Garante per la protezione dei dati personali (Italy) - 9983244

From GDPRhub
Garante per la protezione dei dati personali - 9983244
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 9 GDPR
Article 32 GDPR
Article 2-septies(8) of the Italian Privacy Code
Type: Investigation
Outcome: Violation Found
Started:
Decided: 11.01.2024
Published:
Fine: 20,000 EUR
Parties: n/a
National Case Number/Name: 9983244
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: ar

The DPA fined a general practitioner €20,000 for breaching the principle of integrity and confidentiality: he had installed, on the outside wall of his office, a metal box with the key left in its lock, in which patients' medical prescriptions were deposited for collection without envelopes.

English Summary

Facts

The Italian DPA was informed that a general practitioner (the controller) was processing personal data of his patients in breach of the principles of integrity and confidentiality.

On the exterior wall of the controller’s office, there was a mailbox and a metal box without any names, and on the box, there was the indication "only medical prescriptions" with a key inserted in the lock. This box was freely accessible to the public and was located on a public square. Inside the box, there were numerous medical prescriptions, not placed inside closed envelopes, issued to different subjects.

This practice was confirmed by seven other patients of the controller, who declared that the system had been introduced during the COVID-19 pandemic and kept in place afterwards.

Considering that the described conduct was probably not compliant with the relevant data protection rules, the DPA notified the controller of the opening of the procedure pursuant to Article 58(2) GDPR.

Holding

To begin, the DPA noted that the data in question fell within the scope of Article 4(15) GDPR as data concerning health, which require additional protection since their processing could cause severe risks to the data subjects’ fundamental rights and freedoms, as noted in Recital 51 GDPR.

The DPA further observed that pursuant to Article 5(1)(f) GDPR, the controller should have respected the principles of integrity and confidentiality. Thus, the controller should have adopted technical and organisational measures to ensure a level of security appropriate to the risk, under Article 32 GDPR.

Furthermore, Article 2-septies(8) of the Italian Privacy Code also expressly prohibits the dissemination of data that may reveal the state of health of data subjects.

Referring to its own press releases from 2014 and 2015, the DPA stated that, to prevent third parties from accessing sensitive data such as health data, prescriptions left for collection must be placed in a sealed envelope. Moreover, the DPA pointed out that during the COVID-19 pandemic the electronic prescription number (NRE) had been introduced precisely so that patients would not have to go to the general practitioner's office to collect a prescription, an alternative the controller should have used.

Consequently, considering that the controller violated Article 5 GDPR, Article 9 GDPR and Article 32 GDPR, as well as Article 2-septies(8) of the Italian Privacy Code and that the controller’s responsibility was high, the DPA fined the controller €20,000.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO: Newsletter of February 14, 2024

[doc. web no. 9983244]

Provision of 11 January 2024

Register of measures
n. 11 of 11 January 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Dr. Guido Scorza, vice president, Dr. Agostino Ghiglia and Prof. Ginevra Cerrina Feroni, members, and Councillor Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, no. 196 containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC" (hereinafter the "Code");

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette. n. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation in the documents;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

Speaker Dr. Guido Scorza;

PREMISE

1. Reporting

With a note dated XX, the XX communicated to the Authority that it had acquired, with respect to Dr. Bagnato, "elements (...) that appeared not to comply with the relevant legislation on the protection of personal data" in relation to "a system for issuing prescriptions for medicines, specialist visits and medical certificates, in violation of the general principle which establishes that personal data must be processed in a way that guarantees adequate security thereof, including protection, through adequate organisational measures, from unauthorised or unlawful processing and from accidental damage ("integrity and confidentiality")".

In the aforementioned communication from the XX it was reported that it had been possible "to ascertain that on the external wall of the medical office, next to the entrance door of the office and in its immediate vicinity, a post box and a metal container were affixed, both without any name. On the container, however, there was the indication "medical prescriptions only", while a key was inserted in the container's lock. Furthermore, said container was freely accessible to the public since, during the observation service, several people were seen opening it and taking some slips of paper that were inside it. Furthermore, it was located on the public square where there is free parking; in the same building and on the same floor as the doctor's office, but with separate entrances, there are also the AVIS headquarters and a sampling centre of the ASL of XX".

