Garante per la protezione dei dati personali (Italy) - 9973749

Garante per la protezione dei dati personali - 9973749
Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 4(1) GDPR Article 4(2) GDPR Article 5(1)(c) GDPR Article 6(1)(c) GDPR Article 6(1)(f) GDPR Article 58(2)(i) GDPR Article 83 GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	16.11.2023
Published:
Fine:	500.00 EUR
Parties:	n/a
National Case Number/Name:	9973749
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Italian
Original Source:	Garante per la protezione dei dati personali (Italy) (in IT)
Initial Contributor:	Giulia Fantoni

The DPA fined a lawyer €500 for unlawfully processing a data subject's personal data by sending a letter regarding his divorce to the data subject’s company email address, accessible by all employees.

English Summary

Facts

A data subject filed a complaint alleging the unlawful processing of his personal data by a lawyer (the controller), citing an incident that occurred in 2018 when sensitive judicial documents were sent to his company's email address, accessible by employees and his brother (who was also his partner). The latter was the one opening the email addressed to the data subject. The data subject claimed that his brother was, at the time, unaware of his ongoing divorce proceedings, but the email exposed his personal information on the matter.

The controller defended their action stating the email was sent as part of a legal procedure initiated by his client, the data subject's former spouse, to secure funds from the sale of their marital home. The controller argued that the notification was a procedural necessity to prevent account blockage.

The Italian DPA found the justifications set forth by the controller insufficient and initiated proceedings for potential GDPR violations to evaluate the possibility of applying a penalty as per Article 58(2) GDPR and Article 83 GDPR.

In response, the controller emphasised the confidentiality of the communication, which was specifically directed to the data subject, the limited accessibility of the email within the company, and the necessity of the email to protect their client's vital interests. Additionally, they argued that no tangible harm occurred to the data subject nor did the data subject demonstrate it.

Holding

The Italian DPA first held that the disclosure of information regarding the data subject involved the processing of his personal data, as defined in Articles 4(1) and (2) GDPR.

Additionally, the DPA stated that the controller transmitted personal data to the company's email address without a suitable legal basis, thereby contravening Article 6 GDPR and the principle of data minimization outlined in Article 5(1)(c) GDPR. The alleged justifications under Article 6(1)(c) GDPR and Article 6(1)(f) GDPR regarding legal obligations and vital interests, as claimed during the investigation by the controller, were found by the DPA to lack substantiation.

Consequently, pursuant to Article 58(2)(i) GDPR and Article 83 GDPR, the DPA fined the controller €500.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9973749]

Provision of 16 November 2023

Register of measures
n. 528 of 16 November 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, the lawyer. Guido Scorza and Dr. Agostino Ghiglia, members and Dr. Claudio Filippi, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/ EC (General Data Protection Regulation, hereinafter: “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, referred to in Legislative Decree 30 June 2003, n.196 and subsequent amendments. (hereinafter: “Code”);

HAVING REGARD to regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data (hereinafter: "Regulation 1/2019);

HAVING EXAMINED the complaint presented by Mr. XX relating to an alleged illicit processing of personal data relating to him, carried out by the lawyer. XX;

Examine the information provided by the parties;

Having seen the remaining documentation in the documents;

Having seen the observations of the Office, formulated by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data;

Speaker Dr. Agostino Ghiglia;

1. The story and the investigation activity of the Guarantor

Mr. XX presented to this Authority a complaint relating to an allegedly unlawful processing of his personal data by the lawyer. XX. In particular, Mr. XX reported that "on 5/12/2018, emails with sensitive judicial documents were sent to the company certified mail of which I am a member together with my brother (...), which can also be accessed by employees. In this case, the certified email was received by my brother (...) who forwarded it to me but who was not aware of the latest developments in my private matter relating to the aftermath of the divorce from my ex-spouse.".

The Authority invited the lawyer. XX to provide any useful information regarding what is stated in the complaint, asking to provide, in particular, a copy of the email in question and any other deductions deemed useful for the purposes of evaluating the complaint.

