|
|
| Line 10: |
Line 10: |
| |ECLI= | | |ECLI= |
|
| |
|
| |Original_Source_Name_1=Garante per la protezione dei dati personali | | |Original_Source_Name_1=Garante per la Protezione dei Dati Personali |
| |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9917900 | | |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9909715%20 |
| |Original_Source_Language_1=Italian | | |Original_Source_Language_1=Italian |
| |Original_Source_Language__Code_1=IT | | |Original_Source_Language__Code_1=IT |
| Line 19: |
Line 19: |
| |Original_Source_Language__Code_2= | | |Original_Source_Language__Code_2= |
|
| |
|
| |Type=Investigation | | |Type=Complaint |
| |Outcome=Violation Found | | |Outcome=Upheld |
| |Date_Started=15.02.2019 | | |Date_Started=29.12.2021 |
| |Date_Decided=08.06.2023 | | |Date_Decided=08.06.2023 |
| |Date_Published=02.08.2023 | | |Date_Published=18.07.2023 |
| |Year=2023 | | |Year=2023 |
| |Fine=5000 | | |Fine=30,000 |
| |Currency=EUR | | |Currency=EUR |
|
| |
|
| |GDPR_Article_1=Article 5(1)(a) GDPR | | |GDPR_Article_1=Article 5(1)(a) GDPR |
| |GDPR_Article_Link_1=Article 5 GDPR#1a | | |GDPR_Article_Link_1=Article 5 GDPR#1a |
| |GDPR_Article_2=Article 58(2)(i) GDPR | | |GDPR_Article_2=Article 5(1)(c) GDPR |
| |GDPR_Article_Link_2=Article 58 GDPR#2i | | |GDPR_Article_Link_2=Article 5 GDPR#1c |
| |GDPR_Article_3=Article 83 GDPR | | |GDPR_Article_3=Article 5(1)(d) GDPR |
| |GDPR_Article_Link_3=Article 83 GDPR | | |GDPR_Article_Link_3=Article 5 GDPR#1d |
| |GDPR_Article_4= | | |GDPR_Article_4=Article 9 GDPR |
| |GDPR_Article_Link_4= | | |GDPR_Article_Link_4=Article 9 GDPR |
| |GDPR_Article_5= | | |GDPR_Article_5=Article 83 GDPR |
| |GDPR_Article_Link_5= | | |GDPR_Article_Link_5=Article 83 GDPR |
| | |GDPR_Article_6=Article 85 GDPR |
| | |GDPR_Article_Link_6=Article 85 GDPR |
| | |GDPR_Article_7= |
| | |GDPR_Article_Link_7= |
| | |GDPR_Article_8= |
| | |GDPR_Article_Link_8= |
|
| |
|
| |EU_Law_Name_1= | | |EU_Law_Name_1= |
| Line 44: |
Line 50: |
| |EU_Law_Link_2= | | |EU_Law_Link_2= |
|
| |
|
| |National_Law_Name_1=Section 157 Legislative Decree No. 196/2003 | | |National_Law_Name_1=Section 10 of the Deontological Rules - Official Gazette of 4 January 2019, No. 3 |
| |National_Law_Link_1=http://www.privacy.it/archivio/privacycode-en.html#sect157%20 | | |National_Law_Link_1= |
| |National_Law_Name_2= | | |National_Law_Name_2=Section 137(1) of the Legislative Decree No. 196 of 30 June 2003 |
| |National_Law_Link_2= | | |National_Law_Link_2=http://www.privacy.it/archivio/privacycode-en.html#sect137 |
| |National_Law_Name_3= | | |National_Law_Name_3=Section 137(3) of the Legislative Decree No. 196 of 30 June 2003 |
| |National_Law_Link_3= | | |National_Law_Link_3=http://www.privacy.it/archivio/privacycode-en.html#sect137 |
| | |National_Law_Name_4=Section 7 of the Codes of Conduct accompanying the Legislative Decree No. 196 of 30 June 2003, Governing the Processing of Personal Data in the Exercise of Journalistic Activities |
| | |National_Law_Link_4=http://www.privacy.it/archivio/privacycode-en.html#annexa1 |
| | |National_Law_Name_5= |
| | |National_Law_Link_5= |
| | |National_Law_Name_6= |
| | |National_Law_Link_6= |
|
| |
|
| |Party_Name_1=Mirva S.R.L | | |Party_Name_1= |
| |Party_Link_1= | | |Party_Link_1= |
| |Party_Name_2= | | |Party_Name_2= |
| |Party_Link_2= | | |Party_Link_2= |
| |Party_Name_3=
| |
| |Party_Link_3=
| |
|
| |
|
| |Appeal_To_Body= | | |Appeal_To_Body= |
| |Appeal_To_Case_Number_Name= | | |Appeal_To_Case_Number_Name= |
| |Appeal_To_Status=Not appealed | | |Appeal_To_Status= |
| |Appeal_To_Link= | | |Appeal_To_Link= |
|
| |
|
| Line 67: |
Line 77: |
| }} | | }} |
|
| |
|
| The installation of video surveillance system by a company in their premises without sufficient notification of the filming was found to be in breach of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] by the Italian DPA. The company was fined €5000. | | The Italian DPA issued a fine of €30,000 to a local newspaper for publishing a minor’s data. |
|
| |
|
| == English Summary == | | == English Summary == |
|
| |
|
| === Facts === | | === Facts === |