The XX also reports that inside the container "numerous medical prescriptions were kept, most of which consisted of "electronic prescription - reminder for the patient" and, for the remainder, of "pink prescriptions" taken from the NHS prescription pad. The prescriptions had been filled out for different names, some bore the doctor's signature (in the case of NHS prescriptions) and all were accessible to anyone, given that (with the exception of one case) they were not even placed inside closed envelopes; 67 prescriptions were placed in the container. From a cursory examination of them it was possible to note that the medical prescriptions had been issued to different persons and contained prescriptions for both medicines and specialist tests".

In pointing out that the investigations were "carried out in the period between 02.09.2023 and 04.04.2023", it was represented that "what was ascertained by the staff of this Unit was confirmed by the statements acquired from seven patients of Dr. Bagnato, some of whom were identified among those who had been seen accessing the metal container" and that from the statements made "it emerged that the system described above had been implemented by Dr. XX Bagnato during the period in which the well-known Covid-19 emergency was in place, and then also maintained subsequently, after its cessation".

A document was attached to the aforementioned communication containing a "Service note relating to facts and circumstances that may constitute a report to the Guarantor for the Protection of Personal Data, ascertained during observation services carried out in the period between 02.09.2023 and 04.04.2023", as well as photographs, in support of what was reported.

2. The preliminary investigation activity

Following a request for information formulated by the Authority pursuant to art. 157 of the Code (note of the XX, prot. no. XX), Dr. Bagnato replied, with the note of the XX, representing that:

- "in this regard, the episodic and occasional nature of the matter being reported is noted";

- "aware of the importance of the processing of the personal data of my clients, it is specified that the delivery of medical prescriptions by depositing them in the metal container takes place only and exclusively for those patients who expressly request it, thus themselves consenting to a limitation of their privacy. And in fact, in the same report it is highlighted that the prescriptions "were accessible to anyone given that they (with the exception of one case) were not even placed inside closed envelopes". This circumstance is a clear sign that when the patient did not expressly request it, the prescription was placed in a closed envelope to protect the integrity and confidentiality of his personal data";

- "this method of delivery of prescriptions allows (...) to limit the number of patient accesses during clinic hours, preventing the patient from having to go to my office simply to collect the prescriptions and at the same time allowing him/her an easy method of using the service, being able to collect prescriptions at any time of the day";

- "the metal container, equipped with a key and always closed, is placed in an area delimited to the public by red posts accessible only to those who are interested in it, and not directly on the public square as reported in the report";

- "the "several" people who were seen by the investigating officers opening the container all took "slips of paper" (the medical prescriptions) present inside it. This confirms that access to the container was made exclusively by my patients, who repeatedly gave their consent to the issuing of prescriptions in those ways, and not by third parties";

- "in any case I have already removed the container which was the subject of the dispute".

With reference to what emerged from the examination of the documentation and the statements made, and taking into account that the described conduct was not found to comply with the relevant regulations on the protection of personal data, the Office, with act dated XX (protocol no. XX), notified Dr. Bagnato, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2 of the Regulation, inviting him to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, law no. 689 of 24 November 1981).

In particular, the Office, with the aforementioned act, considered that Dr. Bagnato had carried out processing of personal data in violation of the basic principles of processing referred to in articles 5 and 9 of the Regulation and of the obligation regarding security of processing referred to in art. 32 of the Regulation, as well as art. 2-septies, paragraph 8, of the Code.

Dr. Bagnato did not produce any defensive document in this regard and did not ask to be heard by the Authority.