The lawyer XX provided the requested feedback, sending a copy of the certified e-mail with which it was notified, pursuant to law no. 53 of 1994, to the certified company email address a judicial document to the complainant - and declaring, as far as is relevant here, that: "the sending of the certified e-mail (...) took place as part of a proceeding pursuant to art. 702 cpc bis with request for the issuance of seizure promoted by (...) my client and former spouse of the XX to obtain the balance of the amount due to her following the sale of the marital home (...) as agreed by the spouses on the occasion of the separation .” (…) After out-of-court requests for half of the proceeds (…) the undersigned took the action mentioned above. With a provision dated 3 December 2018, the Court of Genoa granted the seizure without hearing of the other party (...)  The communication to Mr. XX was made for reasons of procedural economy and costs and also to avoid (while waiting for the notification to be completed via a bailiff) the account to be blocked without his knowledge. Finally, it must be considered that the address of Mr. XX is at his mother's house (...)  where he lives with his son who in the past, when he happened to execute notifications through a Bailiff, had to receive them (...). All the above reasons led the undersigned lawyer to carry out the notification via certified e-mail. (…) If you then look at the header of the certified e-mail, it is clear that the communication was addressed to the attention of Mr. XX. Therefore a confidential communication which, if applicable, was illicitly processed by whoever opened the PEC itself. Without considering that, in any case, XX did not provide proof that it was other third parties before him who opened the PEC." In conclusion, the lawyer considered that there had been no illicit treatment.

Since the justifications provided did not appear to legitimize his conduct, the Authority communicated to the lawyer. XX as data controller and to Mr. XX, as interested party complaining, the initiation of the procedure for the possible adoption - pursuant to articles 77 ss. of the Regulation - the measures referred to in articles 58, paragraph 2 and 83 of the Regulation itself, in article 166 of the Code and in articles 12 ff. of regulation 1/2019 of the Guarantor, for the presumed violation of articles 5 and 6 of the Regulation.

The lawyer XX sent defensive notes, confirming what was previously noted and maintaining that: "it certainly cannot be refuted that the sending took place and that it took place to the certified email address of Mr.'s company. XX. What, however, the undersigned lawyer wishes to draw the attention of the Guarantor to once again is: a) the manner in which the data was processed [with regard to the wording «To the attention of Mr. XX" present in the certified e-mail in question]; b) the subjects who could access the certified e-mail; c) the occurrence of some of the conditions listed in the art. 6 par. 1 GDPR; d) the lack of proof on the part of Mr. XX, of having suffered an injury from data processing".

In particular, regarding the manner in which the communication in question took place, the lawyer represented that: "in any case, what appeared to the employees was the screen with the aforementioned wording and five files which, although named, did not allow them to understand without a shadow the contents were doubtful, unless they were opened. (…) it was personal because it was brought to the attention of Mr. XX but the contents were difficult to identify". As for the subjects who could access, the lawyer produced the company certificate to which the certified e-mail in question was sent, which showed that the company had two employees and four shareholders (Mr. XX, his brother, his father and the mother) and that "Therefore, with the exception of the employees (...) those who normally have knowledge of Mr.'s personal affairs had access to the company certified email. XX". On the alleged recurrence of some of the conditions of lawfulness of the processing pursuant to art. 6 of the Regulation, the party claims that the lawyer the processing would be legitimized by the need to safeguard the interests of the client in the aforementioned judgment, therefore these are "aspects that are relevant for the purposes of the application of the letters. b), c) and f)". Furthermore, he stated that "the rush meant that the undersigned lawyer sent the certified email to the wrong address. But he did this in fulfillment of a procedural obligation, namely to notify the kidnapped person of the seizure. (...) This was also done to safeguard the economic interests and in general to pursue the legitimate interest of the [client], which had become "vital" when opposed to the privacy interest of Mr. XX". Finally, the lawyer represented that no damage would have been caused to Mr.'s personal and financial sphere. XX, asking to be heard personally.

On 4 May 2023, the party's hearing took place electronically, during which it represented that Mr. XX would never have presented any request for compensation in relation to the processing of personal data in question, ultimately requesting the dismissal of the administrative proceedings and, in the alternative, without recognizing the validity of Mr.'s objections. XX, the application of a sanction as small as possible.

