Garante per la protezione dei dati personali (Italy) - 9980617

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 9 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 21.12.2023
Fine: 18,000 EUR
Parties: Azienda Asl N.8 Di Cagliari
National Case Number/Name: 9980617
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: DPA (in IT)
Initial Contributor: im

The DPA fined a health service provider €18,000 for the loss of biological data due to the lack of a complete record of processing operations performed on the tissue samples involved.

English Summary

Facts

A data subject filed a complaint against local health unit no. 8 of Cagliari, the controller, concerning the loss of biological data of a genetic nature contained in the histological slides kept in some medical records and their unlawful destruction. The data controller and the data subject were parties to legal proceedings prior to this decision.

Concerning the loss of data, according to an outsourced company (SISAR) which was responsible for the transfer of the samples from the Pathological Anatomy Department, the samples were correctly delivered to the Medical Records Office. However, more specific information about the recipients at the Medical Records Office was unavailable.

Concerning the destruction of the same samples, the minimum storage period for the biological samples was 10 years, after which an assessment was required to determine whether the samples could be destroyed. In this case, the controller allegedly failed to perform this assessment, as it did not consider the pending legal proceedings in which the samples served as evidence.

The controller argued, based on the Article 29 Working Party Opinion 4/2007 on the concept of personal data, that the incident in question did not involve "personal biometric data". In particular, the controller emphasized that human tissue samples (like a blood sample) are sources out of which biometric data are extracted. As a result, the collection, storage and use of tissue samples were subject to rules other than the GDPR.

Holding

Firstly, the DPA considered that the controller breached the accountability principle under Article 5(2) GDPR by failing to effectively demonstrate its data processing operations, including the deletion or destruction of the samples after the minimum 10-year period. In addition, the controller did not adopt methods to ensure traceability of the processed data throughout all stages of processing and was therefore not in a position to know the identity of the recipients at the Medical Records Office.

Secondly, Article 5(1)(f) GDPR and Article 32 GDPR make it mandatory to ensure the security of data processing by implementing appropriate technical and organisational measures. In this case, the DPA found the controller in violation of these articles because of the loss of stored personal data, which resulted from the failure to take into account the pending legal proceedings that required the samples in question to be present.

Thirdly, regarding the controller’s statement that the human tissue samples are not biometric data, the DPA decided that irrespective of whether or not the slides are classified as biometric data, they can certainly, in the present case, be classified as special categories of personal data under Article 9 GDPR. In fact, the biological materials extracted by the controller included numbers referring to the identity of the natural person to whom they belong. In addition, the samples reveal information concerning the provision of health care services and, thus, they constitute health data as defined in Article 4(15) GDPR.

For the reasons stated above, the DPA found the controller in violation of Article 5 GDPR, Article 9 GDPR and Article 32 GDPR and imposed a fine in the amount of €18,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9980617]

Provision of 21 December 2023

Register of measures
n. 601 of 21 December 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING REGARD TO Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46/EC";

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and on www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation on file;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker Dr. Agostino Ghiglia;

PREMISE

1. The request and the preliminary investigation activity

With note dated XX, Mrs. XX formulated a complaint against the local social and health authority no. 8 of Cagliari complaining about the loss of "biological data, of a genetic nature, contained in the slides and histological inserts present in one's medical record" (...) "as a result of their delivery to subjects not better identified or even identifiable by the Hospital that detained them". This circumstance would have been learned by the complainant only "following the filing of the report of the CTU-Technical Consultant of the Court of Appeal on the XX".

In particular, according to what was stated in the aforementioned complaint, the absence of the slides and histological inserts containing the genetic material of Ms. effect of making her lose the appeal case against ASL8. In this regard, the CTU himself declares that: «It is absolutely essential to remember that the undersigned was not put in a position to have access to the histological preparations which represent an important element in supporting or not the validity of the compensation request»".

Following the complaint, the Authority started an investigation, asking, with note dated XX, the local social and health authority no. 8 of Cagliari useful elements for the evaluation of the case in question. With a note dated XX, the General Director of the aforementioned Company provided feedback by declaring that:

- “from what is reported in the appeal pursuant to art. 77 of EU Regulation 2016/679, the complained-of data breach to the detriment of the interested party appears to have occurred in the XX, probably on the XX (the day on which the material containing the interested party's genetic data would have been delivered to unspecified subjects) at the “Businco” hospital” and recalling the definition of data controller and “what is expressed in the Guidelines 07/2020 Version 2.0 of the EDPB” that “in the case that interests us the legal entity to which the law has attributed the task (purpose) of conservation of the “biological data, of a genetic nature, contained in the slides and histological inserts present within the [...] medical record of the complainant" is to be identified on the basis of the legislative provisions in force at the time";

- “the L.R. n. 23/2014, in force at the time of the reported loss of the complainant's genetic data, containing «urgent rules for the reform of the regional healthcare system», provided for art. 9, paragraph 1 letter. c ["the incorporation into the hospital of national importance "G. Brotzu" of the "Microcitemic" and "Oncological - A. Businco" hospital facilities (the latter where the loss allegedly occurred), currently belonging to ASL n. 8 of Cagliari"]. Therefore, by virtue of the provisions referred to, at the time of the event which is the subject of the complaint (XX) the person to whom the law attributed the task of processing the complainant's personal data was to be identified in the Brotzu Office (...) today Arnas Brotzu”;

- in relation to the procedural matter which is the subject of the complaint, "the undersigned Administration was not and would not have been able to know about the loss of biological data of a genetic nature following the filing of the expert witness report on XX since it is not part of the proceedings pending before the Court of Appeal of Cagliari. In fact, in the aforementioned judgment, from the little information obtainable from the complaint, the now discontinued ASL 8 is involved (which the appellant in fact identifies with C.F. 02261430926) which then merged into the Company for the Protection of Health of Sardinia (ATS SARDEGNA) with L.R. n. 17/2016”;

- “this Company (Local Social Health Company no. 8 of Cagliari – VAT number 03990560926), as required by Regional Law no. 24 of 2020, modified by art. 34 lett. B) of the subsequent L.R. n. 17 of 2021, has been established since 01.01.2022, and in addition, the Regional Health Liquidation Management has been established, with legal personality and patrimonial and economic autonomy, competent for the liquidation of all active and passive positions and all pending cases, from the date of establishment of the Health Protection Agency (ATS) and of those previously belonging to the abolished local health units and to the abolished health companies (see also the following link: https://www.atssardegna.it/company)”;

- "it is believed that the information requested by this Guarantor Authority regarding the facts which are the subject of the complaint presented pursuant to art. 77 of EU Regulation 2016/679 should not be addressed to this Company, but to Arnas Brotzu (at the time of the facts AO Brotzu) as Data Controller pursuant to art. 4 of EU Regulation 2016/679 to date as at the time of the facts".

Elements of information useful for the evaluation of the case were therefore requested from the G. Brotzu National Survey and High Specialization Company, with note dated XX (prot. n. XX), which provided feedback with note dated XX, declaring that:

- “it is not believed that genetic personal data are involved in the above-mentioned episode. In support of this statement, we report what is expressed in "Opinion 4/2007 on the concept of personal data" of WP29 page. 9 “Human tissue samples (like a blood sample) are themselves sources out of which biometric data are extracted, but they are not biometric data themselves (as for instance a pattern for fingerprints is biometric data, but the finger itself is not). Therefore the extraction of information from the samples is collection of personal data, to which the rules of the Directive apply. The collection, storage and use of tissue samples themselves may be subject to separate sets of rules”. In this context, reference is made to Recommendation Rec (2006) 4 of the Committee of Ministers to member states on research on biological materials of human origin and its Explanatory Memorandum (partially applicable to the present case)”;

- "the materials (assemblies and slides) which are the subject of this complaint date back to a histological examination carried out by Mrs. XX in the year XX at the A. Businco Hospital, then incorporated into ASL no. 8 of Cagliari, which was therefore the data controller, pursuant to the then current art. 1, paragraph 2, letter. D), of the then current Law 675/1996";

- “only with the L.R. n. 23 of 17.11.2014, art. 9, co. 1, letter. C) and co. 3, letter. A), the Sardinia Region has arranged, starting from the 20th century, for the incorporation into the then G. Brotzu Hospital Company (today ARNAS G. Brotzu) of the A. Cao and A. Businco hospital facilities, therefore called hospital facility, until that moment, it did not fall within the competence of the undersigned Company and moreover at the date of incorporation there was still no obligation to notify violations of personal data, as is known, introduced by the articles. 33 ff. of the General Regulation on the protection of personal data 2016/679/EU (hereinafter GDPR)”;

