions of the subjects who for various reasons intervene in the processing of personal data must be clearly individual, in particular, of the owner and of the manager, as well as of the subjects who operate under the direct responsibility of these subjects (Articles 4, paragraph 1, point 7, 28 and 29 of the Regulation; Article 2-quaterdecies of the Code).

The art. 28, par. 3, of the Regulation, states that "processing by a data controller must be governed by a contract or other legal act pursuant to Union or Member State law, which binds the data controller to the data controller and which stipulates the disciplined matter and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the data controller" (see also recital no. 81 of the Regulation .

The Data Processor is, therefore, entitled to process the data of the interested parties "only on the documented instruction of the owner" and must adopt "all the measures required pursuant to art. 32" by the owner (Article 28, paragraph 3, letters a) and c) of the Regulation); furthermore, “the data controller, or anyone acting under his authority or under that of the data controller, who has access to personal data cannot process such data unless instructed to do so by the data controller, unless requested the law of the Union or of the Member States” (art. 29 of the Regulation).

At the national level, the 2-quaterdecies of the Code provides that "The data controller or processor may provide, under their own responsibility and within the scope of their organizational structure, that specific tasks and functions connected with the processing of personal data are attributed to natural persons, expressly designated , operating under their authority. The data controller or data processor identifies the most appropriate methods to authorize the processing of personal data by persons who operate under their direct authority".

In any case, the data controller is required to comply with the principles regarding the protection of personal data, including the principle of "lawfulness, correctness and transparency", "purpose limitation", "data minimization". ”, of “accuracy” and “integrity and confidentiality” (Article 5, paragraph 1, letter a), b), c), d) and f), of the Regulation).

In particular, according to the principle of "integrity and confidentiality" the data must be "processed in such a way as to ensure adequate security of personal data, including protection, through appropriate technical and organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage" (Article 5, paragraph 1, letter f), of the Regulation).

In this regard, the art. 32 of the Regulation establishes that "taking into account the state of the art and the costs of implementation, as well as the nature, object of the context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons, the data controller and the data processor implement adequate technical and organizational measures to guarantee a level of security appropriate to the risk" and that "in assessing the adequate level of security, particular account is taken of the risks presented by the processing which derive in particular [...] from the unauthorized disclosure [... of] personal data transmitted, stored or otherwise processed".

As part of the preparation of the technical and organizational measures that meet the requirements established by the Regulation, also in terms of security (articles 5, paragraph 2, 24 and 32 of the Regulation), as mentioned, the owner can make use of a manager for the performance of certain processing activities, to which it gives specific instructions (see recital no. 81 of the Regulation). The application of technical and organizational measures - without prejudice to a "general responsibility" envisaged for the owner in application of the principles established by art. 5, par. 2, so-called "accountability" and by the art. 24 of the Regulation - the data processor is also called to answer ("the data controller and the data processor implement adequate technical and organizational measures", art. 32 of the Regulation). In fact, although the principle of responsibility directly concerns the data controller, some more specific rules refer to both the controller and the manager and both of these subjects may be subject to sanctions in the event of non-fulfillment of the obligations to which they are subject pursuant to the Regulation.

In this framework, the data controller must comply with the instructions of the owner and cannot treat the data in a different way than the same, although these instructions may leave a certain margin of autonomy to the manager.

4.2. The specific legislation of the relevant sector.

Having said that, personal data relating to the termination of pregnancy are fully included in data relating to health (articles 4, paragraph 1, no. 15, and 9, as well as recital 35 of the Regulation). This, not only in cases in which the collection of information on the physical and mental health of the woman in the context of the termination of pregnancy is made explicit by the regulatory provision (see law 22 May 1978, n. 194, "Regulations for the social protection of maternity and on the voluntary interruption of pregnancy", which provides for the voluntary interruption of pregnancy when "the continuation of the pregnancy, childbirth or maternity would involve a serious danger to your physical or mental health, in relation to or to your state of health" (art. 4), or when "pregnancy or childbirth involve a serious danger for the life of the woman" or "pathological processes are ascertained, including those relating to significant anomalies or malformations of the unborn child, which cause a serious danger for the physical or mental health of women" (art. 6), but also in all other cases (voluntary interruption or miscarriage), since it is an event connected to a "provision of health care services" (art. 4, par. 1, no. 15, of the Regulation). In confirmation of this framework, the art. 19 of Legislative Decree no. 151/2001, provides that “The termination of pregnancy, spontaneous or voluntary, in the cases provided for by articles 4, 5 and 6 of law 22 May 1978, n. 194, is considered to all intents and purposes as a disease" (see also provision of the Guarantor no. 334 of 4 June 2015, which can be consulted at www.gpdp.it, web doc. no. 4130998).