| The Company had installed a video surveillance system in its registered office. The surveillance extended to both inside the facility and outside of the facility. The cameras inside of the facility filmed employees working, while those outside monitored the external areas. These external areas included an area shared with another company and a section of the road in-front of the premises. There was only one sign notifying people of the filming. The sign was only visible to those about to enter the work premises.
| | On 29 December 2021 and 28 Jan 2022, two complaints were filed by two data subjects against a newspaper company (the controller), for having published the news of their child’s death and images of his funeral without their consent. In addition to publishing the news of their child’s death, the newspaper also published the alleged illness that the child had been suffering from, his age and date of birth, as well as the name and surname of his one-year old sibling. To add to this, the newspaper also published the data subjects’ names, place of residence and occupation. This information had been published on the newspaper’s front page, their promotional posters and on their online website. |
|
| |
|
| In addition, throughout the proceedings, the DPA had requested further information from the company. The company on multiple occasions had failed to respond to the DPA’s requests. Under Section 157 Legislative Decree No. 196/2003 (Italian national law), a supervisory authority may request that a data controller or processor provide information relating to an investigation. A request by a supervisory authority for information imposes a legal obligation upon a processor or controller to respond to such a request. | | In response to the data subject’s complaints, the controller made submissions arguing that the “veil of confidentiality” had been lifted, as the news of the child’s death was well-known in the local community. They argued that the death had been disseminated to the community by the local parish priest at a church service, and thus, given that the information was in the public domain, they were not in violation of the GDPR. [[Article 85 GDPR|Article 85 GDPR]] governs the reconciliation of journalistic freedom with data protection. However, the GDPR leaves this task to the legislatures of each Member State, consequently the laws governing this area are domestic laws. |
| | |
| | The applicable Italian domestic laws referenced by the DPA in this case are as follows: |
| | i. Section 137(3) of the Legislative Decree No. 196 of 30 June 2003, and Sections 5 and 6 of the Deontological Rules (Official Gazette of 4 January 2019, No. 3). These provisions restrict the dissemination of personal data by the press, by establishing a test which asks that the information published must be of “an essential nature (…) to the public interest.” |
| | ii. Section 7 of the Codes of Conduct accompanying the Legislative Decree No. 196 of 30 June 2003, which govern the processing of personal data in the exercise of journalistic activities. Section 7 provides that in order to protect a minor’s personality, journalists shall not publish the names of minors involved in news events, nor shall they provide details capable of leading to their identification. Section 7 is supplemented by the Treviso Charter. |
| | iii. Section 8 of the Charter of Treviso states that “(…) in the case of minors (…) who have died due to illness, their memory must be protected by avoiding the diffusion of their personal details, images and any other identifying elements unless the persons entitled to them give their consent.” |
| | iv. Section 10 of the Deontological Rules (Official Gazette of 4 January 2019, No. 3), which provides that in relation to “serious or terminal illness referable to an identified or identifiable person, a journalist must respect the dignity, confidentiality and personal decency of that person and to refrain from publishing analytical data of strictly clinical interest.” |
|
| |
|
| === Holding === | | === Holding === |
| The Italian DPA held that the company had (1) breached [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and (2) Section 157 Legislative Decree No. 196/2003. | | The Italian DPA held that the controller’s processing was unlawful for the purposes of Articles 5(1)(a), 5(1)(c), 5(1)(d) GDPR, [[Article 9 GDPR|Article 9 GDPR]], and [[Article 85 GDPR|Article 85 GDPR]] when read in line with domestic legislation. This was decided on the following grounds: |