3. Outcome of the preliminary investigation

Having taken note of what the doctor represented during the procedure, it is noted that:

- "personal data" means "any information relating to an identified or identifiable natural person ("data subject")" and "data concerning health" means "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status" (art. 4, par. 1, nos. 1 and 15 of the Regulation). The latter data deserve greater protection, since the context of their processing could create significant risks for fundamental rights and freedoms (Recital 51 of the Regulation);

- the regulations on the protection of personal data provide that data controllers are required to respect the principles applicable to data processing, including that of "integrity and confidentiality", according to which personal data must be "processed in a manner that ensures appropriate security (...), including protection, through appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage" (art. 5, par. 1, letter f) of the Regulation). The data controller is required to adopt appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, in particular from unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful (art. 32 of the Regulation); in particular, in the healthcare sector, the controller must adopt suitable measures to guarantee, also in the organisation of services and facilities, respect for the rights, fundamental freedoms and dignity of data subjects (art. 83 of the Code, deemed compatible with the cited Regulation (EU) 2016/679, see art. 22, paragraph 11, legislative decree 10 August 2018, no. 101, in relation to which the Guarantor has adopted a specific general provision, see provision of 9 November 2005, available on www.garanteprivacy.it, web doc. no. 1191411, see art. 22, paragraph 4, of the aforementioned legislative decree no. 101/2018);

- information relating to health may be communicated to third parties only on the basis of a suitable legal basis or at the request of the data subject himself, subject to the latter's written authorisation (art. 9 of the Regulation); in this context, in the Guarantor's press release of 14 November 2014 it was expressly highlighted that "medical prescriptions can be left at pharmacies and doctors' offices for collection by patients, as long as they are placed in a closed envelope. Leaving prescriptions and certificates within anyone's reach, or even unattended in trays placed on pharmacy counters or on the desks of doctors' offices, violates patients' privacy." It was also pointed out that "the procedures, which have been in force for some time, allow doctors to leave prescriptions and certificates for patients in the waiting rooms of their practices or at pharmacies, without necessarily having to deliver them in person. To prevent sensitive data, such as health data, from becoming known to outsiders, it is however essential that prescriptions and certificates are delivered in a sealed envelope. The sealed envelope is even more necessary if it is not the patient who collects the documents, but a person specially delegated by them" (see press release of 14 November 2015, web doc. no. 3533579);

- "dissemination" means "giving knowledge of personal data to indeterminate subjects, in any form, including by making them available or by consultation" (art. 2-ter, paragraph 4, letter b) of the Code);

- the regulations on the protection of personal data expressly prohibit the dissemination of data capable of revealing the state of health of data subjects (art. 2-septies, paragraph 8, and art. 166, paragraph 2, of the Code).

It should also be highlighted that already during the emergency period certain measures were envisaged to facilitate the use of simplified methods of obtaining the dematerialised reminder or the electronic prescription number, so as to avoid the patient having to go to the doctor's office to collect the prescription, in order to contain the spread of the Sars-CoV-2 virus (ministerial decree of 25 March 2020 and ministerial decree of 30 December 2020, on which the Authority expressed its opinion; see provision of 19 March 2020, web doc. no. 9296257, of 2 April 2020, web doc. no. 9308089, and provision of 12 November 2020, web doc. no. 9519603). With legislative decree 29 December 2022, no. 198, as amended by the conversion law of 24 February 2023, no. 14, it was provided that "The methods of use of alternative tools to the paper reminder of the electronic prescription and of use of the electronic prescription reminder in pharmacies, set out in articles 2 and 3 of the ordinance of the Head of the Civil Protection Department no. 884 of 31 March 2022, published in the Official Journal no. 83 of 8 April 2022, implementing article 1 of the legislative decree of 24 March 2022, no. 24, are extended until 31 December 2024 and are extended to the sending of the electronic prescription number (NRE) by email" (art. 4, paragraph 6).

Finally, it should be noted that already in 2021 the Guarantor, in adopting a sanctioning measure against another doctor for similar conduct, had provided relevant indications for the processing of the personal data in question (see provision of 28 October 2021, web doc. no. 9716887).