- "the CTU Dr. XX, with communication XX of the XX, requested this Company: "as official consultant in the Case XX against ASL 8 Cagliari plus others, N.R. 468/2016, Court of Appeal of Cagliari... please kindly inform this CTU to whom the histological findings were delivered and never returned to your hospital. The party consultants gave me a document from the Oncology Hospital (...), from which it is not clear to whom the aforementioned histological material was delivered";

- “with note Prot. n. XX and Prot. n. XX of the XX, the Businco Medical Directorate immediately proceeded to verify what was requested by the CTU XX, requesting communications regarding both the Director of the SC Pathological Anatomy and the SISAR company, as the company awarded the outsourced archiving service, communications and related documentation regarding the "handling of the material in question";

- "from the examination of the respective findings it emerged that: on date XX the Anatomy Pathology department sent Sisar the request for copies of the reports and all the XX pieces of Mrs. XX, that on the same day Sisar sent a digital copy of the reports and communicated the delivery of the tiles for the following day; that, on the following XX, the tiles and slides were delivered by the Sisar operator to the medical records office of the P.O. Businco in the hands of Mrs. XX, who signed the report confirming delivery";

- “the Businco Health Directorate, with note prot. n. XX of the XX then communicated to Prof. XX "there is no documentation in the records of the undersigned Medical Directorate and of the SC Pathological Anatomy"";

- "following the receipt of the request for information from this Dear Guarantor (...), this General Directorate immediately proceeded to verify what happened, requesting information from the parties involved in any way, as well as finding the documentation related to the technical and organizational measures adopted, with particular regard to the management of biological samples, and the instructions provided to staff on the matter";

- "from the examination of the documentation thus found (...) it therefore emerged that the materials under examination, (...) dating back to the 20th century, were the subject of various movements well before the 20th, given that a judgment is pending - at present at the appeal level between ASL n. 8 of Cagliari and Mrs. XX - (...) and that the same materials were examined by the expert witnesses appointed in the previous level of the proceedings, in which, it should be noted, this Company is not a party and was never informed on the matter, at least until May 2022, thus resulting in the absence of any "alert" regarding a specific conservation for reasons of justice";

- "from the examination of the SISAR delivery list it can be seen that on XX the latter would have physically delivered dowels and slides to the Businco Medical Records Office, in the person of XX who signed the delivery report (...). Otherwise, there is no further documentation in the documents certifying what happened following this delivery to the Medical Records Office. With regard to this last point, it is noted that (...) the documentation produced does not in any way reveal the delivery of these materials externally "to unknown persons". Indeed, otherwise the external company simply acknowledges the delivery of the materials on date XX to the Medical Records Office, while the wording "not returned" evidently refers to the Sisar company itself, which acknowledges that following delivery to the Medical Records Office it has not received the materials back";

- "as emerges from the report of Dr. XX, as deputy Head of SC Pathological Anatomy (...), the Company and specifically, the Pathological Anatomy Service, by consolidated practice, proceeds to manage the delivery of slides and inserts to those entitled, “after checking a valid document, identity card, you have a pre-printed form filled out. In the meantime, we proceed to make a photocopy of the document which will be attached to a folder with the applicant's name. The patient is invited to return after 2/3 days necessary for the internal procedures: the person who deals with the request retrieves the material from the archive and submits it to the doctor who carried out the diagnosis so that he can check whether the material is suitable upon request. When everything is ready (reports and copy of the report with the request authorized by the doctor) the patient can come to collect it. Meanwhile, the person responsible for preparing the folder also makes a photocopy of the material he has to deliver (photocopy of the dowels for example). At the time of collection, the patient signs the pre-printed form which specifies how many tiles are being delivered to him". In relation to the archiving of the materials under examination, in the same way, we transcribe what was declared by the Director of the Pathological Anatomy Service, Dr. XX, (...), namely that: "both the slides and the tiles archived at the S.C. Pathological Anatomy, are located in laminate modules ordered by progressive number and by year in a locked room where they can access and move them (when it is necessary for the doctor to see any precedents of a case he is studying to reach a diagnosis, for example) the staff who work at the same U.O. (Authorized personnel and coordinator). They cannot be accessed by outsiders, including Company employees as such unless accompanied by department personnel (Coordinator for example)... Currently (since the XX), by Company order (...), the archiving of the finds takes place at SISAR s.a.s., including the case under investigation";

- "with regard to the conservation times of the tiles and slides, it is important to note that (...), there is no specific legislative regulation and no strictly pre-established deadline. Indeed, from the examination of the Guidelines of the Ministry of Health on the subject of May 2015 (point 5.3.2), it emerges that the competent Ministry suggests, on the one hand, the outsourcing of the service - as this Company has arranged - and on the other, to proceed with the conservation of the materials of the type object of today's examination for a minimum period of 10 years (...)”;

- "well this requirement appears to have been respected by this Company, taking into account the circumstance that the elements under examination date back to the year XX";

- "furthermore, (...), this Company has resolved, over the years, to approve the Annual Training Plan, providing, among other things, for the holding of courses relating to the monitoring of health documentation";

- "the Company has also, over the years, carried out training on the protection of personal data (...)";

- "the events described above, which concern a particularly long historical period (please remember that the biological samples were taken in the 20th century, and that, as mentioned in the introduction, the present event concerns biological samples, and certainly not genetic data), in which several owners followed one another, and relating to periods for which there was not yet an obligation to notify violations of personal data (consequent as is known from the regulations referred to in articles 33 and 34 of the RGPD, and therefore applicable to date from 5/25/2018, as the notification obligation established by the Guidelines on the Health Dossier - 4 June 2015 [4084632]" is certainly not applicable to the present case);

- "(...) ARNAS was not part of the legal proceedings connected to this matter and did not have news of it until May 2022, or with the request of the CTU. In this context, in a situation in which it was complex to establish the actual ownership of the treatment (given the succession of regulatory changes already described in the introduction), or the exact moment in which these biological samples actually became no longer available, the event was not interpreted as a safety incident relevant to ARNAS pursuant to articles 33 et seq. of the GDPR”;

- "as emerges from the mere examination of the request formulated by Prof. XX, in which communication was requested regarding "to whom the histological findings which were never returned to your hospital were delivered" and the response from the Businco health management, where declared that: "there is no documentation in the records of the undersigned Medical Directorate and of the SC Pathological Anatomy", it is clear that this Company has not become aware of the violation of availability of biological samples except with the request for information formulated by this esteemed Guarantor";

- "the Company is evaluating, among other things and in any case, multi-level training, dedicated both to top management figures and to all healthcare workers, which delves in detail into the profiles connected to safety incidents and the related obligations".

To the acknowledgment note, the aforementioned Company has attached some documents, including the Declaration of the Director of the Pathological Anatomy Service (Dr. XX), from which it appears "there has never been a written protocol for the management of the findings as it is an abundantly consolidated procedure over time (over 40 years) and, in the custody of the finds stored in the archives of the U.O. of Pathological Anatomy (tens of thousands of cases have now been archived), we have always taken the utmost care and attention in safeguarding them in the best possible way. The writer does NOT know that there are written protocols for the management and custody of the finds at the U.O. of Pathological Anatomy where he works and/or in Sardinia and/or in Italy".

The G. Brotzu National Survey and High Specialization Company has also sent the aforementioned acknowledgment note from the Sisar of the XX and the delivery list of the XX, documents from which it appears that the histological inserts delivered were marked with the numbers XX (n. 3 plugs) and n. XX (22 tiles) specifically indicated as referring to Mrs. XX, born on XX.

2. Department assessments on the processing carried out and notification of the violation referred to in the art. 166, paragraph 5 of the Code

In relation to the facts described, the Office, with note dated XX (prot. n. XX), notified the G. Brotzu National Survey and High Specialization Company (hereinafter "ARNAS Brotzu Company"), pursuant to the art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, inviting it to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).

In particular, the Office, in the aforementioned act, considered that the ARNAS Brotzu Company had carried out data processing in violation of the basic principles of processing referred to in articles 5, 9 and 32 of the Regulation, as well as the "Provision containing the provisions relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101”.