| | |
| | 1. The nature of the controller’s processing violated Article 5(1)(a), 5(1)(c) and 5(1)(d) GDPR. The publication of the late child’s personal details, as well as the name and age of the younger sibling and the data subjects’ personal information was in breach of the principle of data minimisation. The Italian DPA found that the publication of this information was not essential to the public interest, and in actuality was excessive and irrelevant. |
| | |
| | 2. The publication of the deceased minor’s health data was a violation of [[Article 9 GDPR|Article 9 GDPR]]. To clarify, the scope of the GDPR extends only to living natural persons (Article 2 GDPR). However, the data subjects in this case were the parents of the deceased minor, who made a claim in their own right as parents exercising parental authority over the minor and his data. Consequently, the DPA accepted the data subjects’ submission that the publication of the health data was in breach of [[Article 9 GDPR|Article 9 GDPR]]. |
|
| |
|
| # The Italian DPA held that the company had breached the principle of lawfulness under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. It came to this conclusion on two grounds. The first was that there was insufficient notice of the surveillance system. The second was that the surveillance system filmed areas in which the company was not operating in.
| | 3. The controller’s processing was in violation of [[Article 85 GDPR|Article 85 GDPR]] and the aforementioned domestic laws governing journalistic freedom in the context of data protection. The Italian DPA concluded that the disclosure of a minor’s details did not fall within the scope of the test of essentiality. Noting that “the protection of the dignity of sick and deceased persons is to be considered further strengthened in the case of a minor, in this case, a five-year old child, also, in order to protect his family unit and his memory and that, therefore, the public interest parameter of the alleged illness from which he was suffering cannot be considered essential.” |
| # In addition, the Italian DPA found that the company had violated its obligations under Section 157 Legislative Decree No. 196/2003, by failing to respond to the DPA´s request for further information.
| |
|
| |
|
| Consequently, pursuant to Article 58(2)(i) and Article 83 GDPR, the Italian DPA fined the company €5000. | | Consequently, the Italian DPA made an order under [[Article 58 GDPR#2f|Article 58(2)(f) GDPR]], prohibiting further processing. In addition, the DPA issued a fine of €30,000. The maximum applicable fine in this case was €20 million on the basis of the controller’s annual turnover. However, given that the controller had not previously committed any similar infringements, the Italian DPA decided to fine them 0.15% of the maximum fineable amount, at €30,000. |
|
| |
|
| == Comment == | | == Comment == |
| Line 94: |
Line 113: |
|
| |
|
| <pre> | | <pre> |
| [doc. web no. 9917900]
| |
|
| |
| Provision of 8 June 2023
| |
|
| |
| Register of measures
| |
| no. 244 of 8 June 2023
| |
|
| |
| THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
| |
|
| |
| IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei general secretary;
| |
|
| |
| HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");
| |
|
| |
| HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";
| |
|
| |
| HAVING REGARD to the inspection report drawn up by the Guardia di Finanza - Special unit for the protection of privacy and technological fraud with which the presence of a video surveillance system was detected at the registered office of Mirva s.r.l. does not comply with the provisions of articles 5, par. 1, lit. a), 114 and 157 of Legislative Decree 196/2003 (Personal Data Protection Code);
| |
|
| |
| HAVING EXAMINED the documentation in the deeds;
| |
|
| |
| HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;
| |
|
| |
| SPEAKER Prof. Pasquale Stanzione;
| |
|
| |
| WHEREAS
| |
|
| |
| 1. The assessment documents and the initiation of the proceeding.
