Garante per la protezione dei dati personali (Italy) - 9920664

Garante per la protezione dei dati personali - 9920664
Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 5(1)(a) GDPR Article 6 GDPR Article 28 GDPR Art. 29 D.lgs. 30 giugno 2003, n. 196
Type:	Complaint
Outcome:	Upheld
Started:	18.07.2023
Decided:	18.07.2023
Published:
Fine:	10000 EUR
Parties:	Municipality of Modica Cat S.r.l.
National Case Number/Name:	9920664
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Italian
Original Source:	Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor:	Kevin

The Italian DPA fined the municipality of Modica because it has concluded an agreement with a private company without comply with the Article 28 GDPR, Article 5 (1)(a) GDPR and Article 6 GDPR.

English Summary

Facts

The municipality of Modica has concluded an agreement with a private company for providing the installation of camera of surveillance and monitoring the videos related to possible environmental offences. A Modica’s inhabitant appealed to the Italian DPA complaining the possibility of privacy’s infringement. The processing is permitted because, under Article 6 (1)(c)(d), the waste management is part of exercise of official authority vested in the controller. However, the Italian DPA finds that the agreement between the municipality and the company was not conformed as required by Article 28 GDPR because it didn’t specify the role of the processor. In fact, the Italian DPA stated that do not specify the role of the processor infringe the principles of lawfully, fairly and in a transparent provided by Article 5 (1)(a) and Article 6 GDPR. Furthermore, the agreement must always ensure a processing of personal data conformed to the GDPR and national laws.

Holding

The Italians DPA fines the municipality of Modica for 10.000 euro for infringement of Article 28 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9920664]

Provision of 18 July 2023

Register of measures
n. 314 of 18 July 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196, “Personal data protection code”, as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the Regulation (hereinafter "Code");

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette. n. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation in the documents;

GIVEN the observations of the Office formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

SPEAKER Dr. Agostino Ghiglia;

1. Introduction

With a report submitted to the Authority, a citizen of the Municipality of Modica (hereinafter, the Municipality) complained about the violation of the regulations regarding the protection of personal data which occurred through the video surveillance system placed near the bins used for waste collection . From the preliminary information collected, it emerged that the Municipality has appointed Cat s.r.l. (hereinafter, the company), the supply, management and maintenance of the aforementioned video devices.

2. The preliminary investigation activity

In response to a request for information from the Authority (prot. n. XX of the XX), the Municipality, with note prot. n. XX of the XX, declared, in particular, that "in order to combat the widespread phenomenon of waste abandonment and the incorrect disposal of solid urban waste, with its own decisions [...] it has entrusted the task [to] Cat s.r.l.[... ], for the purchase, installation and maintenance of fixed cameras, and collection and analysis of videos relating to environmental violations, both administrative and criminal" and to have "appointed the company as auxiliaries of the Judicial Police" for the collection, analysis and delivery of the aforementioned films [...]".

In response to a further request for information from the Authority (prot. note XX of the XX), the Municipality, with note prot. n. XX of the XX, declared in particular that:

- "Cat srl" in the context of video surveillance activities, played the role of auxiliary of the judicial police [...] appointed by the local police command of this municipality. The company "Cat srl" had the task as per the agreement of carrying out an initial analysis and selection of the videos in which a violation or crime was highlighted. The stipulated agreement is the report of appointment by the local Police Command [... of the XX]";

- “Cat srl” has […] started to provide its services to this Municipality for the purposes of managing video surveillance to combat the illicit/uncontrolled abandonment of waste and the disfigurement of the territory [… on] XX”.

On this point, in response to a request for information from the Authority (prot. note XX of XX), the company (PEC of XX declared:

- “For the first period, after the installation of the cameras (attached determination) (used to combat the abandonment of waste, our company only had the mandate to [...] Move the cameras to the sites indicated by the ecology service manager […] Collection and physical replacement of the memories which were then delivered by the person in charge indicated to me by the ecology service of the municipal police”;

- "In the following period, given the lack of staff, our employee was appointed as PG auxiliary to be able to view and extrapolate the images contained in the Micro SD [...]";

- “The service did not start at the same time as the installation of the cameras because, as reported by the head of the ecology sector, there was no regulation and no person responsible for data processing. After the appointment of PG we started with the viewing service. The images were recorded on optical media and delivered [...] to the PG officer [...]".