The law of 22 May 1978, n. 194 mentioned above, with reference to the processing of personal data, has established a strict regime of confidentiality to protect the woman's right to anonymity. In addition to the penal sanction, envisaged for those who "having become aware of it for professional or office reasons, reveal the identity - or in any case divulge information suitable for revealing it - of those who have resorted to the procedures or interventions envisaged by this law" ( art. 21), the identity of the woman is also protected in relation to the fulfillment of information obligations within the same healthcare context ("The hospital, nursing home or polyclinic [...] are required to send the provincial doctor responsible for the territory a declaration [...] of the intervention itself and of the documentation on the basis of which it took place, without mentioning the identity of the woman", art. 11) and the "respect for the dignity and privacy of the woman" (cf. art. 5 of the aforementioned law n. 194).

The aforesaid confidentiality regime was, moreover, repeatedly reaffirmed by the Guarantor in the context of various interventions, qualifying such data among those subject to "greater protection of anonymity" (opinion on a draft decree on the matter of assistance certificate to the childbirth, of 1 March 2000, web doc. n. 1085431; opinion on draft decree on electronic health records, of 22 May 2014, web doc. n. 3230826; Guidelines on health dossiers, of 4 June 2015, web doc. n. 4084632; see, also, provision 5 March 2008, web doc. n. 1523741, on the ban on disclosing the personal details of the woman who has voluntarily terminated her pregnancy). The regulatory provisions, which provide for enhanced protection for the processing of data relating to women who have undergone an abortion, fall within the specific provisions of the sector without prejudice to art. 75 of the Code.

With regard to the burial of fetuses and abortifacient products, the matter is mainly governed by the Presidential Decree 10 September 1990, no. 285, approving the Mortuary Police Regulations. In particular, the art. 7 provides that "for the burial of abortifacient products with a presumed age of gestation between 20 and 28 complete weeks and of fetuses that have presumably completed 28 weeks of intrauterine age [...], the transport and burial permits are issued by the health unit local. At the request of the parents, products of conception presumed to be less than 20 weeks old can also be collected in the cemetery with the same procedure". In the aforementioned cases "the relatives or whoever represents them are required to present, within 24 hours of the expulsion or extraction of the fetus, a request for burial to the local health unit accompanied by a medical certificate indicating the presumed age of gestation and the weight of the fetus" . The art. 50, also provides that “The following must be received in cemeteries when no other destination is requested: […] d) stillborns and products of conception pursuant to art. 7”.

The art. 52, paragraph 2, then establishes that the following are entered in a register on a daily basis: "a) the burials that are performed, specifying the name, surname, age, place and date of birth of the deceased, according to what results from the authorization deed referred to to art. 6, the year, day and time of burial, the Arabic numeral on the memorial stone and the order number of the burial bill; b) the personal details, as above, of the persons whose corpses are buried, with an indication of the site where they were deposited”. Based on the art. 53, paragraph 2, "One copy of the registers must be delivered, at the end of each year, to the municipal archive, while another remains with the custody service".

Finally, as regards the methods of identification of the burial, the art. 70 provides that "Each grave in the burial fields must be distinguished, by the municipality, by a memorial stone [...] bearing a progressive number. On the memorial stone, by the municipality, a plate of unalterable material will be applied with indication of the name and surname and date of birth and death of the deceased.