| |
|
| |
| With a note dated 2.15.2019, the illegal installation of a video surveillance system by the company Mirva s.r.l. was reported to the Authority. (hereinafter, the Company), located at the registered office of the Company, located in Settimo Milanese (MI), via Keplero 21, as it operates in the absence of information signs and is suitable for also covering areas not pertaining to the Company.
| |
|
| |
| The Office has launched a preliminary investigation into the facts reported by sending two requests for information to the Company (note dated 20.5.2019 and note dated 5.9.2019).
| |
|
| |
| Not having received a reply to the aforementioned requests for information, the collaboration of the special unit for the protection of privacy and technological fraud of the Guardia di Finanza was requested for the collection of information relating to the reported incident and a proceeding was simultaneously initiated, pursuant to art. . 166, paragraph 5, of Legislative Decree 196/2003 (prot. 39735 of 18.1.2019), regarding the failure to respond to the preliminary requests of the Guarantor.
| |
|
| |
| On the occasion of the inspection it was found that, at the company premises, there were "six video cameras, two of which inside the shed and four placed for surveillance of the external areas" capable of also filming the work activities of the employees (especially the two installed inside the structure).
| |
|
| |
| The system was found to work and it was ascertained that, at the facility, there was only one information sign relating to the video surveillance system, visible to anyone about to enter the shed (see documents of the Unit - report of operations carried out on 12 December 2019).
| |
|
| |
| During the inspections, the following was represented:
| |
|
| |
| - that "The plant is not owned by the Company [but was] given on loan by the Supervisory Institute";
| |
|
| |
| - that the system, installed to ensure the safety of goods and people, consists of 6 video cameras of which, two placed to monitor the entrance with a viewing angle that includes "in addition to the pertinent area in front of the shed, an area shared with another company”, as well as “a short section of the road in front”; two that include only areas pertaining to the Company; two others located inside the structure with a shot facing some limited parts of the work area, but - as specified by the auditors - able to "resume the work of the employees";
| |
|
| |
| - not to be in possession of a specific authorization from the Territorial Labor Inspectorate;
| |
|
| |
| - that "the images, as well as [by the legal representative], can also be viewed via the internet, also by the Supervisory Authority, but only in the event of an alarm".
| |
|
| |
| Based on the results of the aforementioned assessment, the Office, with note no. 4348 of 02.03.2020, has initiated a second proceeding for the adoption of corrective measures in relation to the violation of the principle of lawfulness of the processing pursuant to art. 5, par. 1, lit. a), of the art. 4 of Law no. 300/1970, referred to by art. 114 of the Code as well as art. 37 of the Regulation.
| |
|
| |
| The notification of the violations relating to this procedure was sent by registered mail with acknowledgment of receipt addressed to the registered office in Settimio Milanese (MI), via Keplero 21.
| |
|
| |
| With reference to this communication, it should be noted that, despite the verified correspondence of the address indicated with that resulting from the company's chamber of commerce registration, the relative envelope was returned due to the recipient's "unavailability", as shown by the annotation dated 10.2.2020 affixed to it.
| |
|
| |
| We then proceeded to make, on 31.3.2020 and 7.4.2020, two further attempts at notification by PEC, to the digital domicile of the Company resulting from the chamber of commerce registration (mirvasrl@pec.ambs.it), both unsuccessful end, as the relative message for "invalid address" has not been delivered.