With a note dated XX, the ARNAS Brotzu Company sent its defense briefs, in which, in particular, it highlighted that:

“in the episode (…)(in question) no genetic data or even personal data are involved pursuant to art. 4, par. 1, no. 1 of the Regulation";

“the loss of materials, represented by slides and pieces of a histological examination, cannot be considered an illicit processing of personal data, due to the very nature of the samples involved”;

"the concept of "biological sample" was also explained in the same terms in the Guarantor's document relating to the Authorization for the processing of genetic data - 22 February 2007 (...) and then reiterated in the most recent Prescriptions relating to the processing of genetic data n. 8/2016 (…). Based on the 2016 provisions just mentioned, the current definition of "genetic data" is represented by "the result of genetic tests or any other information which, regardless of the type, identifies the genotypic characteristics of an individual transmissible within a group of people linked by kinship ties”; while "biological sample" must be considered "any sample of biological material from which genetic data of an individual can be extracted". It therefore emerges that, even in the current legislation on the matter, "genetic data" can be considered only and exclusively the result of a genetic test, i.e. an operation that makes it possible to extrapolate personal data capable of revealing the genotypic characteristics of an individual. Even the biological sample, considered in itself, is not personal data, in the absence of an extraction procedure that allows us to know the characteristic genetic data of an identified or identifiable individual";

"in the case in question, it was not the genetic data that were lost, but pieces of biological material, considered in themselves devoid of the character of personal data, or the information element required as essential also by the art. 4, no. 1 of Regulation (EU) 2016/679”;

"for the reasons set out above, it is believed that the hypothesis in question cannot be considered to fall within the competence of the Authority, precisely because the materials requested by the interested party and the CTU cannot be considered personal data";

“even if we assume that the biological samples considered in themselves are personal data, as has already been specified and as emerges from the report of Dr. XX, then Deputy Head of SC Pathological Anatomy (..) the Company and specifically, the service of Pathological Anatomy, was already equipped at the time with a structured process for managing the delivery of slides and inserts to those entitled (...)”;

"in relation to the archiving of the materials under examination, in the same way, the Company applied a structured process (...)", already described in the note dated XX in response to the Authority's request for information;

"in this case, the management of the biological samples by the Company complied with the provisions of the art. 4.2. of the «Measure containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101", for the applicable part";

"access to the premises was strictly regulated and the management, conservation and transport of the samples were managed with modalities traced in a timely manner and such as to be able to reconstruct the entire path relating to the samples themselves, making the disputed episode an exceptional fact given the absolutely significant number of samples regularly handled by the service. From this point of view, there is not even a violation of the art. 32 of the Regulation, given that suitable safety measures were applied to the management of biological samples (...)”;

“the violation of articles 5 and 9 of the Regulation would also appear to be contested for not having provided "proof of the evaluation, by the health facility and having consulted the doctor responsible for the conduct, regarding the opportunity to conserve the biological samples even beyond the proposed ten-year period (...)", assuming that this company was aware, at XX, of the pending legal proceedings";

"in reality (...) the Company was not, nor is, a party to the proceedings, nor was it the data controller at the time of its establishment, and was never properly informed in this regard, at least until May 2022, thus resulting in the absence of any "alert" regarding a specific conservation for reasons of justice";

“as regards the dispute regarding the violation of the art. 9 of the Regulation, it is reiterated that (...) there has been no communication to third parties of any personal data";

"this is an isolated case, also related to the complex matter of the succession between health companies following the multiple regional reforms on the matter, which led to the pending litigation to which ARNAS was and is totally extraneous and of which it came to knowledge only during the year 2022. The alleged violation concerned exclusively biological samples (tile and slides) of a single interested party”;

"with regard to the contested conduct, it must be specified that the same, if deemed to exist, must certainly be considered in its negligent nature (in the degree of slight negligence). In fact, the character is certainly negligent: the failure to formalize a procedure is contested which in essence would have merely implemented the consolidated work of good clinical practice and correct management of samples already in place for about forty years. The succession of healthcare company aggregation operations and related spin-offs have at least slowed down this activity, making it appropriate, if not necessary, to proceed in a homogeneous manner in the different structures. The requirements referred to in point a) of chapter 4.2 of the Requirements are largely covered by what has already been stated. Point b) is covered with regard to the tracking of movements (considered as a major risk factor)”;

“the Company has taken steps with resolution no. XX of the XX to identify, pursuant to art. 2-quaterdecies paragraphs 1 and 2 of the Legislative Decree. 196/2003, as designated the Directors of the Complex structure and the Directors of the Simple Departmental structure, and to establish that Persons authorized to process are to be understood as all employees and collaborators, in any capacity, of the hospital, who process personal data (…)”;

the "Company has resolved, over the years, to approve the Annual Training Plan, providing, among other things, for the holding of courses relating to the monitoring of health documentation" and has "also taken steps, over the course of years, to carry out training on data protection”;

“ARNAS, with the help of the appointed DPO, immediately had a collaborative attitude with the Guarantor Authority, taking steps to react immediately to the report, to critically analyze the problematic profiles, and to promptly provide all the clarifications requested in a punctual manner; (...) the Company immediately took action, involving the DPO and the new Director of SC Anatomy Pathology (...) for an overall verification of the biological sample management process and for its formalization into a procedure aimed at crystallizing and, where appropriate, improving the existing process. Among other things, the use of computerized archive cabinets that use the reading of the barcodes present on the tiles and slides is envisaged (...)";

“the processing concerned only biological samples from a single interested party”;

"it is underlined (...) that ARNAS is not involved in the pending dispute between the interested party and another healthcare company";

“the incorporation, merger and division operations that affected the processing posed strong organizational obstacles in general and for the specific processing. Please note that for administrative liability the burden of a possible sanction could ultimately fall on a natural person and therefore recital 148 could be applicable (...) at least in determining the extent of the sanction".

On XX, the hearing requested by the ARNAS Brotzu Company took place, during which it decided to show a presentation regarding the remediation measures, including the procedure for managing requests for biological material, adopted with resolution no. XX of the XX, which was broadcast during the hearing.

On the same occasion, in addition to what was already highlighted in the briefs, it was declared that:

- "the aforementioned resolution (n. XX of the XX) formalizes the procedure already in use and introduces elements of improvement and simplification, with the aim of reducing the possibility of error;

- the actions to improve the procedure also consist of centralizing it at the Pathological Anatomy;

- the procedure allows the minimization of the planned steps and the better tracking of the operations carried out on the plugs and slides;

- the Company, as part of the three-year requirement plan, has requested the creation of computerized cabinets for the purposes of completely digitalized management of the archive, with the possibility of being notified via an alert of the failure to return any biological material possibly delivered to the patient;

- in the short term, a field training activity has already been planned on the new procedure, already communicated within the pathological anatomy service, and, furthermore, a course/conference on the latest developments regarding the protection of personal data in healthcare;

- in relation to the event which is the subject of the complaint, it is specified that in the XX the bar code was not foreseen and the tiles were marked manually with a pencil, resistant to the solvents used to process the material;

- through the aforementioned changes the Company intends to undertake a process of continuous improvement, also providing for periodic audits that allow the concrete application of the procedure and its effectiveness to be monitored;

- even just the complaint procedure had the effect of activating the Company even more to take every possible action to improve the procedures and avoid the repeatability of the event that occurred;

- the DPO was immediately involved in the process of analyzing the facts subject to the complaint and in the improvement actions".

From the documentation containing "Presentation of the procedure referred to in resolution no. XX of the XX", transmitted on the occasion of the aforementioned hearing, it appears that "the biological material (paraffin plugs, histological and cytological slides) is stored in special archives according to the numbering (assigned by the computer system) with which they were accepted at the entrance. This is a unique and progressive numbering distinguished by year and type of sample. The number and corresponding barcode are printed on paraffin tiles and slides."