While taking into account the circumstances described above in which the company operated, it emerged from the documents that starting from the date on which the company took charge of the management of the video devices in question (XX), until the expiry of the assignment (XX ), the processing of the personal data of the interested parties took place without the role of the company, as data controller, having been appropriately defined in compliance with the provisions of the art. 28 of the Regulation (i.e., for the period prior to 25 May 2018, pursuant to art. 29 of Legislative Decree no. 196 of 30 June 2003, "Code regarding the protection of personal data" - hereinafter, the “Code” -, in the text prior to the amendments referred to in Legislative Decree no. 101/2018 and in force in the month of August 2017).

Therefore, since the company and the Municipality have not stipulated an agreement for the definition of the role assumed for the purposes of processing personal data during this period and since the company has not identified other conditions that could legitimize the processing of the data in question, the The Office, with note dated XX (prot. n. XX), on the basis of the elements acquired, notified the company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, concerning the alleged violations of the articles. 5, par. 1, letter. a), and 6 of the Regulation (in conjunction with art. 2 ter of the Code), for having implemented personal data processing in a manner that does not comply with the principle of "lawfulness, correctness and transparency" and in the absence of a suitable regulatory basis.

With the same note, the company was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the l 24 November 1981, n. 689).

In this regard, it is noted that no defensive writings have been received from the company.

3. Outcome of the preliminary investigation

Pursuant to the regulations on the protection of personal data, the processing of personal data carried out by public entities (such as the Municipality of Modica) is lawful only if necessary "to fulfill a legal obligation to which the data controller is subject" or " for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" [art. 6, par. 1, letter. c) and e)]. The management of urban solid waste is one of the institutional activities entrusted to local authorities.

Even in the presence of a lawful condition, in any case, the data controller is required to respect the principles regarding data protection (art. 5 of the Regulation).

3.1 The processing carried out by the company

Pursuant to art. 28 of the Regulation, the owner (as mentioned by the Municipality of Modica) can also entrust processing to third parties who present sufficient guarantees on the implementation of technical and organizational measures suitable to guarantee that the processing complies with the regulations regarding the protection of data. personal data (“data controllers”).

The relationship between the owner and the manager is regulated by a contract or other legal act, stipulated in writing which, in addition to mutually binding the two figures, allows the owner to give instructions to the manager and provides, in detail, what the subject matter is regulated, the duration, nature and purposes of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the owner. The Data Controller is, therefore, entitled to process the data of interested parties "only upon documented instructions from the owner" (art. 28, par. 1 and 3 of the Regulation).

These principles were also applied with regard to the legal framework prior to the Regulation, as specified by the Court of Cassation (see Cassation, Section I Civ., order no. 21234 of 23 July 2021, even in relation to the processing of personal data in a different context). In confirming a provision of the Guarantor, the Court, for the aspects that are relevant in the present case, specified that "the agreement between the "owner" and the "manager" is legislatively foreseen and is not intended only to regulate the relationships inter partes, with purely internal value, from the point of view of possible contractual breach [...], because the regulation therein dictated by the "owner", regarding the purposes and methods of the processing, becomes a necessary element for the qualification of "responsible "in the specific case".

As emerged during the investigation, the processing of the data in question, carried out by the company on behalf of the Municipality, was started without the role being regulated pursuant to art. 28 of the Regulation, as the act of appointment of the company as "auxiliary of PG" does not satisfy the characteristics of the legal act aimed at regulating the relationship between the owner and the manager, not containing the elements provided for by the art. 28 of the Regulation, for profiles concerning the processing of personal data.