2. Applicable legislation and outcome of the preliminary investigation.

Pursuant to art. 4, paragraph 1, n. 1), of the Regulation, "any information relating to an identified or identifiable natural person" constitutes personal data. Pursuant to number 2) of the same article, processing constitutes "any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation , cancellation or destruction".
Therefore, the communication of information relating to the complainant constitutes processing of personal data.

From the documents of the preliminary investigation and from those subsequently acquired following this proceeding, it is confirmed that the lawyer. XX has transmitted personal data relating to the interested party (the complainant) to the certified email address of the company, of which the complainant is a shareholder, in the absence of a suitable legal basis (art. 6 of the Regulation) and of the principle of "data minimization » (art. 5, par. 1, letter c) GDPR).

Lawyer XX's defense is based on the preliminary assumption that the personality of the data in question had faded, as "it was personal because it was brought to the attention of Mr. XX but the content was difficult to identify" (see defense briefs cited). In this regard, however, it has been ascertained that "personal" data relating to the complainant was processed by the lawyer, who recognized and documented the communication to the company mailbox, also accessible by subjects other than the complainant, of judicial documents to he related. The object of the certified e-mail in question (called: "notification pursuant to law 53/1994") was, moreover, associated with the text of the same, containing the name of the interested party (with the wording: "for the attention of Mr. XX").

With regard to the alleged occurrence of the conditions referred to in the art. 6, par. 1 letter c) and f), of the Regulation, the party has not provided any evidence regarding the existence of the need to fulfill a legal obligation in relation to the procedural obligation to notify the seizure to the interested party, rather demonstrating the contrary and representing, in the course of the investigation, who knew the address of Mr. XX, where in the past he had had the opportunity to "carry out notifications via a bailiff" and that the judicial document "could have been served the following day at the residence and/or domicile of Mr. XX” (see response and defense briefs cited).

Furthermore, the need for the treatment to safeguard the vital (albeit financial) interests of the lawyer's client has not been demonstrated, taking into account that, as reported during the preliminary investigation, once ordered by the Court, the unheard party the seizure on the complainant's bank account, the lawyer immediately notified the seizing company to protect the interests of her client, therefore there was no need or urgency to proceed as was considered.

Finally, the lack of proof on the part of Mr. XX of having suffered an injury from the processing of data nor the circumstance that he never presented, as represented by the lawyer. XX during the hearing, no request for compensation. In fact, it does not constitute in any way a condition of prosecution with respect to the exercise of the Authority's corrective and sanctioning powers, nor a typical element of the contested administrative offenses.

3. Conclusions.

On the basis of the above, taking into account the declarations made by the data controller during the investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor" ˗ the elements provided by the data controller in the defense briefs and in the hearing do not allow the findings notified by the Office to be overcome with the act of initiating the procedure, since none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.

For these reasons, we note the illicit nature of the processing of personal data underlying the contested communication, carried out by the lawyer. XX in violation of articles. 5, par. 1, letter. c) and 6 of the Regulation.

Considering that the conduct has exhausted its effects, the conditions for the adoption of the corrective measures referred to in the art. 58, par. 2, of the Regulation.

4. Adoption of the injunction order for the application of the administrative sanction

pecuniary (articles 58, par. 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).
The ascertained offense is subject to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation.

Consider that the Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

The intra-law commensuration of the sanction to be imposed, depending on the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness (art. 83, paragraph 1, of the Regulation), on the basis of the criteria referred to in the paragraph 2 of the same article, in relation to which it is noted that:

- the Authority became aware of the event following a complaint by the interested party (art. 83, par. 2, letter h) of the Regulation);

- the data processing carried out by the lawyer concerned judicial documents relating to the interested party (art. 83, par. 2, letter g) of the Regulation);

- from the point of view of the subjective element, no intentional attitude emerges on the part of the data controller (art. 83, par. 2, letter b) of the Regulation);

- the party has demonstrated a good degree of cooperation with the Authority (art. 83, par. 2, letter f) of the Regulation);

- there are no previous measures issued by the Guarantor for relevant violations against the party (art. 83, par. 2, letter e) of the Regulation);

- the number of people entitled to access the certified company email inbox was small (art. 83, par. 2, letter k) of the Regulation).