The municipal regulation approved with resolution no. 3516 of 23 October 1979 - in force at the time of the events - provides that "In municipal cemeteries, stillbirths and products of conception after the fourth month have the right to be buried [...] (art. 1); “Burials are carried out in different boxes, depending on whether they are the bodies of adults or children up to the age of ten. The stillborn, with a uterine life of no less than six months, are buried in the children's boxes; similarly, abortions can be buried in the squares themselves” (art. 4).

Finally, it should be noted that in the light of the changes made by Roma Capitale to the aforementioned Regulation, art. 4, currently provides that the burials of the fetuses are "marked by an alphanumeric code or a name, or a pet name, or a symbol, or a date, or other, where the woman concerned explicitly requests it. In a specific section of the cemetery register, the code is associated with the relative transport and burial permit; access to such data is reserved to the woman concerned or to those entitled as per the previous paragraph. In these cases, the burial is carried out by affixing an identification plate containing the aforementioned alphanumeric code or a name, or a pet name, or a symbol, or a date, or other, where the woman concerned explicitly requests it".

Finally, it should be remembered that the provisions of the national legal system are interpreted and applied in the light of the European legislation on the protection of personal data (Article 22, paragraph 1, of Legislative Decree No. 101 of 10 August 2018) .

5. Outcome of the preliminary investigation.

5.1. The investigation against the data controller Roma Capitale.

Based on the elements acquired following the complex preliminary activity that involved both Ama S.p.a. that Roma Capitale - which as data controller has general responsibility also for the processing carried out through the person in charge - has been ascertained that the dissemination of the women's data indicated on the plates affixed to the burials of the fetuses was carried out in violation of the regulation on the protection of personal data.

The preliminary investigation ascertained that the illicit diffusion, however, does not concern all the cases governed by art. 7 of the Presidential Decree 285 of 1990.

Stillbirths and products of abortion or conception (of a gestational age between 20 and 28 weeks, or less than 20 weeks), for which the parents or relatives have requested burial (art. 7, paragraphs 2 and 3 ) are buried, at the Flaminio cemetery, in "a special field for the burial on the ground of children up to 10 years of age, to which AMA-Cimiteri Capitolini also allocates fetuses who have had a funeral" and, at the Laurentino cemetery, in the area intended for burials at the request of the parents. In these cases, the women's data is not reported and “recognition is made possible by a code placed on the back of the tombstone. On the front it is possible, if required, to enter names, which can also be "fictitious" (https://...).

The illicit dissemination of women's data, as also highlighted by Roma Capitale with the notes of the XX, prot. no. XX and XX, prot. no. XX, concerns only the cases in which the burial did not take place at the request of the women themselves or of their family members, but at the request of the Local Health Authority. In such cases the burial was carried out "in single pits, marked [...] by a wooden cross and a plaque commonly bearing the name of the mother or the registration number of arrival at the cemetery, if expressly requested by family members ” (https://...).

As evidenced by the personal events reported and/or reported in the press, these are precisely the cases in which - probably also due to a lack of information on the part of the health structures - the women concerned were not made aware of the fact that, even if one chooses not to carry out the burial, this takes place, in any case, at the instigation of the Local Health Authority. Paradoxically, the possibility of indicating "the registration number of the arrival at the cemetery", instead of the personal details of the woman, is provided only "if expressly requested by family members", a request which, however, can hardly be presented in the absence of adequate information.

On the merits, with regard to the indications that must be given on the burials, Roma Capitale and Ama S.p.a. have highlighted that "the legislation on the subject appears to be lacking, since, if on the one hand the aforementioned Presidential Decree specifically provides for the possibility of proceeding with the burial of "abortifacient products" (art. 7), on the other hand, however, requires that each "pit" must be distinguished by a "stone" with indication of the data of the deceased (art. 70) and that "in cases where the birth/death certificate is not expected to be issued by the Civil Status Officer (as in the case, precisely, of "abortion products"), the data relating to the name and surname of the parent and date of extraction/expulsion, the only data available and provided by health facilities, for the purposes of traceability required by the above standards" (see note by Ama Spa of the XX, prot. XX).