3. Outcome of the preliminary investigation

Having taken note of what is represented by the ARNAS Brotzu Company in the documentation in the documents, in the defense briefs and during the hearing, it is observed that:

1. the Regulation provides that personal data must be "processed in a manner that guarantees adequate security (...), including protection, through appropriate technical and organizational measures, from unauthorized or illicit processing and from loss, destruction or accidental damage (principle of «integrity and confidentiality»)” (art. 5, par. 1, letter f) of the Regulation). The adequacy of such measures must be assessed by the controller and processor with respect to the nature of the data, the object, the purposes of the processing and the risk to the fundamental rights and freedoms of the data subjects, taking into account the risks that derive from the destruction, loss, modification, unauthorized disclosure or access, accidentally or illegally, to personal data transmitted, stored or otherwise processed (art. 32, par. 1 and 2 of the Regulation);

2. in light of the principle of responsibility (so-called accountability), "the data controller must comply with and be able to demonstrate compliance with the principles and obligations set out in the Regulation" (arts. 5, par. 2, and 24 of the Regulation);

3. according to the definition provided by the Regulation, data relating to health are "personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information relating to his or her state of health", including "information about the natural person collected during his registration for the purpose of receiving healthcare services or the related provision referred to in Directive 2011/24/EU of the European Parliament and of the Council; a number, symbol or specific element attributed to a natural person to uniquely identify him or her for health purposes; information resulting from examinations and checks carried out on a part of the body or an organic substance, including genetic data and biological samples; and any information concerning, for example, a disease, a disability, the risk of diseases, medical history, clinical treatments or the physiological or biomedical state of the data subject, regardless of the source, such as, for example, a doctor or other healthcare worker, a hospital, a medical device or an in vitro diagnostic test” (art. 4, par. 1, point 15 and Cons. no. 35);

4. with particular reference to the custody and safety of biological samples, the "Measure containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019 (published in the Official Journal no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510) has, in this regard, prescribed specific precautions that must be adopted by the data controller with particular reference to the conservation, use and transport of biological samples which must take place in ways also aimed at guaranteeing their quality, integrity, availability and traceability (point 4.2., letter b));

5. the regulations regarding the protection of personal data also provide that information on the state of health can be communicated only to the interested party and can be communicated to third parties only on the basis of a suitable legal basis (art. 9 Regulation and art. 84 of the Code in conjunction with art. 22, paragraph 11, Legislative Decree no. 101 of 10 August 2018);

6. the guidelines of the Ministry of Health-Superior Council of Health regarding "Traceability, Collection, Transport, Conservation and Archiving of cells and tissues for diagnostic investigations of PATHOLOGICAL ANATOMY" (XX), available at https://www.salute.gov.it/imgs/C_17_pubblicazioni_2369_annex.pdf, provide that, with regards to the sampled material (paraffin blocks and slides), "given (...) the need to set a minimum term for the duration of the conservation obligation, reporting the need for regulatory intervention on this point, it is believed that this deadline can appropriately be set at ten years. (…) As regards medico-legal needs and the possible defense of the healthcare facility or the doctor during any civil or criminal proceedings (…), it should be underlined that the term in question only involves the termination of a conservation obligation of the material, remaining (...), the right of the facility to retain the material for a longer period (for example in all cases in which a dispute with a patient or his successor in title is pending). In the event of an indefinite duration of the obligation, the structure is required to conserve and deliver the sample at any time to the civil judicial authority and failure to deliver it may be detected pursuant to art. 116 c.p.c. With the setting of a duration deadline, any failure to deliver the material (in the event of destruction or loss) after the expiry of the deadline itself cannot be detected pursuant to the art. 116 c.p.c.”, specifying that “the ten-year term is a minimum term, upon expiration of which the conservation obligation for the structure that holds it expires. In any case, if civil or criminal proceedings are underway, the healthcare facility, having heard the doctor responsible for the conduct, is required to evaluate the opportunity to conserve the material even beyond the ten-year period, in consideration of the ongoing litigation, without prejudice to the discretion of the same on the point and the extinction of the aforementioned conservation obligation" (see point 5.3.2. of the aforementioned document).

4. Conclusions

In light of the assessments set out above, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), it is noted that the elements provided by the ARNAS Brotzu Company in the defense briefs referred to above and during the hearing are not suitable to fully accept the dismissal requests, as they do not allow the findings notified by the Office with the aforementioned document initiating the proceedings to be overcome.

Preliminarily, it should be noted that, regardless of the qualification of the slides and pieces of a histological examination as "genetic data", they can certainly, in the specific case, be attributed to the particular categories of personal data provided for in art. 9 of the Regulation. In fact, the biological materials extracted from the complainant, associated with elements, in this case numerical (XX and XX), referring to the identity of the natural person to whom they belong (Mrs. XX), since they reveal information regarding the provision of healthcare services, constitute health data, as defined by art. 4, par. 1, point 15 of the Regulation and Recital no. 35, protected by the specific guarantees of art. 9 of the Regulation.

Having said this, it should be noted that, in light of the documentation acquired, there has "never existed a written protocol for the management of the finds as it is a procedure well consolidated over time (over 40 years) and, in the custody of the finds stored in the archive of the U.O. of Pathological Anatomy (tens of thousands of cases have now been archived), we have always taken the utmost care and attention in safeguarding them in the best possible way. The writer does NOT know that there are written protocols for the management and custody of the finds at the U.O. of Pathological Anatomy where he works and/or in Sardinia and/or in Italy" (see Declaration of the director of the pathological anatomy service, Attachment no. 7 to the email of the XX).

In this regard, even if the ARNAS Brotzu Company, as declared by itself, had not been aware, in the XX, of the pending judgment which could have required further investigations to be carried out on the biological samples taken and, therefore, even if it was not placed in a position to carry out an evaluation - as required by the aforementioned guidelines of the Ministry of Health - Superior Council of Health regarding "Traceability, Collection, Transport, Conservation and Archiving of cells and tissues for diagnostic investigations of PATHOLOGICAL ANATOMY" of XX - in relation to the opportunity to conserve biological samples even beyond the proposed ten-year term, in any case, the aforementioned circumstances do not exempt the Company from the obligation to document which processing operation (including any cancellation and destruction) had been carried out on the personal data contained in the slides associated with uniquely identified persons for health purposes.

In fact, in light of the so-called “accountability” principle, which requires data controllers to be able to demonstrate the implementation of measures suitable for effectively implementing the data protection principles (art. 5, par. 2, of the Regulation), the Company, even if there was no longer an obligation to conserve the biological samples, would still have had to adopt methods aimed at guaranteeing their traceability and identifying documented procedures for managing the operations carried out, in all phases of the treatment, taking into account, in particular, the risks deriving from the loss of personal data stored, in accordance with the provisions of arts. 5, par. 1, letter f) and 32 of the Regulation.

For these reasons, in relation to the described loss of personal data contained in the slides belonging to the complainant, we note the illegality of the processing of personal data carried out by the Company, within the terms set out in the motivation, for the violation of art. 5, par. 1, letter f) and par. 2 of the Regulation and art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019 (published in the Official Gazette no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510).

In this framework, considering that the Company has taken steps to adopt a procedure for the management and conservation of biological material, adopted with resolution no. XX of the XX, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation do not currently exist.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of the articles. 5, par. 1, letter. f) and par. 2 of the Regulation and art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019 (published in the Official Journal no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510), is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5 of the Regulation (see on this point, art. 21, paragraph 5, of Legislative Decree no. 101 of 10 August 2018, according to which "violations of the provisions contained in the general authorizations referred to in this article and in the general provision referred to in paragraph 1 are subject to the administrative sanction referred to in art. 83, par. 5, of the Regulation").

Consider that the Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

Taking into account that the violation of the aforementioned provisions took place as a consequence of a single conduct (same treatment or treatments connected to each other), art. 83, par. 3 of the Regulation applies, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns art. 5, par. 1, letter f) of the Regulation and the aforementioned "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019, the total amount of the fine is to be quantified up to 20,000,000 euros (so-called "static" statutory maximum).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking due account of the elements provided for by the art. 83, par. 2, of the Regulation.

With specific regard to the violation committed by the ARNAS Brotzu Company, it is highlighted that the level of severity was considered medium, taking into account the number of interested parties involved, the category of personal data involved, the purpose of the processing as well as the level of damage suffered by the interested party (art. 83, par. 2, letter a) of the Regulation; see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point no. 60).

The further elements provided for by art. 83, par. 2 of the Regulation were then considered, and in particular that:

- the Authority became aware of the case in question following a complaint lodged by the interested party (art. 83, par. 2, letter h) of the Regulation);

- the Company has taken charge of the findings raised by the Office by adopting the specific procedure mentioned relating to the delivery of slides and histological and cytological test cards (art. 83, par. 2, letter c) of the Regulation);

- the Company has demonstrated a high degree of cooperation with the Authority in all phases of the procedure (art. 83, par. 2, letter f) of the Regulation);

- no measures have previously been taken against the owner for relevant violations (art. 83, par. 2, letter e) of the Regulation);

- the reorganization operations of the Sardinian regional system, provided for by the regional law of the Sardinia Region, of 11 September 2020, n. 24 (containing "Reform of the regional healthcare system and systematic reorganization of the relevant regulations. Repeal of regional law no. 10 of 2006, regional law no. 23 of 2014 and regional law no. 17 of 2016 and further sector regulations ”), which affected the data controller, led to certain organizational obstacles, also for the purpose of reconstructing the event that gave rise to the violation in question (art. 83, par. 2, letter k) of the Regulation).