Based on the aforementioned elements, evaluated as a whole, it is considered necessary to determine the amount of the pecuniary sanction provided for by the art. 83, par. 5 of the Regulation, in the amount of 500.00 (five hundred) euros for the proven offence, as a pecuniary administrative sanction deemed to be, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the lawyer. XX for the violation of articles 5, p.1, letter c) and 6 of the Regulation.

ORDER

pursuant to the articles 58, par. 2, letter. i) and 83 of the RGDP to the lawyer. XX to pay the sum of 500.00 (five hundred) euros as a pecuniary administrative sanction for the offenses indicated in this provision, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days of notification of this document, an amount equal to half of the fine imposed.

ORDERS

to the lawyer XX, in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of euro 500.00 (five hundred) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.

Pursuant to article 78 of the Regulation, articles 152 of the Code and 10 of Legislative Decree no. 150 of 2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 16 November 2023

PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE DEPUTY SECRETARY GENERAL
Philippi

[doc. web no. 9973749]

Provision of 16 November 2023

Register of measures
n. 528 of 16 November 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, the lawyer. Guido Scorza and Dr. Agostino Ghiglia, members and Dr. Claudio Filippi, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/ EC (General Data Protection Regulation, hereinafter: “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, referred to in Legislative Decree 30 June 2003, n.196 and subsequent amendments. (hereinafter: “Code”);

HAVING REGARD to regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data (hereinafter: "Regulation 1/2019);

HAVING EXAMINED the complaint presented by Mr. XX relating to an alleged illicit processing of personal data relating to him, carried out by the lawyer. XX;

Examine the information provided by the parties;

Having seen the remaining documentation in the documents;

Having seen the observations of the Office, formulated by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data;

Speaker Dr. Agostino Ghiglia;

1. The story and the investigation activity of the Guarantor

Mr. XX presented to this Authority a complaint relating to an allegedly unlawful processing of his personal data by the lawyer. XX. In particular, Mr. XX reported that "on 5/12/2018, emails with sensitive judicial documents were sent to the company certified mail of which I am a member together with my brother (...), which can also be accessed by employees. In this case, the certified email was received by my brother (...) who forwarded it to me but who was not aware of the latest developments in my private matter relating to the aftermath of the divorce from my ex-spouse.".

The Authority invited the lawyer. XX to provide any useful information regarding what is stated in the complaint, asking to provide, in particular, a copy of the email in question and any other deductions deemed useful for the purposes of evaluating the complaint.

The lawyer XX provided the requested feedback, sending a copy of the certified e-mail with which it was notified, pursuant to law no. 53 of 1994, to the certified company email address a judicial document to the complainant - and declaring, as far as is relevant here, that: "the sending of the certified e-mail (...) took place as part of a proceeding pursuant to art. 702 cpc bis with request for the issuance of seizure promoted by (...) my client and former spouse of the XX to obtain the balance of the amount due to her following the sale of the marital home (...) as agreed by the spouses on the occasion of the separation .” (…) After out-of-court requests for half of the proceeds (…) the undersigned took the action mentioned above. With a provision dated 3 December 2018, the Court of Genoa granted the seizure without hearing of the other party (...)  The communication to Mr. XX was made for reasons of procedural economy and costs and also to avoid (while waiting for the notification to be completed via a bailiff) the account to be blocked without his knowledge. Finally, it must be considered that the address of Mr. XX is at his mother's house (...)  where he lives with his son who in the past, when he happened to execute notifications through a Bailiff, had to receive them (...). All the above reasons led the undersigned lawyer to carry out the notification via certified e-mail. (…) If you then look at the header of the certified e-mail, it is clear that the communication was addressed to the attention of Mr. XX. Therefore a confidential communication which, if applicable, was illicitly processed by whoever opened the PEC itself. Without considering that, in any case, XX did not provide proof that it was other third parties before him who opened the PEC." In conclusion, the lawyer considered that there had been no illicit treatment.