| |
|
| |
| Only on 11.11.2021, the Guardia di Finanza - Compagnia Rho, at the request of the Authority, proceeded to notify the party of the note containing the act of initiation of the sanctioning procedure pursuant to art. 166, paragraph 5 of Legislative Decree 196/2003 (prot. n. 4348 of 02/03/2020).
| |
|
| |
| In this regard, however, it is necessary to take into account the peaceful orientation of the jurisprudence of legitimacy which has extended to the notification in the administrative sanctioning procedure, the application of the principle established by the Joint Sections for the acts of the civil trial, according to which in case of notification [...] successful for reasons not attributable to the notifier, the latter, having learned of the negative outcome, must reactivate the notification process immediately and promptly carry out the actions necessary for its completion, i.e. without exceeding the limit, in order to preserve the effects connected to the original request of time equal to half of the terms indicated by art. 325 c.p.c., except in exceptional circumstances of which rigorous proof is given (Civ. of the Supreme Court sentence n. 14594/2016; previously, Civ. of the Supreme Court n. 17352/2009), specifying how this last reference must be understood as a reference to the half of the term assigned by law for each notification activity (Civ. ord. Cassation n. 36463/2022; Civ. ord. Cassation n. 28136/2022; Civ. ord. Cassation n. 28388/2017; Civ. . order no. 28618/2017).
| |
|
| |
| In the light of this principle, it should be noted that the first attempt to renew the notification, carried out on 31.3.2021, more than a year after the Authority learned of the negative outcome of the attempted notification by registered letter, is late, as it was certainly completed after the 60-day deadline (corresponding to half of the peremptory deadline of 120 days, set out in table B), attached to the Guarantor's Regulation no. 2/2019, for the notification of alleged violations ascertained), identified by applying the criterion elaborated by the jurisprudence of legitimacy referred to.
| |
|
| |
| And this conclusion must also be confirmed taking into account the suspension of the 83-day terms, from 23 February 2020 to 15 May 2020, linked to the epidemiological emergency from COVID-19 (pursuant to article 103, paragraphs 1 and 1-bis, Legislative Decree no. 18/2020 and art. 37, paragraph 1, Legislative Decree no. 23/2020).
| |
|
| |
| Having considered all of the above, it is therefore deemed necessary to order the filing of the second proceeding, initiated by the deed prot. no. 4348 of 3.2.2020.
| |
|
| |
| 2. The outcome of the preliminary investigation and the sanctioning procedure.
| |
|
| |
| Based on the documents, it is noted that the Company, having failed to respond to the Guarantor's request within the established deadlines, has violated the obligation set forth in art. 157 of the Code regarding the protection of personal data.
| |
|
| |
| 3. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
| |
|
| |
| Pursuant to art. 58, par. 2, lit. i) of the Regulation and of the art. 166, paragraphs 3 and 7 of the Code, the Guarantor orders the application of the pecuniary administrative sanction provided for by art. 83, par. 5, letter. a) of the Regulations, by adopting an injunction order (pursuant to Article 18 of Law No. 689 of 24.11.1981), in relation to the processing of personal data carried out by the Company, of which the illicitness, in the terms set out above, of the art. 157 of the Code.
| |
|
| |
| With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and the relative quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1 of the Regulation), it is represented that In the present case, the following circumstances were considered:
| |
|
| |
| in relation to the nature, gravity and duration of the violation, the nature of the violation was considered, which concerned the duty of loyal collaboration with the Authority;
| |
|
| |
| with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, it is noted that the violation is negligent in nature;
| |
|
| |
| the absence of specific precedents against the Company.
| |
|
| |
| In the light of the elements indicated above and the assessments made, it is believed, in the present case, to apply the administrative sanction of payment of a sum equal to 5,000 (five thousand) euros against Mirva s.r.l..