On the basis of the aforementioned elements, evaluated as a whole, it is considered to determine the amount of the pecuniary sanction in the amount of 18,000.00 (eighteen thousand) euros for the violation of the art. 5, par. 1, letter. f) and par. 2 of the Regulation, of the art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019.

Due to the particular sensitivity of the data processed, it is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should be applied.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the G. Brotzu National and High Specialization Company, for the violation of the art. 5, par. 1, letter. f) and 2 of the Regulation, of the art. 32 of the same Regulation, as well as the "Provision containing the provisions relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019.

ORDER

pursuant to the articles 58, par. 2, letter. i) and 83 of the Regulation, as well as art. 166 of the Code, to the G. Brotzu National and Highly Specialized Company, with registered office in Cagliari, P.le Ricchi, n. 1 — 09134, VAT number 023155209200, to pay the sum of 18,000.00 (eighteen thousand) euros as a pecuniary administrative sanction for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 18,000.00 (eighteen thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.

HAS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website and believes that the conditions set out in the art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 21 December 2023

PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE GENERAL SECRETARY
Mattei

[doc. web no. 9980617]

Provision of 21 December 2023

Register of measures
n. 601 of 21 December 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and lawyer Guido Scorza, members, and Councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC” (hereinafter “Code”);

HAVING REGARD TO Legislative Decree 10 August 2018, n. 101 containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and repealing Directive 95/46/EC";

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation in the documents;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker Dr. Agostino Ghiglia;

PREMISE

1. The request and the preliminary investigation activity

With note dated XX, Mrs. XX formulated a complaint against the local social and health authority no. 8 of Cagliari complaining about the loss of "biological data, of a genetic nature, contained in the slides and histological inserts present in one's medical record" (...) "as a result of their delivery to subjects not better identified or even identifiable by the Hospital that detained them." This circumstance would have been learned by the complainant only "following the filing of the report of the CTU-Technical Consultant of the Court of Appeal on the XX".

In particular, according to what was stated in the aforementioned complaint, the absence of the slides and histological inserts containing the genetic material of Ms. effect of making her lose the appeal case against ASL8. In this regard, the CTU himself declares that: «It is absolutely essential to remember that the undersigned was not put in a position to have access to the histological preparations which represent an important element in supporting or not the validity of the compensation request»”.

Following the complaint, the Authority started an investigation, asking, with note dated XX, the local social and health authority no. 8 of Cagliari useful elements for the evaluation of the case in question. With a note dated XX, the General Director of the aforementioned Company provided feedback by declaring that:

- “from what is reported in the appeal pursuant to art. 77 of EU Regulation 2016/679, the complained-of data breach to the detriment of the interested party appears to have occurred in the XX, probably on the XX (the day on which the material containing the interested party's genetic data would have been delivered to unspecified subjects) at the “Businco” hospital” and recalling the definition of data controller and “what is expressed in the Guidelines 07/2020 Version 2.0 of the EDPB” that “in the case that interests us the legal entity to which the law has attributed the task (purpose) of conservation of the “biological data, of a genetic nature, contained in the slides and histological inserts present within the [...] medical record of the complainant" is to be identified on the basis of the legislative provisions in force at the time";

- “the L.R. n. 23/2014, in force at the time of the reported loss of the complainant's genetic data, containing «urgent rules for the reform of the regional healthcare system», provided for art. 9, paragraph 1 letter. c ["the incorporation into the hospital of national importance "G. Brotzu" of the "Microcitemic" and "Oncological - A. Businco" hospital facilities (the latter where the loss allegedly occurred), currently belonging to ASL n. 8 of Cagliari"]. Therefore, by virtue of the provisions referred to, at the time of the event which is the subject of the complaint (XX) the person to whom the law attributed the task of processing the complainant's personal data was to be identified in the Brotzu Office (...) today Arnas Brotzu”;

- in relation to the procedural matter which is the subject of the complaint, "the undersigned Administration was not and would not have been able to know about the loss of biological data of a genetic nature following the filing of the expert witness report on XX since it is not part of the proceedings pending before the Court of Appeal of Cagliari. In fact, in the aforementioned judgment, from the little information obtainable from the complaint, the now discontinued ASL 8 is involved (which the appellant in fact identifies with C.F. 02261430926) which then merged into the Company for the Protection of Health of Sardinia (ATS SARDEGNA) with L.R. n. 17/2016”;

- “this Company (Local Social Health Company no. 8 of Cagliari – VAT number 03990560926), as required by Regional Law n. 24 of 2020, modified by art. 34 lett. B) of the subsequent L.R. n. 17 of 2021, was established on 01.01.2022, and in addition, the Regional Health Liquidation Management was established, with legal personality and patrimonial and economic autonomy, competent for the liquidation of all active and passive positions and all pending cases, from the date of establishment of the Health Protection Agency (ATS) and of those previously belonging to the abolished local health units and to the abolished health companies (see also the following link: https://www.atssardegna.it/company)”;

- "it is believed that the information requested by this Guarantor Authority regarding the facts which are the subject of the complaint presented pursuant to art. 77 of EU Regulation 2016/679 should not be addressed to this Company, but to Arnas Brotzu (at the time of the facts AO Brotzu) as Data Controller pursuant to art. 4 of EU Regulation 2016/679 to date as at the time of the facts".

Elements of information useful for the evaluation of the case were therefore requested from the G. Brotzu National Survey and High Specialization Company, with note dated XX (prot. n. XX), which provided feedback with note dated XX, declaring that:

- “it is not believed that genetic personal data are involved in the above-mentioned episode. In support of this statement, we report what is expressed in "Opinion 4/2007 on the concept of personal data" of WP29 page. 9 “Human tissue samples (like a blood sample) are themselves sources out of which biometric data are extracted, but they are not biometric data themselves (as for instance a pattern for fingerprints is biometric data, but the finger itself is not). Therefore the extraction of information from the samples is collection of personal data, to which the rules of the Directive apply. The collection, storage and use of tissue samples themselves may be subject to separate sets of rules”. In this context, reference is made to Recommendation Rec (2006) 4 of the Committee of Ministers to member states on research on biological materials of human origin and its Explanatory Memorandum (partially applicable to the present case)”;

- "the materials (assemblies and slides) which are the subject of this complaint date back to a histological examination carried out by Mrs. XX in the year XX at the A. Businco Hospital, then incorporated into ASL no. 8 of Cagliari, which was therefore the data controller, pursuant to the then current art. 1, paragraph 2, letter. D), of the then current Law 675/1996";

- “only with the L.R. n. 23 of 17.11.2014, art. 9, co. 1, letter. C) and co. 3, letter. A), the Sardinia Region has arranged, starting from the 20th century, for the incorporation into the then G. Brotzu Hospital Company (today ARNAS G. Brotzu) of the A. Cao and A. Businco hospital facilities, therefore called hospital facility, until that moment, it did not fall within the competence of the undersigned Company and moreover at the date of incorporation there was still no obligation to notify violations of personal data, as is known, introduced by the articles. 33 ff. of the General Regulation on the protection of personal data 2016/679/EU (hereinafter GDPR)”;

- "the CTU Dr. XX, with communication XX of the XX, requested this Company: "as official consultant in the Case XX against ASL 8 Cagliari plus others, N.R. 468/2016, Court of Appeal of Cagliari... please kindly inform this CTU of whom the histological findings were delivered and never returned to your hospital. The party consultants gave me a document from the Oncology Hospital (...), from which it is not clear to whom the aforementioned histological material was delivered";

- “with note Prot. n. XX and Prot. n. XX of the XX, the Businco Medical Directorate immediately proceeded to verify what was requested by the CTU XX, requesting communications regarding both the Director of the SC Pathological Anatomy and the SISAR company, as the company awarded the outsourced archiving service, communications and related documentation regarding the "handling of the material in question";

- "from the examination of the respective findings it emerged that: on date XX the Anatomy Pathology department sent Sisar the request for copies of the reports and all the XX pieces of Mrs. XX; that on the same day Sisar sent a digital copy of the reports and communicated the delivery of the tiles for the following day; that, on the following XX, the tiles and slides were delivered by the Sisar operator to the medical records office of the P.O. Businco in the hands of Mrs. XX, who signed the report confirming delivery";

- “the Businco Health Directorate, with note prot. n. XX of the XX then communicated to Prof. XX "there is no documentation in the records of the undersigned Medical Directorate and of the SC Pathological Anatomy"";