Given that the art. 70 of the Presidential Decree 285/1990 requires that the "data of the deceased" be indicated on the memorial stone, in the cases provided for by art. 7, except for the cases of "still births" - for which the burial authorization is issued by the registrar after registration in the relevant registers - in the documentation sent by the local health authority, since it concerns abortifacient or conception products, there are data similar to "data of the deceased". Based on the practice found in the Health Trusts, the authorization for transport and burial, in order to identify the abortifacient products, refers to the woman's personal details. The art. 70, paragraph 2, of the Presidential Decree no. 285 of 1990, in indicating the elements to be reported on the plate of the funeral stone, does not provide for the processing of personal data of living people; their indication in this context - this having to be considered the datum of the woman - as well as not inferable from the aforesaid provision, appears incongruous and incorrect.

Furthermore, the data contained in the documentation sent by the Local Health Authorities, as mentioned, fall within the particular categories of data which are assisted by a regime of greater guarantee. As data relating to health, as a result of the provisions of art. 9, par. 4, of the Regulation, and of the art. 2-septies, paragraph 8, of the Code, are subject to a specific ban on dissemination. Furthermore, the particular confidentiality regime provided for by law no. 194 of 1978 for the data of women who resorted to voluntary termination of pregnancy.

The lamented regulatory gap, therefore, far from legitimizing the treatments in question, precludes the possibility of carrying them out upstream, since the treatment of particular categories of data - given the general prohibition of treatment pursuant to art. 9 of the Regulation - must be expressly provided for "by legal provisions or, in the cases provided for by law, by regulations which specify the types of data that can be processed, the operations that can be performed and the reason of significant public interest, as well as the appropriate measures and specifications to protect the fundamental rights and interests of the data subject" (Article 2-sexies of the Code). Furthermore, as mentioned, the dissemination of data relating to health is, in any case, prohibited (Article 2-septies, paragraph 8, of the Code).

It is also noted that in the face of the proposed need to comply with the provisions of art. 70 of the aforementioned d.P.R. 285 of 1990 and the complained incompleteness of the normative datum, the choice to indicate on the plates the complete personal details of the women also highlights the absence of any assessment regarding the compliance of the treatment with the regulations on the protection of personal data, and in particular of the principles of "lawfulness, transparency and fairness" and "minimization" provided by art. 5, par. 1, lit. a) and c) of the Regulation. This evaluation would have led, with a prudential approach, to use for example only the initials - a choice which would have been in any case not compliant with the regulatory framework which does not provide for the processing of such data - but which would have, in any case, reduced the impact of the processing on rights and fundamental freedoms of the women concerned. On the other hand, the possibility of marking the burial with "a code placed on the back of the tombstone", or with "the registration number of the arrival at the cemetery", renders unfounded what is asserted in the memoirs regarding the need to report the data of the woman "for the purposes of traceability required by the above rules" (see https://...), considering that this purpose would in any case have been pursued through the connection with the registration of the data transmitted by the Health Trusts in the cemetery registers ( also with the methods indicated by the amendments made to the Municipal Cemetery Regulations of Rome Capital).

For these reasons, considering that the indication of the women's data on the plates affixed above the burials appears to have been carried out in the absence of a legal basis (articles 5, paragraph 1, letter a) and 9 of the Regulation; art. 2-sexties of the Code) and in violation of the specific ban on the dissemination of health data (art. 2-septies, paragraph 8, of the Code), that the processing of such data was carried out in an inexact and incongruous way to mark a burial that does not concern the woman (art. 5, paragraph 1, letter d) and, in any case, devoid of a legitimate purpose, given that the need to identify the burial of a fetus could also be pursued by reporting simple codes ( Article 5, paragraph 1, letter b), a corrective measure has been adopted against Roma Capitale, in its capacity as data controller, for the violation of the aforementioned provisions.