Since it was not identified as the data controller and the company did not indicate specific conditions that legitimized the processing of personal data, it must be concluded that the same processing was carried out in the absence of the conditions of lawfulness and therefore in violation of the articles . 5, par. 1, letter. a) and 6 of the Regulation (in conjunction with art. 2 ter of the Code), as previously clarified by the Guarantor with regard to similar cases (see provision no. 161 of 17 September 2020, web doc. 9461321 ; provision no. 281 of 17 December 2020, web doc. 9525315; provision no. 292 of 22 July 2021, web doc. 9698558; provision no. 269 of 21 July 2022, web doc. 9813326; provision no. 293 of the 22 July 2021, web doc. 9698597; provision no. 269 of 21 July 2022, web doc. 9813326; provision no. 293 of 22 July 2021, web doc. 9698597; Guidelines "on the concepts of owner and manager of processing in the GDPR" no. 07/2020, in particular note 35).

4. Conclusions

In light of the assessments mentioned above, it is noted that the declarations made by the company during the investigation are the veracity of which one may be called upon to respond to pursuant to art. 168 of the Code ˗ although worthy of consideration, do not allow us to overcome the findings notified by the Office with the act of initiating the proceedings and are insufficient to allow the dismissal of the present proceedings, as, moreover, none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.

From the checks carried out on the basis of the elements acquired, also through the documentation sent, as well as from subsequent assessments, the non-compliance of the treatments carried out by the company on behalf of the Municipality of Modica concerning the management of the video surveillance system was ascertained.

Although the processing was undertaken by the company in the period prior to the entry into force of the Regulation for the purposes of identifying the applicable legislation, from a temporal point of view, it must be kept in mind that, based on the principle of legality referred to in art. 1, paragraph 2, of the law. n. 689/1981, “Laws that provide for administrative sanctions apply only in the cases and times considered therein”. From this follows the need to take into consideration the provisions in force at the time of the violation; in the case in question, given the permanent nature of the contested offence, this moment must be identified at the time of the cessation of the illicit conduct, determined in the XX and therefore in full force of the provisions of the Regulation and of the Code (as amended by the Legislative Decree 101/2018).

The preliminary assessments of the Office are therefore confirmed and the illegality of the processing of personal data carried out by the company is noted, as it took place in the absence of a condition of lawfulness and, therefore, in a manner that does not comply with the principle of "lawfulness, correctness and transparency”, in violation of the art. 5, par. 1, letter. a) of the Regulation and of the art. 6 of the Regulation (in conjunction with art. 2-ter of the Code).

Violation of the aforementioned provisions makes the administrative sanction applicable pursuant to the articles. 58, par. 2, lit. i), and 83, pars. 4 and 5 of the Regulation itself, as also referred to in the art. 166, paragraph 3, of the Code.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles. 58, par. 2, lit. i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, in this case the violation of the aforementioned provisions is subject to the application of the same pecuniary administrative sanction provided for by the art. 83, par. 5, of the Regulation.
The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in amount, taking due account of the elements provided for by the art. 83, par. 2, of the Regulation.

For the purposes of applying the sanction, it was considered that the processing concerned the data of potentially all residents of the Municipality of Modica (approximately 53,000 interested) and non-residents (the extent of which cannot be quantified), in violation of the principle of “lawfulness, correctness and transparency” referred to in art. 5, par. 1 letter a) of the Regulation and in the absence of a condition of lawfulness in violation of the art. 6 of the Regulation (in conjunction with art. 2 ter of the Code).

On the other hand, the non-intentional behavior of the violation is considered as well as the absence of previous violations against the company.

Due to the aforementioned elements, evaluated as a whole, it is deemed necessary to determine pursuant to art. 83, par. 2 and 3 of the Regulation the amount of the pecuniary sanction, provided for by the art. 83, par. 5, letter. a) of the Regulation, in the amount of 10,000 euros for the violation of the articles. 5 and 6 of the Regulation (in conjunction with art. 2 ter of the Code) as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same Regulation.

It is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.

Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019.