- "following the receipt of the request for information from this Dear Guarantor (...), this General Directorate immediately proceeded to verify what happened, requesting information from the parties involved in any way, as well as finding the documentation related to the technical and organizational measures adopted, with particular regard to the management of biological samples, and the instructions provided to staff on the matter";

- "from the examination of the documentation thus found (...) it therefore emerged that the materials under examination, (...) dating back to the 20th century, were the subject of various movements well before the 20th, given that a judgment is pending - at present level of appeal between ASL n. 8 of Cagliari and Mrs. XX - (...) and that the same materials were examined by the expert witnesses appointed in the previous level of the proceedings, in which, it should be noted, this Company is not a party and was never informed on the matter, at least until May 2022, thus resulting in the absence of any "alert" regarding a specific conservation for reasons of justice";

- "from the examination of the SISAR delivery list it can be seen that on XX the latter would have physically delivered dowels and slides to the Businco Medical Records Office, in the person of XX who signed the delivery report (...). Otherwise, there is no further documentation in the documents certifying what happened following this delivery to the Medical Records Office. With regard to this last point, it is noted that (...) the documentation produced does not in any way reveal the delivery of these materials externally "to unknown persons". Indeed, otherwise the external company simply acknowledges the delivery of the materials on date XX to the Medical Records Office, while the wording "not returned" evidently refers to the Sisar company itself, which acknowledges that, following delivery to the Medical Records Office, it has not received the materials back";

- "as emerges from the report of Dr. XX, as deputy Head of SC Pathological Anatomy (...), the Company and specifically, the Pathological Anatomy Service, by consolidated practice, proceeds to manage the delivery of slides and inserts to those entitled, “after checking a valid document, identity card, you have a pre-printed form filled out. In the meantime, we proceed to make a photocopy of the document which will be attached to a folder with the applicant's name. The patient is invited to return after 2/3 days necessary for the internal procedures: the person who deals with the request retrieves the material from the archive and submits it to the doctor who carried out the diagnosis so that he can check whether the material is suitable upon request. When everything is ready (reports and copy of the report with the request authorized by the doctor) the patient can come to collect it. Meanwhile, the person responsible for preparing the folder also makes a photocopy of the material he has to deliver (photocopy of the dowels for example). At the time of collection, the patient signs the pre-printed form which specifies how many tiles are being delivered to him". In relation to the archiving of the materials under examination, in the same way, we transcribe what was declared by the Director of the Pathological Anatomy Service, Dr. XX, (...), namely that: "both the slides and the tiles archived at the S.C. Pathological Anatomy, are located in laminate modules ordered by progressive number and by year in a locked room where they can access and move them (when it is necessary for the doctor to see any precedents of a case he is studying to reach a diagnosis, for example) the staff who work at the same U.O. (Authorized personnel and coordinator). They cannot be accessed by outsiders, including Company employees as such unless accompanied by department personnel (Coordinator for example)...
Currently (since the XX), by Company order (...), the archiving of the finds takes place at SISAR s.a.s., including the case under investigation";

- "with regard to the conservation times of the tiles and slides, it is important to note that (...), there is no specific legislative regulation and no strictly pre-established deadline. Indeed, from the examination of the Guidelines of the Ministry of Health on the subject of May 2015 (point 5.3.2), it emerges that the competent Ministry suggests, on the one hand, the outsourcing of the service - as this Company has arranged - and on the other, to proceed with the conservation of the materials of the type object of today's examination for a minimum period of 10 years (...)”;

- "well this requirement appears to have been respected by this Company, taking into account the circumstance that the elements under examination date back to the year XX";

- "furthermore, (...), this Company has resolved, over the years, to approve the Annual Training Plan, providing, among other things, for the holding of courses relating to the monitoring of health documentation";

- "the Company has also, over the years, carried out training on the protection of personal data (...)";

- "the events described above, which concern a particularly long historical period (please remember that the biological samples were taken in the 20th century, and that, as mentioned in the introduction, the present event concerns biological samples, and certainly not genetic data), in which several owners followed one another, and relating to periods for which there was not yet an obligation to notify violations of personal data (consequent as is known from the regulations referred to in articles 33 and 34 of the RGPD, and therefore applicable to date from 5/25/2018, as the notification obligation established by the Guidelines on the Health Dossier - 4 June 2015 [4084632]" is certainly not applicable to the present case);

- "(...) ARNAS was not part of the legal proceedings connected to this matter and did not have news of it until May 2022, or with the request of the CTU. In this context, in a situation in which it was complex to establish the actual ownership of the treatment (given the succession of regulatory changes already described in the introduction), or the exact moment in which these biological samples actually became no longer available, the event was not interpreted as a safety incident relevant to ARNAS pursuant to articles. 33 et seq. of the GDPR”;

- "as emerges from the mere examination of the request formulated by Prof. XX, in which communication was requested regarding "to whom the histological findings which were never returned to your hospital were delivered" and the response from the Businco health management, where declared that: "there is no documentation in the records of the undersigned Medical Directorate and of the SC Pathological Anatomy", it is clear that this Company has not become aware of the violation of availability of biological samples except with the request for information formulated by this esteemed Guarantor";

- "the Company is evaluating, among other things and in any case, multi-level training, dedicated both to top management figures and to all healthcare workers, which delves in detail into the profiles connected to safety incidents and the related obligations".

To the acknowledgment note, the aforementioned Company has attached some documents, including the Declaration of the Director of the Pathological Anatomy Service (Dr. XX), from which it appears "there has never been a written protocol for the management of the findings as it is an abundantly consolidated procedure over time (over 40 years) and, in the custody of the finds stored in the archives of the U.O. of Pathological Anatomy (tens of thousands of cases have now been archived), we have always taken the utmost care and attention in safeguarding them in the best possible way. The writer does NOT know that there are written protocols for the management and custody of the finds at the U.O. of Pathological Anatomy where he works and/or in Sardinia and/or in Italy".

The G. Brotzu National Survey and High Specialization Company has also sent the aforementioned acknowledgment note from the Sisar of the XX and the delivery list of the XX, documents from which it appears that the histological inserts delivered were marked with the numbers XX (n. 3 plugs) and n. XX (22 tiles) specifically indicated as referring to Mrs. XX, born on XX.

2. Department assessments on the processing carried out and notification of the violation referred to in the art. 166, paragraph 5 of the Code

In relation to the facts described, the Office, with note dated XX (prot. n. XX), notified the G. Brotzu National Survey and High Specialization Company (hereinafter "ARNAS Brotzu Company"), pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, inviting it to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of law no. 689 of 24/11/1981).

In particular, the Office, in the aforementioned act, considered that the ARNAS Brotzu Company had carried out data processing in violation of the basic principles of processing referred to in articles 5, 9 and 32 of the Regulation, as well as the "Provision containing the provisions relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101”.

With a note dated XX, the ARNAS Brotzu Company sent its defense briefs, in which, in particular, it highlighted that:

“in the episode (…)(in question) no genetic data or even personal data are involved pursuant to art. 4, par. 1, no. 1 of the Regulation";

“the loss of materials, represented by slides and pieces of a histological examination, cannot be considered an illicit processing of personal data, due to the very nature of the samples involved”;

"the concept of "biological sample" was also explained in the same terms in the Guarantor's document relating to the Authorization for the processing of genetic data - 22 February 2007 (...) and then reiterated in the most recent Prescriptions relating to the processing of genetic data n. 8/2016 (…). Based on the 2016 provisions just mentioned, the current definition of "genetic data" is represented by "the result of genetic tests or any other information which, regardless of the type, identifies the genotypic characteristics of an individual transmissible within a group of people linked by kinship ties”; while "biological sample" must be considered "any sample of biological material from which genetic data of an individual can be extracted". It therefore emerges that, even in the current legislation on the matter, "genetic data" can be considered only and exclusively the result of a genetic test, i.e. an operation that makes it possible to extrapolate personal data capable of revealing the genotypic characteristics of an individual. Even the biological sample, considered in itself, is not personal data, in the absence of an extraction procedure that allows us to know the characteristic genetic data of an identified or identifiable individual";

"in the case in question, it was not the genetic data that were lost, but pieces of biological material, considered in themselves devoid of the character of personal data, or the information element required as essential also by the art. 4, no. 1 of Regulation (EU) 2016/679”;

"for the reasons set out above, it is believed that the hypothesis in question cannot be considered to fall within the competence of the Authority, precisely because the materials requested by the interested party and the CTU cannot be considered personal data";