5.2. Processing carried out in the absence of specific instructions from the owner.

From the investigation carried out, it emerged that the data controller, while noting that the regulations in force "do not offer a precise reference discipline", until the start of the investigation by the Guarantor, had not given Ama S.p.a. no specific instructions for the cases under consideration. In this context, "the information provided to AMA S.p.A. are inherent [only] to compliance, in addition to the national sector legislation, also with the specific indications concerning the regulation and management of cemetery services" (note XX, prot. XX) which, as ascertained by the preliminary investigation, did not provide specific indications on the processing of personal data in the cases in question.

In this context, Ama S.p.a., in the face of the alleged incompleteness of the regulatory data, which "does not provide for the burial of abortifacient products" and even in the absence of precise instructions from the owner, has in any case managed the burial requests coming from the ASL with the disputed methods, thus contributing to the violations committed by the controller (articles 5, part 1, letter a), b), c) and d), and 9 of the Regulation; articles 2-sexties and 2-septies of the Code).

More specifically, taking into account that the art. art. 29 of the Regulation provides that "The data controller, or anyone acting under his authority or under that of the data controller, who has access to personal data cannot process such data unless instructed to do so by the data controller", Ama S.p.a., in its position as data processor, responds, however, directly for the violation of this provision as it has not requested specific instructions from the data controller; in fact, precisely in the face of the complained incompleteness of the regulatory framework, these instructions would have been more necessary than ever for the management of cases with such delicate implications.

In this context, while acknowledging the difficulties represented by the Company in dialogue with the data controller's personal data protection officer - due to the fact that since the entry into force of EU Regulation 2016/679 the same "has designated three DPO/RPD , making the necessary coordination difficult” – the circumstance that Ama S,p.a. has requested specific instructions from Rome Capital in relation to the treatments object of the investigation does not appear to have been documented.

Furthermore, it should be noted that given the characteristics of the treatments highlighted in the documents - registration in the cemetery registers and dissemination to identify the burials of the data reported in the burial authorizations and in the medico-legal certificates of abortion from local health authorities and hospitals - it is documented that the Company, before starting the investigation, consulted its personal Data Protection Officer, nor that this person, in carrying out his duties, has detected any critical issues in relation to the methods of treatment.
For the above, it is ascertained that Ama S.p.A. was thus made responsible for the violation of the art. 29 of the Regulation.

5.3. The implementation of the instructions given by the owner following the start of the investigation.

As is known, following the press reports and the start of the investigation by the Guarantor, Roma Capitale promptly took steps to overcome the critical issues that emerged, immediately starting the process for amending the cemetery police Regulations (decision no. XX of the XX of the Capitoline Council, with which the proposed resolution n. 246 was approved) and, pending approval, provided Ama S.p.a. detailed instructions on the treatments in question and identifying multiple organizational and technical measures (note of the XX, prot. XX).

With regard to these instructions, the inspection activity of the Authority ascertained that Ama S.p.a., at the date of the on-site visit, had partially, incompletely and partially, inadequately implemented the instructions and organizational measures and techniques requested by the data controller. This, in particular, with reference to the identification of authorized subjects for all stages of processing of personal data transmitted by the Health Authorities, to the conferral of a specific written assignment to them containing both general and specific indications for the management of cases in examination, as well as the preparation and implementation of a personalized and specific training plan for the management of the procedures in question.

As regards the management of the identification plates, the inspection results showed that Ama S.p.a. had, at the time, actually taken steps to "replace" most of the plates in field no. 108, reporting only the correct wordings in the new ones; a number of metal plates - from about a third to half of the total - had not, on the other hand, been replaced but simply "erased" with a covering paint - based on the indications in the technical data sheet, suitable for the purpose - with methods that subsequently proved to be ineffective or not lasting, making, after some time, the data relating to the name and surname of the women and the dates (in some cases, also the wording "Fetus") present under the erasure visible again. However, it was ascertained that in all the metal labels, both in the "replaced" and in the "cancelled" ones, Ama S.p.A. had taken steps to report the new wording indicated in the instructions of Roma Capitale. Therefore, it is ascertained that in relation to the management of the plates, the implementation of the measures and instructions given by the owner was carried out in an incomplete way (failed to replace part of the plates), or subsequently revealed to be inadequate in relation to the coverage of the data on the plates do not replace. This has, in fact, made the underlying personal data visible to anyone again - albeit limited to these cases.