| |
|
| |
| It is also believed that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
| |
|
| |
| It should be remembered that, if the conditions are met, the sanction referred to in art. 83, par. 5, letter. e) of the Regulation.
| |
|
| |
| ALL THAT BEING CONSIDERED, THE GUARANTOR
| |
|
| |
| detects the unlawfulness of the processing carried out by Mirva s.r.l., in the terms set out in the justification, for the violation of the art. 157 of Legislative Decree 196/2003;
| |
|
| |
| DETERMINE
| |
|
| |
| to archive, for the reasons specifically indicated above, the proceeding initiated against Mirva s.r.l., with note prot. no. 4348 of 02/03/2020;
| |
|
| |
| ORDER
| |
|
| |
| pursuant to art. 58, par. 2, lit. i) of the Regulation, to Mirva s.r.l., with registered office in Settimo Milanese (MI) Via Keplero 21, P.I. 10226240967, to pay the sum of 5,000 (five thousand) euros as a pecuniary administrative sanction for the violation indicated in this provision;
| |
|
| |
| ENJOYS
| |
|
| |
| then to Mirva s.r.l. to pay the aforementioned sum of 5,000 (five thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.
| |
|
| |
| It is represented that pursuant to art. 166, paragraph 8 of the Code, without prejudice to the offender's right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the term referred to in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below;
| |
|
| |
| HAS
| |
|
| |
| pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set forth in art. 17 of regulation no. 1/2019.
| |
|
| |
| Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.
| |
|
| |
| Rome, 8 June 2023
| |
|
| |
| PRESIDENT
| |
| Station
| |
|
| |
| THE SPEAKER
| |
| Station
| |
|
| |
| THE SECRETARY GENERAL
| |
| Matthew
| |
|
| |
|
| |
|
| |
| [doc. web no. 9917900]
| |
|
| |
| Provision of 8 June 2023
| |
|
| |
| Register of measures
| |
| no. 244 of 8 June 2023
| |
|
| |
| THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
| |
|
| |
| IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components, and the cons. Fabio Mattei general secretary;
| |
|
| |
| HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");
| |
|
| |
| HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 (Code regarding the protection of personal data, hereinafter the "Code") as amended by Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679";
| |
|
| |
| HAVING REGARD to the inspection report drawn up by the Guardia di Finanza - Special unit for the protection of privacy and technological fraud with which the presence of a video surveillance system was detected at the registered office of Mirva s.r.l. does not comply with the provisions of articles 5, par. 1, lit. a), 114 and 157 of Legislative Decree 196/2003 (Personal Data Protection Code);
| |
|
| |
| HAVING EXAMINED the documentation in the deeds;
| |
|
| |
| HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;
| |
|
| |
| SPEAKER Prof. Pasquale Stanzione;
| |
|
| |
| WHEREAS
| |
|
| |
| 1. The assessment documents and the initiation of the proceeding.
| |
|
| |
| With a note dated 2.15.2019, the illegal installation of a video surveillance system by the company Mirva s.r.l. was reported to the Authority. (hereinafter, the Company), located at the registered office of the Company, located in Settimo Milanese (MI), via Keplero 21, as it operates in the absence of information signs and is suitable for also covering areas not pertaining to the Company.
| |
|
| |
| The Office has launched a preliminary investigation into the facts reported by sending two requests for information to the Company (note dated 20.5.2019 and note dated 5.9.2019).
| |
|
| |
| Not having received a reply to the aforementioned requests for information, the collaboration of the special unit for the protection of privacy and technological fraud of the Guardia di Finanza was requested for the collection of information relating to the reported incident and a proceeding was simultaneously initiated, pursuant to art. . 166, paragraph 5, of Legislative Decree 196/2003 (prot. 39735 of 18.1.2019), regarding the failure to respond to the preliminary requests of the Guarantor.
| |
|
| |
| On the occasion of the inspection it was found that, at the company premises, there were "six video cameras, two of which inside the shed and four placed for surveillance of the external areas" capable of also filming the work activities of the employees (especially the two installed inside the structure).