“even if we assume that the biological samples considered in themselves are personal data, as has already been specified and as emerges from the report of Dr. XX, then Deputy Head of SC Pathological Anatomy (..) the Company and specifically, the service of Pathological Anatomy, was already equipped at the time with a structured process for managing the delivery of slides and inserts to those entitled (...)”;

"in relation to the archiving of the materials under examination, in the same way, the Company applied a structured process (...)", already described in the note dated XX in response to the Authority's request for information;

"in this case, the management of the biological samples by the Company complied with the provisions of the art. 4.2. of the «Measure containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101", for the applicable part";

"access to the premises was strictly regulated and the management, conservation and transport of the samples were managed with modalities traced in a timely manner and such as to be able to reconstruct the entire path relating to the samples themselves, making the disputed episode an exceptional fact given the absolutely significant number of samples regularly handled by the service. From this point of view, there is not even a violation of the art. 32 of the Regulation, given that suitable safety measures were applied to the management of biological samples (...)";

“the violation of articles 5 and 9 of the Regulation would also appear to be contested for not having provided "proof of the evaluation, by the health facility and having consulted the doctor responsible for the conduct, regarding the opportunity to conserve the biological samples even beyond the proposed ten-year period (...)", assuming that this company was aware, at XX, of the pending legal proceedings";

"in reality (...) the Company was not, nor is, a party to the proceedings, nor was it the data controller at the time of its establishment, and was never properly informed in this regard, at least until May 2022, thus resulting in the absence of any "alert" regarding a specific conservation for reasons of justice";

“as regards the dispute regarding the violation of the art. 9 of the Regulation, it is reiterated that (...) there has been no communication to third parties of any personal data";

"this is an isolated case, also related to the complex matter of the succession between health companies following the multiple regional reforms on the matter, which led to the pending litigation to which ARNAS was and is totally extraneous and of which it came to knowledge only during the year 2022. The alleged violation concerned exclusively biological samples (tile and slides) of a single interested party”;

"with regard to the contested conduct, it must be specified that the same, if deemed to exist, must certainly be considered in its negligent nature (in the degree of slight negligence). In fact, the character is certainly negligent: the failure to formalize a procedure is contested which in essence would have merely implemented the consolidated work of good clinical practice and correct management of samples already in place for about forty years. The succession of healthcare company aggregation operations and related spin-offs have at least slowed down this activity, making it appropriate, if not necessary, to proceed in a homogeneous manner in the different structures. The requirements referred to in point a) of the chapter. 4.2. of the Requirements is largely covered by what has already been stated. Point b) is covered with regards to the tracking of movements (considered as a major risk factor)”;

“the Company has taken steps with resolution no. XX of the XX to identify, pursuant to art. 2-quaterdecies paragraphs 1 and 2 of Legislative Decree 196/2003, as designated the Directors of the Complex structure and the Directors of the Simple Departmental structure, and to establish that Persons authorized to process are to be understood as all employees and collaborators, in any capacity, of the hospital, who process personal data (…)”;

the "Company has resolved, over the years, to approve the Annual Training Plan, providing, among other things, for the holding of courses relating to the monitoring of health documentation" and has "also taken steps, over the course of years, to carry out training on data protection”;

“ARNAS, with the help of the appointed DPO, immediately had a collaborative attitude with the Guarantor Authority, taking steps to react immediately to the report, to critically analyze the problematic profiles, and to promptly provide all the clarifications requested in a punctual manner; (...) the Company immediately took action, involving the DPO and the new Director of SC Anatomy Pathology (...) for an overall verification of the biological sample management process and for its formalization into a procedure aimed at crystallizing and, where appropriate, improving the existing process. Among other things, the use of computerized archive cabinets that use the reading of the bar codes present on the tiles and slides is envisaged (...)";

“the processing concerned only biological samples from a single interested party”;

"it is underlined (...) that ARNAS is not involved in the pending dispute between the interested party and another healthcare company";

“the incorporation, merger and division operations that affected the processing posed strong organizational obstacles in general and for the specific processing. Please note that for administrative liability the burden of a possible sanction could ultimately fall on a natural person and therefore recital 148 could be applicable (...) at least in determining the extent of the sanction".

On XX, the hearing requested by the ARNAS Brotzu Company took place, during which it decided to show a presentation regarding the remediation measures, including the procedure for managing requests for biological material, adopted with resolution no. XX of the XX, which was broadcast during the hearing.

On the same occasion, in addition to what was already highlighted in the briefs, it was declared that:

- "the aforementioned resolution (n. XX of the XX) formalizes the procedure already in use and introduces elements of improvement and simplification, with the aim of reducing the possibility of error;

- the actions to improve the procedure also consist of centralizing it at the Pathological Anatomy;

- the procedure allows the minimization of the planned steps and the better tracking of the operations carried out on the plugs and slides;

- the Company, as part of the three-year requirement plan, has requested the creation of computerized cabinets for the purposes of completely digitalized management of the archive, with the possibility of being notified via an alert of the failure to return any biological material possibly delivered to the patient;

- in the short term, a field training activity has already been planned on the new procedure, already communicated within the pathological anatomy service, and, furthermore, a course/conference on the latest developments regarding the protection of personal data in healthcare;

- in relation to the event which is the subject of the complaint, it is specified that in the XX the bar code was not foreseen and the tiles were manually marked with a pencil, resistant to the solvents used to process the material;

- through the aforementioned changes the Company intends to undertake a process of continuous improvement, also providing for periodic audits that allow the concrete application of the procedure and its effectiveness to be monitored;

- even just the complaint procedure had the effect of activating the Company even more to take every possible action to improve the procedures and avoid the repeatability of the event that occurred;

- the DPO was immediately involved in the process of analyzing the facts subject to the complaint and in the improvement actions".

From the documentation containing "Presentation of the procedure referred to in resolution no. XX of the XX", transmitted on the occasion of the aforementioned hearing, it appears that "the biological material (paraffin inserts, histological and cytological slides) is stored in special archives according to the numbering (assigned by the computer system) with which they were accepted at the entrance. This is a unique and progressive numbering distinguished by year and type of sample. The number and corresponding barcode are printed on paraffin tiles and slides."

3. Outcome of the preliminary investigation

Having taken note of what is represented by the ARNAS Brotzu Company in the documentation on file, in the defense briefs and during the hearing, it is observed that:

1. the Regulation provides that personal data must be "processed in a manner that guarantees adequate security (...), including protection, through appropriate technical and organizational measures, from unauthorized or illicit processing and from loss, destruction or accidental damage (principle of «integrity and confidentiality»)” (art. 5, par. 1, letter. f) of the Regulation). The adequacy of such measures must be assessed by the controller and processor with respect to the nature of the data, the object, the purposes of the processing and the risk to the fundamental rights and freedoms of the data subjects, taking into account the risks that derive from the destruction, loss, modification, unauthorized disclosure or access, accidentally or illegally, to personal data transmitted, stored or otherwise processed (art. 32, par. 1 and 2 of the Regulation);

2. in light of the principle of responsibility (so-called accountability), "the data controller must comply with and be able to demonstrate compliance with the principles and obligations set out in the Regulation" (arts. 5, par. 2, and 24 of the Regulation);

3. according to the definition provided by the Regulation, data relating to health are "personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information relating to his or her state of health", including "information about the natural person collected during his registration for the purpose of receiving healthcare services or the related provision referred to in Directive 2011/24/EU of the European Parliament and of the Council; a number, symbol or specific element attributed to a natural person to uniquely identify him or her for health purposes; information resulting from examinations and checks carried out on a part of the body or an organic substance, including genetic data and biological samples; and any information concerning, for example, a disease, a disability, the risk of diseases, medical history, clinical treatments or the physiological or biomedical state of the data subject, regardless of the source, such as, for example, a doctor or other healthcare worker, a hospital, a medical device or an in vitro diagnostic test” (art. 4, par. 1, point 15 and Cons. no. 35);

4. with particular reference to the custody and safety of biological samples, the "Measure containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019 (published in the Official Journal no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510) has, in this regard, prescribed specific precautions that must be adopted by the data controller with particular reference to the conservation, use and transport of biological samples which must take place in ways also aimed at guaranteeing their quality, integrity, availability and traceability (point 4.2., letter b));

5. the regulations regarding the protection of personal data also provide that information on the state of health can be communicated only to the interested party and can be communicated to third parties only on the basis of a suitable legal basis (art. 9 Regulation and art. 84 of the Code in conjunction with art. 22, paragraph 11, Legislative Decree no. 101 of 10 August 2018);