ALL THIS CONSIDERING THE GUARANTOR

pursuant to art. 57, par. 1, letter. a) and f) of the Regulation, notes the illegality of the processing carried out by Cat s.r.l. for the violation of the articles. 5 and 6 of the Regulation, in conjunction with art. 2 ter of the Code, in the terms set out in the justification

ORDER

Alla Cat s.r.l., with registered office in Ragusa, via dott. Corrado di Quattro – 97100 – VAT number 01406720886 - to pay the sum of 10,000 euros as a pecuniary administrative sanction for the violations referred to in the motivation; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

At Cat s.r.l. to pay the sum of 10,000 euros - in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the annex, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law. n. 689/1981;

HAS

the publication of this provision on the Guarantor's website, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019;

the annotation of this provision in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u), of the Regulation, of violations and measures adopted in compliance with the art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 18 July 2023

PRESIDENT
Stantion

THE SPEAKER
Ghiglia

THE GENERAL SECRETARY
Mattei

[doc. web no. 9920664]

Provision of 18 July 2023

Register of measures
n. 314 of 18 July 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196, “Personal data protection code”, as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the Regulation (hereinafter "Code");

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette. n. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation in the documents;

GIVEN the observations of the Office formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

SPEAKER Dr. Agostino Ghiglia;

1. Introduction

With a report submitted to the Authority, a citizen of the Municipality of Modica (hereinafter, the Municipality) complained about the violation of the regulations regarding the protection of personal data which occurred through the video surveillance system placed near the bins used for waste collection . From the preliminary information collected, it emerged that the Municipality has appointed Cat s.r.l. (hereinafter, the company), the supply, management and maintenance of the aforementioned video devices.

2. The preliminary investigation activity

In response to a request for information from the Authority (prot. n. XX of the XX), the Municipality, with note prot. n. XX of the XX, declared, in particular, that "in order to combat the widespread phenomenon of waste abandonment and the incorrect disposal of solid urban waste, with its own decisions [...] it has entrusted the task [to] Cat s.r.l.[... ], for the purchase, installation and maintenance of fixed cameras, and collection and analysis of videos relating to environmental violations, both administrative and criminal" and to have "appointed the company as auxiliaries of the Judicial Police" for the collection, analysis and delivery of the aforementioned films [...]".

In response to a further request for information from the Authority (prot. note XX of the XX), the Municipality, with note prot. n. XX of the XX, declared in particular that:

- "Cat srl" in the context of video surveillance activities, played the role of auxiliary of the judicial police [...] appointed by the local police command of this municipality. The company "Cat srl" had the task as per the agreement of carrying out an initial analysis and selection of the videos in which a violation or crime was highlighted. The stipulated agreement is the report of appointment by the local Police Command [... of the XX]";

- “Cat srl” has […] started to provide its services to this Municipality for the purposes of managing video surveillance to combat the illicit/uncontrolled abandonment of waste and the disfigurement of the territory [… on] XX”.

On this point, in response to a request for information from the Authority (prot. note XX of XX), the company (PEC of XX declared:

- “For the first period, after the installation of the cameras (attached determination) (used to combat the abandonment of waste, our company only had the mandate to [...] Move the cameras to the sites indicated by the ecology service manager […] Collection and physical replacement of the memories which were then delivered by the person in charge indicated to me by the ecology service of the municipal police”;

- "In the following period, given the lack of staff, our employee was appointed as PG auxiliary to be able to view and extrapolate the images contained in the Micro SD [...]";

- “The service did not start at the same time as the installation of the cameras because, as reported by the head of the ecology sector, there was no regulation and no person responsible for data processing. After the appointment of PG we started with the viewing service. The images were recorded on optical media and delivered [...] to the PG officer [...]".

While taking into account the circumstances described above in which the company operated, it emerged from the documents that starting from the date on which the company took charge of the management of the video devices in question (XX), until the expiry of the assignment (XX ), the processing of the personal data of the interested parties took place without the role of the company, as data controller, having been appropriately defined in compliance with the provisions of the art. 28 of the Regulation (i.e., for the period prior to 25 May 2018, pursuant to art. 29 of Legislative Decree no. 196 of 30 June 2003, "Code regarding the protection of personal data" - hereinafter, the “Code” -, in the text prior to the amendments referred to in Legislative Decree no. 101/2018 and in force in the month of August 2017).