| |
|
| |
| The system was found to work and it was ascertained that, at the facility, there was only one information sign relating to the video surveillance system, visible to anyone about to enter the shed (see documents of the Unit - report of operations carried out on 12 December 2019).
| |
|
| |
| During the inspections, the following was represented:
| |
|
| |
| - that "The plant is not owned by the Company [but was] given on loan by the Supervisory Institute";
| |
|
| |
| - that the system, installed to ensure the safety of goods and people, consists of 6 video cameras of which, two placed to monitor the entrance with a viewing angle that includes "in addition to the pertinent area in front of the shed, an area shared with another company”, as well as “a short section of the road in front”; two that include only areas pertaining to the Company; two others located inside the structure with a shot facing some limited parts of the work area, but - as specified by the auditors - able to "resume the work of the employees";
| |
|
| |
| - not to be in possession of a specific authorization from the Territorial Labor Inspectorate;
| |
|
| |
| - that "the images, as well as [by the legal representative], can also be viewed via the internet, also by the Supervisory Institute, but only in the event of an alarm".
| |
|
| |
| Based on the results of the aforementioned assessment, the Office, with note no. 4348 of 02.03.2020, has initiated a second proceeding for the adoption of corrective measures in relation to the violation of the principle of lawfulness of the processing pursuant to art. 5, par. 1, lit. a), of the art. 4 of Law no. 300/1970, referred to by art. 114 of the Code as well as art. 37 of the Regulation.
| |
|
| |
| The notification of the violations relating to this procedure was sent by registered mail with acknowledgment of receipt addressed to the registered office in Settimio Milanese (MI), via Keplero 21.
| |
|
| |
| With reference to this communication, it should be noted that, despite the verified correspondence of the address indicated with that resulting from the company's chamber of commerce registration, the relative envelope was returned due to the recipient's "unavailability", as shown by the annotation dated 10.2.2020 affixed to it.
| |
|
| |
| We then proceeded to make, on 31.3.2020 and 7.4.2020, two further attempts at notification by PEC, to the digital domicile of the Company resulting from the chamber of commerce registration (mirvasrl@pec.ambs.it), both unsuccessful end, as the relative message for "invalid address" has not been delivered.
| |
|
| |
| Only on 11.11.2021, the Guardia di Finanza - Compagnia Rho, at the request of the Authority, proceeded to notify the party of the note containing the act of initiation of the sanctioning procedure pursuant to art. 166, paragraph 5 of Legislative Decree 196/2003 (prot. n. 4348 of 02/03/2020).
| |
|
| |
| In this regard, however, it is necessary to take into account the peaceful orientation of the jurisprudence of legitimacy which has extended to the notification in the administrative sanctioning procedure, the application of the principle established by the Joint Sections for the acts of the civil trial, according to which in case of notification [...] successful for reasons not attributable to the notifier, the latter, having learned of the negative outcome, must reactivate the notification process immediately and promptly carry out the actions necessary for its completion, i.e. without exceeding the limit, in order to preserve the effects connected to the original request of time equal to half of the terms indicated by art. 325 c.p.c., except in exceptional circumstances of which rigorous proof is given (Civ. of the Supreme Court sentence n. 14594/2016; previously, Civ. of the Supreme Court n. 17352/2009), specifying how this last reference must be understood as a reference to the half of the term assigned by law for each notification activity (Civ. ord. Cassation n. 36463/2022; Civ. ord. Cassation n. 28136/2022; Civ. ord. Cassation n. 28388/2017; Civ. . order no. 28618/2017).
| |
|
| |
| In the light of this principle, it should be noted that the first attempt to renew the notification, carried out on 31.3.2021, more than a year after the Authority learned of the negative outcome of the attempted notification by registered letter, is late, as it was certainly completed after the 60-day deadline (corresponding to half of the peremptory deadline of 120 days, set out in table B), attached to the Guarantor's Regulation no. 2/2019, for the notification of alleged violations ascertained), identified by applying the criterion elaborated by the jurisprudence of legitimacy referred to.