6. the guidelines of the Ministry of Health-Superior Council of Health regarding "Traceability, Collection, Transport, Conservation and Archiving of cells and tissues for diagnostic investigations of PATHOLOGICAL ANATOMY" (XX), available at https://www.salute.gov.it/imgs/C_17_pubblicazioni_2369_annex.pdf, provide that, with regards to the sampled material (paraffin blocks and slides), "given (...) the need to set a minimum term for the duration of the conservation obligation, reporting the need for regulatory intervention on this point, it is believed that this deadline can appropriately be set at ten years. (…) As regards medico-legal needs and the possible defense of the healthcare facility or the doctor during any civil or criminal proceedings (…), it should be underlined that the term in question only involves the termination of a conservation obligation of the material, remaining (...), the right of the facility to retain the material for a longer period (for example in all cases in which a dispute with a patient or his successor in title is pending). In the event of an indefinite duration of the obligation, the structure is required to conserve and deliver the sample at any time to the civil judicial authority and failure to deliver it may be detected pursuant to art. 116 c.p.c. With the setting of a duration deadline, any failure to deliver the material (in the event of destruction or loss) after the expiry of the deadline itself cannot be detected pursuant to the art. 116 c.p.c.", specifying that “the ten-year term is a minimum term, upon expiration of which the conservation obligation for the structure that holds it expires.
In any case, if civil or criminal proceedings are underway, the healthcare facility, having heard the doctor responsible for the conduct, is required to evaluate the opportunity to conserve the material even beyond the ten-year period, in consideration of the ongoing litigation, without prejudice to the discretion of the same on the point and the extinction of the aforementioned conservation obligation" (see point 5.3.2. of the aforementioned document).

4. Conclusions

In light of the assessments set out above, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), it is noted that the elements provided by the ARNAS Brotzu Company in the defense briefs referred to above and during the hearing are not suitable to fully accept the dismissal requests, as they do not allow the findings notified by the Office with the aforementioned document initiating the proceedings to be overcome.

Preliminarily, it should be noted that, regardless of the qualification of the slides and pieces of a histological examination as "genetic data", they can certainly, in the specific case, be attributed to the particular categories of personal data provided for in art. 9 of the Regulation. In fact, the biological materials extracted from the complainant, associated with elements, in this case numerical (XX and XX), referring to the identity of the natural person to whom they belong (Mrs. XX), since they reveal information regarding the provision of health care services, constitute health data, as defined by art. 4, par. 1, point 15 of the Regulation and Recital no. 35, protected by the specific guarantees of art. 9 of the Regulation.

Having said this, it should be noted that, in light of the documentation acquired, there has "never existed a written protocol for the management of the finds as it is a procedure well consolidated over time (over 40 years) and, in the custody of the finds stored in the archive of the U.O. of Pathological Anatomy (tens of thousands of cases have now been archived), we have always taken the utmost care and attention in safeguarding them in the best possible way. The writer does NOT know that there are written protocols for the management and custody of the finds at the U.O. of Pathological Anatomy where he works and/or in Sardinia and/or in Italy" (see Declaration of the director of the pathological anatomy service, Attachment no. 7 to the email of the XX).

In this regard, even if the ARNAS Brotzu Company, as declared by itself, had not been aware, in the XX, of the pending judgment which could have required further investigations to be carried out on the biological samples taken and, therefore, even if it was not placed in a position to carry out an evaluation - as required by the aforementioned guidelines of the Ministry of Health - Superior Council of Health regarding "Traceability, Collection, Transport, Conservation and Archiving of cells and tissues for diagnostic investigations of PATHOLOGICAL ANATOMY" of XX - in relation to the opportunity to conserve biological samples even beyond the proposed ten-year term, in any case, the aforementioned circumstances do not exempt the Company from the obligation to document which processing operation (including any cancellation and destruction) had been carried out on the personal data contained in the slides associated with uniquely identified persons for health purposes.

In fact, in light of the so-called “accountability” principle, which requires data controllers to be able to demonstrate the implementation of measures suitable for effectively implementing the data protection principles (art. 5, par. 2, of the Regulation), the Company, even if there was no longer an obligation to conserve the biological samples, would still have had to adopt methods aimed at guaranteeing their traceability and identifying documented procedures for managing the operations carried out, in all phases of the processing, taking into account, in particular, the risks deriving from the loss of personal data stored, in accordance with the provisions of articles 5, par. 1, letter f) and 32 of the Regulation.

For these reasons, in relation to the described loss of personal data contained in the slides belonging to the complainant, we note the unlawfulness of the processing of personal data carried out by the Company, within the terms set out in the reasoning, for the violation of art. 5, par. 1, letter f) and par. 2 of the Regulation and art. 32 of the same Regulation, as well as the "Provision containing the provisions relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019 (published in the Official Journal no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510).

In this framework, considering that the Company has taken steps to adopt a procedure for the management and conservation of biological material, adopted with resolution no. XX of the XX, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation do not currently exist.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of art. 5, par. 1, letter f) and par. 2 of the Regulation and art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019 (published in the Official Journal no. 176 of 29 July 2019 and available at www.gpdp.it, web doc. no. 9124510), is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5 of the Regulation (see on this point, art. 21, paragraph 5, of Legislative Decree no. 101 of 10 August 2018, according to which "violations of the provisions contained in the general authorizations referred to in this article and in the general provision referred to in paragraph 1 are subject to the administrative sanction referred to in art. 83, par. 5, of the Regulation").

It should be considered that the Guarantor, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

Taking into account that the violation of the aforementioned provisions took place as a consequence of a single conduct (same processing operation or processing operations connected to each other), art. 83, par. 3 of the Regulation applies, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns art. 5, par. 1, letter f) of the Regulation and the aforementioned "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019, the total amount of the fine is to be quantified up to 20,000,000 euros (so-called "static" statutory maximum).

The aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined in its amount taking due account of the elements provided for by art. 83, par. 2, of the Regulation.

With specific regard to the violation committed by the ARNAS Brotzu Company, it is highlighted that the level of severity was considered medium, taking into account the number of data subjects involved, the category of personal data involved, the purpose of the processing as well as the level of damage suffered by the data subject (art. 83, par. 2, letter a) of the Regulation; see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point no. 60).

The further elements provided for by art. 83, par. 2 of the Regulation were then considered, and in particular that:

- the Authority became aware of the case in question following a complaint lodged by the data subject (art. 83, par. 2, letter h) of the Regulation);

- the Company has taken charge of the findings raised by the Office by adopting the specific procedure mentioned relating to the delivery of slides and histological and cytological test cards (art. 83, par. 2, letter c) of the Regulation);

- the Company has demonstrated a high degree of cooperation with the Authority in all phases of the procedure (art. 83, par. 2, letter f) of the Regulation);

- no measures have previously been taken against the data controller for relevant violations (art. 83, par. 2, letter e) of the Regulation);

- the reorganization operations of the Sardinian regional system, provided for by the regional law of the Sardinia Region, of 11 September 2020, n. 24 (containing "Reform of the regional healthcare system and systematic reorganization of the relevant regulations. Repeal of regional law no. 10 of 2006, regional law no. 23 of 2014 and regional law no. 17 of 2016 and further sector regulations”), which affected the data controller, led to certain organizational obstacles, also for the purpose of reconstructing the event that gave rise to the violation in question (art. 83, par. 2, letter k) of the Regulation).

On the basis of the aforementioned elements, evaluated as a whole, it is considered appropriate to set the amount of the pecuniary sanction at 18,000.00 (eighteen thousand) euros for the violation of art. 5, par. 1, letter f) and par. 2 of the Regulation, of art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019.

Due to the particular sensitivity of the data processed, it is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should be applied.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

IN VIEW OF ALL THE FOREGOING, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the G. Brotzu National and High Specialization Company, for the violation of art. 5, par. 1, letter f) and par. 2 of the Regulation, of art. 32 of the same Regulation, as well as the "Provision containing the requirements relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree 10 August 2018, n. 101” of the Guarantor n. 146 of 5 June 2019.

ORDERS

the G. Brotzu National and Highly Specialized Company, with registered office in Cagliari, P.le Ricchi, n. 1 — 09134, VAT number 023155209200, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, as well as art. 166 of the Code, to pay the sum of 18,000.00 (eighteen thousand) euros as a pecuniary administrative sanction for the violation indicated in this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 18,000.00 (eighteen thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with art. 27 of law no. 689/1981.

ORDERS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website and considers that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 78 of the Regulation, articles 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 21 December 2023

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE GENERAL SECRETARY
Mattei