Therefore, since the company and the Municipality have not stipulated an agreement for the definition of the role assumed for the purposes of processing personal data during this period and since the company has not identified other conditions that could legitimize the processing of the data in question, the The Office, with note dated XX (prot. n. XX), on the basis of the elements acquired, notified the company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, concerning the alleged violations of the articles. 5, par. 1, letter. a), and 6 of the Regulation (in conjunction with art. 2 ter of the Code), for having implemented personal data processing in a manner that does not comply with the principle of "lawfulness, correctness and transparency" and in the absence of a suitable regulatory basis.

With the same note, the company was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the l 24 November 1981, n. 689).

In this regard, it is noted that no defensive writings have been received from the company.

3. Outcome of the preliminary investigation

Pursuant to the regulations on the protection of personal data, the processing of personal data carried out by public entities (such as the Municipality of Modica) is lawful only if necessary "to fulfill a legal obligation to which the data controller is subject" or " for the execution of a task of public interest or connected to the exercise of public powers vested in the data controller" [art. 6, par. 1, letter. c) and e)]. The management of urban solid waste is one of the institutional activities entrusted to local authorities.

Even in the presence of a lawful condition, in any case, the data controller is required to respect the principles regarding data protection (art. 5 of the Regulation).

3.1 The processing carried out by the company

Pursuant to art. 28 of the Regulation, the owner (as mentioned by the Municipality of Modica) can also entrust processing to third parties who present sufficient guarantees on the implementation of technical and organizational measures suitable to guarantee that the processing complies with the regulations regarding the protection of data. personal data (“data controllers”).

The relationship between the owner and the manager is regulated by a contract or other legal act, stipulated in writing which, in addition to mutually binding the two figures, allows the owner to give instructions to the manager and provides, in detail, what the subject matter is regulated, the duration, nature and purposes of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the owner. The Data Controller is, therefore, entitled to process the data of interested parties "only upon documented instructions from the owner" (art. 28, par. 1 and 3 of the Regulation).

These principles were also applied with regard to the legal framework prior to the Regulation, as specified by the Court of Cassation (see Cassation, Section I Civ., order no. 21234 of 23 July 2021, even in relation to the processing of personal data in a different context). In confirming a provision of the Guarantor, the Court, for the aspects that are relevant in the present case, specified that "the agreement between the "owner" and the "manager" is legislatively foreseen and is not intended only to regulate the relationships inter partes, with purely internal value, from the point of view of possible contractual breach [...], because the regulation therein dictated by the "owner", regarding the purposes and methods of the processing, becomes a necessary element for the qualification of "responsible "in the specific case".

As emerged during the investigation, the processing of the data in question, carried out by the company on behalf of the Municipality, was started without the role being regulated pursuant to art. 28 of the Regulation, as the act of appointment of the company as "auxiliary of PG" does not satisfy the characteristics of the legal act aimed at regulating the relationship between the owner and the manager, not containing the elements provided for by the art. 28 of the Regulation, for profiles concerning the processing of personal data.

Since it was not identified as the data controller and the company did not indicate specific conditions that legitimized the processing of personal data, it must be concluded that the same processing was carried out in the absence of the conditions of lawfulness and therefore in violation of the articles . 5, par. 1, letter. a) and 6 of the Regulation (in conjunction with art. 2 ter of the Code), as previously clarified by the Guarantor with regard to similar cases (see provision no. 161 of 17 September 2020, web doc. 9461321 ; provision no. 281 of 17 December 2020, web doc. 9525315; provision no. 292 of 22 July 2021, web doc. 9698558; provision no. 269 of 21 July 2022, web doc. 9813326; provision no. 293 of the 22 July 2021, web doc. 9698597; provision no. 269 of 21 July 2022, web doc. 9813326; provision no. 293 of 22 July 2021, web doc. 9698597; Guidelines "on the concepts of owner and manager of processing in the GDPR" no. 07/2020, in particular note 35).