Considering, however, that the paint used proved to be ineffective only after some time and that in the months following the intervention, Roma Capitale declared that no reports were received, the duration of the violation can be considered limited in time.
Therefore, with regard to the implementation of the instructions and the organizational and technical measures imparted by the owner after the start of the investigation, in part, incomplete and, in part, not adequate, Ama S.p.a., was made responsible for the violation of the articles . 28, 29 and 32 of the Regulation and of the art. 2-quaterdecies of the Code.

5.4. Management of cemetery records.

As regards the methods of keeping cemetery registers and archiving the documentation transmitted by the Health Trusts, the investigation highlighted the particular delicacy of the information processed. The circumstance that the data sheets of the cemetery registers have been, as a practice consolidated over time, compiled indicating the name and surname of the woman, implies, in fact, the possibility of extracting from these registers, kept with computerized methods, the list of women who have terminated their pregnancy over the years. Furthermore, considering that the fetuses from all the health facilities located in the territory of Rome are buried in the Capitoline cemeteries, the list that can be extracted from these registers is the one resulting from the sum of the data communicated by all the Local Health Authorities territory of Rome Capital.

The Office had, therefore, reserved the right to examine these further critical profiles in the context of a broader investigation, which concerned the treatments carried out, upstream, by hospital structures and by Health Trusts, in order to assess the compatibility of the methods of transmission of the documentation ascertained - and the concentration of the data described above at the municipal cemetery services - with the regulations on the protection of personal data and with the regime of particular protection pursuant to law no. 194 of 1978.

As a result of this investigation, it was considered that, in application of the minimization principle pursuant to art. 5, par. 1, lit. c), of the Regulation, the Health Authorities will no longer have to report the personal details of the women "in clear text" on the transport and burial authorizations and on the medico-legal certificates that are sent to the cemetery services. In order to reduce the risk of a significant prejudice to the rights of the women concerned, the use by the Health Trusts of specific technical (such as pseudonymisation or data encryption) and/or organizational (obscuring of identifying information of women) would avoid the direct identification of the women concerned without precluding - exclusively in cases where this becomes necessary at the request of those entitled or on the basis of a provision of the law - the possibility of identifying with certainty the product of conception and the place of his burial.

Considering that Roma Capitale has established, as a measure to limit processing, that in the new IT system of cemetery registers, "the woman's personal data [...] will no longer be visible to employees, except with an authorized access procedure to a limited and specific number of employees, becoming a segregated datum", also providing that such information can only be communicated to the woman concerned. Considering also that with Resolution no. 88 of 3 November 2022, the amendments were made to art. 4 of the Municipal Cemetery Police Regulations suitable for overcoming the critical issues identified during the investigation by the Guarantor, in conclusion, it is deemed not necessary to raise findings regarding the keeping of the cemetery registers of Rome Capital, as the aforementioned critical issues are deemed to have been overcome from the actions undertaken and the new ways of acquiring data from the Healthcare Trusts.

6. Conclusions.

In the light of the assessments reported above, it should be noted that the statements made by the data controller during the preliminary investigation ˗ the truthfulness of which may be called upon to answer pursuant to art. 168 of the Code ˗ do not allow to completely overcome the findings notified with deeds of XXX, prot. no. XX, and of the XX, prot. no. XX

For all of the above, the circumstances highlighted in the written defence, examined as a whole, certainly worthy of consideration for the purpose of assessing the conduct, are not sufficient to allow the filing of the present proceeding, as none of the cases envisaged by art. . 11 of the Regulation of the Guarantor n. 1/2019.

In this context, the preliminary assessments of the Office are therefore confirmed and the illegality of the processing of personal data carried out by Ama S.p.a. is noted, as the processing was carried out in violation of art. 29 of the Code, for not having requested specific instructions from the data controller, despite the alleged incompleteness of the regulatory framework and, after the start of the investigation, of the articles 28, 29 and 32 of the Regulation and 2-quaterdecies, in relation to the partly incomplete and partly inadequate implementation of the instructions and technical organizational measures given by the controller in order to overcome the disputed critical issues.