| |
|
| |
| And this conclusion must also be confirmed taking into account the suspension of the 83-day terms, from 23 February 2020 to 15 May 2020, linked to the epidemiological emergency from COVID-19 (pursuant to article 103, paragraphs 1 and 1-bis, Legislative Decree no. 18/2020 and art. 37, paragraph 1, Legislative Decree no. 23/2020).
| |
|
| |
| Having considered all of the above, it is therefore deemed necessary to order the filing of the second proceeding, initiated by the deed prot. no. 4348 of 3.2.2020.
| |
|
| |
| 2. The outcome of the preliminary investigation and the sanctioning procedure.
| |
|
| |
| Based on the documents, it is noted that the Company, having failed to respond to the Guarantor's request within the established deadlines, has violated the obligation set forth in art. 157 of the Code regarding the protection of personal data.
| |
|
| |
| 3. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
| |
|
| |
| Pursuant to art. 58, par. 2, lit. i) of the Regulation and of the art. 166, paragraphs 3 and 7 of the Code, the Guarantor orders the application of the pecuniary administrative sanction provided for by art. 83, par. 5, letter. a) of the Regulations, by adopting an injunction order (pursuant to Article 18 of Law No. 689 of 24.11.1981), in relation to the processing of personal data carried out by the Company, of which the illicitness, in the terms set out above, of the art. 157 of the Code.
| |
|
| |
| With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and the relative quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 83, paragraph 1 of the Regulation), it is represented that In the present case, the following circumstances were considered:
| |
|
| |
| in relation to the nature, gravity and duration of the violation, the nature of the violation was considered, which concerned the duty of loyal collaboration with the Authority;
| |
|
| |
| with reference to the intentional or negligent nature of the violation and the degree of responsibility of the owner, it is noted that the violation is negligent in nature;
| |
|
| |
| the absence of specific precedents against the Company.
| |
|
| |
| In the light of the elements indicated above and the assessments made, it is believed, in the present case, to apply the administrative sanction of payment of a sum equal to 5,000 (five thousand) euros against Mirva s.r.l..
| |
|
| |
| It is also believed that the conditions pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
| |
|
| |
| It should be remembered that, if the conditions are met, the sanction referred to in art. 83, par. 5, letter. e) of the Regulation.
| |
|
| |
| ALL THAT BEING CONSIDERED, THE GUARANTOR
| |
|
| |
| detects the unlawfulness of the processing carried out by Mirva s.r.l., in the terms set out in the justification, for the violation of the art. 157 of Legislative Decree 196/2003;
| |
|
| |
| DETERMINE
| |
|
| |
| to archive, for the reasons specifically indicated above, the proceeding initiated against Mirva s.r.l., with note prot. no. 4348 of 02/03/2020;
| |
|
| |
| ORDER
| |
|
| |
| pursuant to art. 58, par. 2, lit. i) of the Regulation, to Mirva s.r.l., with registered office in Settimo Milanese (MI) Via Keplero 21, P.I. 10226240967, to pay the sum of 5,000 (five thousand) euros as a pecuniary administrative sanction for the violation indicated in this provision;
| |
|
| |
| ENJOYS
| |
|
| |
| then to Mirva s.r.l. to pay the aforementioned sum of 5,000 (five thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.
| |
|
| |
| It is represented that pursuant to art. 166, paragraph 8 of the Code, without prejudice to the offender's right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the term referred to in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below;
| |
|
| |
| HAS
| |
|
| |
| pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set forth in art. 17 of regulation no. 1/2019.
| |
|
| |
| Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.
| |
|
| |
| Rome, 8 June 2023
| |
|
| |
| PRESIDENT
| |
| Station
| |
|
| |
| THE SPEAKER
| |
| Station
| |
|
| |
|
| THE SECRETARY GENERAL
| |
| Matthew
| |
| </pre> | | </pre> |