4. Conclusions

In light of the assessments mentioned above, it is noted that the declarations made by the company during the investigation are the veracity of which one may be called upon to respond to pursuant to art. 168 of the Code ˗ although worthy of consideration, do not allow us to overcome the findings notified by the Office with the act of initiating the proceedings and are insufficient to allow the dismissal of the present proceedings, as, moreover, none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.

From the checks carried out on the basis of the elements acquired, also through the documentation sent, as well as from subsequent assessments, the non-compliance of the treatments carried out by the company on behalf of the Municipality of Modica concerning the management of the video surveillance system was ascertained.

Although the processing was undertaken by the company in the period prior to the entry into force of the Regulation for the purposes of identifying the applicable legislation, from a temporal point of view, it must be kept in mind that, based on the principle of legality referred to in art. 1, paragraph 2, of the law. n. 689/1981, “Laws that provide for administrative sanctions apply only in the cases and times considered therein”. From this follows the need to take into consideration the provisions in force at the time of the violation; in the case in question, given the permanent nature of the contested offence, this moment must be identified at the time of the cessation of the illicit conduct, determined in the XX and therefore in full force of the provisions of the Regulation and of the Code (as amended by the Legislative Decree 101/2018).

The preliminary assessments of the Office are therefore confirmed and the illegality of the processing of personal data carried out by the company is noted, as it took place in the absence of a condition of lawfulness and, therefore, in a manner that does not comply with the principle of "lawfulness, correctness and transparency”, in violation of the art. 5, par. 1, letter. a) of the Regulation and of the art. 6 of the Regulation (in conjunction with art. 2-ter of the Code).

Violation of the aforementioned provisions makes the administrative sanction applicable pursuant to the articles. 58, par. 2, lit. i), and 83, pars. 4 and 5 of the Regulation itself, as also referred to in the art. 166, paragraph 3, of the Code.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles. 58, par. 2, lit. i), and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this regard, in this case the violation of the aforementioned provisions is subject to the application of the same pecuniary administrative sanction provided for by the art. 83, par. 5, of the Regulation.
The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in amount, taking due account of the elements provided for by the art. 83, par. 2, of the Regulation.

For the purposes of applying the sanction, it was considered that the processing concerned the data of potentially all residents of the Municipality of Modica (approximately 53,000 interested) and non-residents (the extent of which cannot be quantified), in violation of the principle of “lawfulness, correctness and transparency” referred to in art. 5, par. 1 letter a) of the Regulation and in the absence of a condition of lawfulness in violation of the art. 6 of the Regulation (in conjunction with art. 2 ter of the Code).

On the other hand, the non-intentional behavior of the violation is considered as well as the absence of previous violations against the company.

Due to the aforementioned elements, evaluated as a whole, it is deemed necessary to determine pursuant to art. 83, par. 2 and 3 of the Regulation the amount of the pecuniary sanction, provided for by the art. 83, par. 5, letter. a) of the Regulation, in the amount of 10,000 euros for the violation of the articles. 5 and 6 of the Regulation (in conjunction with art. 2 ter of the Code) as a pecuniary administrative sanction deemed effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same Regulation.

It is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.

Finally, it is believed that the conditions set out in art. 17 of Regulation no. 1/2019.

ALL THIS CONSIDERING THE GUARANTOR

pursuant to art. 57, par. 1, letter. a) and f) of the Regulation, notes the illegality of the processing carried out by Cat s.r.l. for the violation of the articles. 5 and 6 of the Regulation, in conjunction with art. 2 ter of the Code, in the terms set out in the justification

ORDER

Alla Cat s.r.l., with registered office in Ragusa, via dott. Corrado di Quattro – 97100 – VAT number 01406720886 - to pay the sum of 10,000 euros as a pecuniary administrative sanction for the violations referred to in the motivation; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

At Cat s.r.l. to pay the sum of 10,000 euros - in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the annex, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law. n. 689/1981;

HAS

the publication of this provision on the Guarantor's website, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019;

the annotation of this provision in the internal register of the Authority, provided for by the art. 57, par. 1, letter. u), of the Regulation, of violations and measures adopted in compliance with the art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 18 July 2023

PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE GENERAL SECRETARY
Mattei