The violation of the aforementioned provisions makes the administrative sanction envisaged by art. 83, par. 4, of the Regulation, pursuant to articles 58, par. 2, lit. i), and 83, par. 3, of the same Regulation, as referred to by art. 166, paragraph 2, of the Code.

In this context, considering, in any case, that the conduct has exhausted its effects, as Ama S.p.a., it has implemented the instructions and measures given by the owner to overcome the critical issues identified - in particular, it has provided for the complete replacement of the plates on burials, which no longer report the personal details of the women, has transmitted to the authorized the instructions given by the owner, providing for a further specific training initiative for the treatments in question, has foreseen in the new application for the management of cemetery registers measures for the segregation of data of women already recorded - and Roma Capitale has approved the amendments to the municipal cemetery police Regulations aimed at overcoming the disputed critical issues, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation.

7. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles 58, par. 2, lit. i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, according to the circumstances of each single case" and, in this context, "the Board [of the Guarantor] adopts the injunction order, with which it also orders the application of the ancillary administrative sanction of its publication, in whole or in part, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by art. 83, par. 2, of the Regulation, in relation to which the following is observed.

In relation to the aforementioned elements, the particular nature, seriousness and duration of the violation was considered, in relation to the type of data and the method of treatment, which involved the dissemination of data relating to health, for which a strict regime of confidentiality to protect women's right to anonymity for the voluntary interruption of pregnancy provided for by law 194 of 1978, the high number of subjects involved and the level of damage suffered by them.

On the other hand, since the start of the investigation, Ama S.p.a. has provided the maximum collaboration with the Authority, providing all the information and elements requested with the urgency of the case, as well as in order to remedy the violations and mitigate the possible effects, promptly implemented - albeit with the limits identified during the investigation - the instructions and organizational and technical measures to remedy the critical issues identified. Furthermore, the non-malicious nature of the violation has been ascertained and there are no previous pertinent violations committed by the Company or previous measures pursuant to art. 58 of the Regulation.

Based on the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction, in the amount of Euro 239,000.00 (two hundred and thirty nine thousand) for the violation of articles 28, 29 and 32 of the Regulation, as well as art. 2-quaterdecies of the Code as a pecuniary administrative sanction, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

Bearing in mind that the investigation concerned the unlawful processing of personal data, and in particular the dissemination of data relating to the health of women who have terminated their pregnancies, in consideration of the delicacy of the data subject to the violation, it is also believed that apply the ancillary sanction of publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7, of the Code and by art. 16 of the Regulation of the Guarantor n. 1/2019.

Finally, it is believed that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

pursuant to art. 57, par. 1, lit. f), of the Regulation, declares the conduct held by Ama S.p.a. unlawful, described, in the terms set out in the justification, consisting in the violation of articles of the articles 28, 29 and 32 of the Regulation, as well as art. 2-quaterdecies of the Code;

ORDER

to Ama S.p.a., with headquarters in Via Calderon de la Barca n. 87, Rome (RM), Fiscal Code 05445891004, pursuant to articles 58, par. 2, lit. i), and 83, par. 4, of the Regulation and of the art. 166, paragraph 2, of the Code, to pay the sum of Euro 239,000.00 (two hundred and thirty nine thousand) as an administrative fine for the violations indicated in the justification;

ENJOYS

to Ama S.p.a. to pay the sum of Euro 239,000.00 (two hundred and thirty-nine thousand) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981. In this regard, it is recalled that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the annex - an amount equal to half of the fine imposed, within 30 days from the date of notification of this provision, pursuant to art. 166, paragraph 8, of the Code (see also art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011);

HAS

the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code;

the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lit. u), of the Regulation, of the violations and measures adopted in accordance with art. 58, par. 2, of the Regulation.

Pursuant to articles 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 27 April 2023

PRESIDENT
Station

THE SPEAKER
Cerrina Feroni

THE SECRETARY GENERAL
Matthew