Since the justifications provided did not appear to legitimize his conduct, the Authority communicated to the lawyer. XX as data controller and to Mr. XX, as interested party complaining, the initiation of the procedure for the possible adoption - pursuant to articles 77 ss. of the Regulation - of the measures referred to in articles 58, paragraph 2 and 83 of the Regulation itself, in article 166 of the Code and in articles 12 ff. of regulation 1/2019 of the Guarantor, for the presumed violation of articles 5 and 6 of the Regulation.

The lawyer XX sent defensive notes, confirming what was previously noted and maintaining that: "it certainly cannot be refuted that the sending took place and that it took place to the certified email address of Mr.'s company. XX. What, however, the undersigned lawyer wishes to draw the attention of the Guarantor to once again is: a) the manner in which the data was processed [with regard to the wording «To the attention of Mr. XX" present in the certified e-mail in question]; b) the subjects who could access the certified e-mail; c) the occurrence of some of the conditions listed in the art. 6 par. 1 GDPR; d) the lack of proof on the part of Mr. XX, of having suffered an injury from data processing".

In particular, regarding the manner in which the communication in question took place, the lawyer represented that: "in any case, what appeared to the employees was the screen with the aforementioned wording and five files which, although named, did not allow them to understand without a shadow the contents were doubtful, unless they were opened. (…) it was personal because it was brought to the attention of Mr. XX but the contents were difficult to identify." As for the subjects who could access, the lawyer produced the company certificate to which the certified e-mail in question was sent, which showed that the company had two employees and four shareholders (Mr. XX, his brother, his father and the mother) and that "Therefore, with the exception of the employees (...) those who normally have knowledge of Mr.'s personal affairs had access to the company certified email. XX". On the alleged recurrence of some of the conditions of lawfulness of the processing pursuant to art. 6 of the Regulation, the party claims that the lawyer the processing would be legitimized by the need to safeguard the client's interests in the aforementioned judgment, therefore these are "aspects that are relevant for the purposes of the application of the letters. b), c) and f)". Furthermore, he stated that "the rush meant that the undersigned lawyer sent the certified email to the wrong address. But he did this in fulfillment of a procedural obligation, namely to notify the kidnapped person of the seizure. (...) This was also done to safeguard the economic interests and in general to pursue the legitimate interest of the [client], which had become "vital" when opposed to the privacy interest of Mr. XX". Finally, the lawyer represented that no damage would have been caused to Mr.'s personal and financial sphere. XX, asking to be heard personally.

On 4 May 2023, the party's hearing took place electronically, during which it represented that Mr. XX would never have presented any request for compensation in relation to the processing of personal data in question, ultimately requesting the dismissal of the administrative proceedings and, in the alternative, without recognizing the validity of Mr.'s objections. XX, the application of a sanction as small as possible.

2. Applicable legislation and outcome of the preliminary investigation.

Pursuant to art. 4, paragraph 1, n. 1), of the Regulation, "any information relating to an identified or identifiable natural person" constitutes personal data. Pursuant to number 2) of the same article, processing constitutes "any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation , cancellation or destruction".
Therefore, the communication of information relating to the complainant constitutes processing of personal data.

From the documents of the preliminary investigation and those subsequently acquired following this proceeding, it is confirmed that the lawyer. XX transmitted personal data relating to the interested party (the complainant) to the certified email address of the company, of which the complainant is a shareholder, in the absence of a suitable legal basis (art. 6 of the Regulation) and of the principle of "data minimization » (art. 5, par. 1, letter c) GDPR).

Lawyer XX's defense is based on the preliminary assumption that the personality of the data in question had faded, as "it was personal because it was brought to the attention of Mr. XX but the content was difficult to identify" (see defense briefs cited). In this regard, however, it has been ascertained that "personal" data relating to the complainant was processed by the lawyer, who recognized and documented the communication to the company mailbox, also accessible by subjects other than the complainant, of judicial documents to he related. The object of the certified e-mail in question (called: "notification pursuant to law 53/1994") was, moreover, associated with the text of the same, containing the name of the interested party (with the wording: "for the attention of Mr. XX").

With regard to the alleged occurrence of the conditions referred to in the art. 6, par. 1 letter c) and f), of the Regulation, the party has not provided any evidence regarding the existence of the need to fulfill a legal obligation in relation to the procedural obligation to notify the seizure to the interested party, rather demonstrating the contrary and representing, in the course of the investigation, who knew the address of Mr. XX, where in the past he had had the opportunity to "carry out notifications via a bailiff" and that the judicial document "could have been served the following day at the residence and/or domicile of Mr. XX” (see response and defense briefs cited).

Furthermore, the need for the treatment to safeguard the vital (albeit financial) interests of the lawyer's client has not been demonstrated, taking into account that, as reported during the preliminary investigation, once ordered by the Court, an unheard alternative party the seizure on the complainant's bank account, the lawyer immediately notified the seizing company to protect the interests of her client, therefore there was no need or urgency to proceed as was considered.

Finally, the lack of proof on the part of Mr. XX of having suffered an injury from the processing of data nor the circumstance that he never presented, as represented by the lawyer. XX during the hearing, no request for compensation. In fact, it does not constitute in any way a condition of prosecution with respect to the exercise of the Authority's corrective and sanctioning powers, nor a typical element of the contested administrative offenses.

3. Conclusions.

On the basis of the above, taking into account the declarations made by the data controller during the investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents and is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor" ˗ the elements provided by the data controller in the defense briefs and in the hearing do not allow the findings notified by the Office to be overcome with the act of initiating the procedure, since none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.

For these reasons, we note the illicit nature of the processing of personal data underlying the contested communication, carried out by the lawyer. XX in violation of articles. 5, par. 1, letter. c) and 6 of the Regulation.

Considering that the conduct has exhausted its effects, the conditions for the adoption of the corrective measures referred to in the art. 58, par. 2, of the Regulation.

4. Adoption of the injunction order for the application of the administrative sanction

pecuniary (articles 58, par. 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).
The ascertained offense is subject to the application of a pecuniary administrative sanction pursuant to art. 83, par. 5, of the Regulation.

Consider that the Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" (art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019).

The intra-law commensuration of the sanction to be imposed, depending on the circumstances of each individual case, must be determined taking into account the principles of effectiveness, proportionality and dissuasiveness (art. 83, paragraph 1, of the Regulation), on the basis of the criteria referred to in the paragraph 2 of the same article, in relation to which it is noted that:

- the Authority became aware of the event following a complaint by the interested party (art. 83, par. 2, letter h) of the Regulation);

- the data processing carried out by the lawyer concerned judicial documents relating to the interested party (art. 83, par. 2, letter g) of the Regulation);

- from the point of view of the subjective element, no intentional attitude emerges on the part of the data controller (art. 83, par. 2, letter b) of the Regulation);

- the party has demonstrated a good degree of cooperation with the Authority (art. 83, par. 2, letter f) of the Regulation);

- there are no previous measures issued by the Guarantor for relevant violations against the party (art. 83, par. 2, letter e) of the Regulation);

- the number of people entitled to access the certified company email inbox was small (art. 83, par. 2, letter k) of the Regulation).

Based on the aforementioned elements, evaluated as a whole, it is considered necessary to determine the amount of the pecuniary sanction provided for by the art. 83, par. 5 of the Regulation, in the amount of 500.00 (five hundred) euros for the proven offence, as a pecuniary administrative sanction deemed to be, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the lawyer. XX for the violation of articles 5, p.1, letter c) and 6 of the Regulation.

ORDER

pursuant to the articles 58, par. 2, letter. i) and 83 of the RGDP to the lawyer. XX to pay the sum of 500.00 (five hundred) euros as a pecuniary administrative sanction for the offenses indicated in this provision, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days of notification of this document, an amount equal to half of the fine imposed.

ORDERS

to the lawyer XX, in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of euro 500.00 (five hundred) according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.

Pursuant to article 78 of the Regulation, articles 152 of the Code and 10 of Legislative Decree no. 150 of 2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 16 November 2023

PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE DEPUTY SECRETARY GENERAL
Philippi