4.  Conclusions

In light of the assessments mentioned above, taking into account the statements made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor", the following is noted.

The brief arguments put forward by the controller in the reply to the request for information, with particular reference to the statements on the reasons why he intended to introduce a different method of delivery of prescriptions (to facilitate the use of the prescription collection service at any time of day and to limit the number of patients accessing the medical practice) as well as the presumed acquisition of the patients' consent, do not allow the objections raised by the Office in the act initiating the procedure to be overcome and, therefore, the proceedings to be dismissed, nor does any of the cases provided for by art. 11 of Guarantor Regulation no. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by Dr. Bagnato is noted, in violation of articles 5, 9 and 32 of the Regulation, as well as art. 2-septies, paragraph 8, of the Code, in the terms set out in the reasoning.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; article 166, paragraph 7, of the Code).

The violation of articles 5, 9 and 32 of the Regulation, as well as art. 2-septies, paragraph 8, of the Code, resulting from the processing of personal data that is the subject of this provision, carried out by Dr. Bagnato, is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5 of the Regulation.

It should be considered that the Guarantor, pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other] [corrective] measures referred to in this paragraph, depending on the circumstances of each individual case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in the art. 83, par. 1 of the Regulation, in light of the elements provided for in art. 83, par. 2, of the Regulation in relation to which, in particular, it is noted that:

- the data processing carried out concerned information on the health status of a large number of Dr. Bagnato's patients and had an established duration of two months (art. 83, par. 2, letters a) and g) of the Regulation);

- the seriousness of the violation and the degree of responsibility of the controller are high (art. 83, par. 2, letters b) and d) of the Regulation);

- the report was made by the XX also on the basis of statements made by patients regarding Dr. Bagnato's conduct (art. 83, par. 2, letter k) of the Regulation);

- the doctor did not demonstrate full cooperation with the Authority during the investigation, having provided only a concise reply to the request for information formulated by the Authority; moreover, he also failed to produce defensive writings or documents in relation to the notification, pursuant to art. 166, paragraph 5, of the Code, initiating the procedure for the adoption of the measures referred to in art. 58, par. 2 of the Regulation, in order to prove what he had initially claimed.

On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of €20,000.00 for the violation of the articles. 5, 9 and 32 of the Regulation, as well as art. 2-septies, paragraph 8 of the Code, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also considered that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of Guarantor Regulation no. 1/2019, should be applied, in view of the particular category of personal data processed and the number of data subjects involved.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE ABOVE CONSIDERED, THE GUARANTOR

having found a violation of articles 5, 9 and 32 of the Regulation as well as art. 2-septies, paragraph 8, of the Code, declares the unlawfulness of the processing of personal data carried out by Dr. Bagnato within the terms set out in the reasoning;

ORDERS

Dr. XX Bagnato, born in XX (XX) on XX, tax code XX, resident in XX (XX), XX, pursuant to articles 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, to pay the sum of 20,000.00 (twenty thousand) euros as a pecuniary administrative sanction for the violation referred to in this provision, according to the methods indicated in the annex, within 30 days of notification of this provision; it is noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Dr. Bagnato, in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 20,000.00 (twenty thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement acts pursuant to art. 27 of law no. 689/1981;

DIRECTS

- the publication of this provision on the Guarantor's website, pursuant to art. 166, paragraph 7, of the Code;

- the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, relating to violations and measures adopted in compliance with art. 58, par. 2 of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself, or within sixty days if the appellant resides abroad.

Rome, 11 January 2024

PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE GENERAL SECRETARY
Mattei

SEE ALSO: Newsletter of February 14, 2024





[doc. web no. 9983244]

Provision of 11 January 2024

Register of measures
n. 11 of 11 January 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Dr. Giuseppe Stanzione, president, Dr. Guido Scorza, vice president, Dr. Agostino Ghiglia and professor Ginevra Cerrina Feroni, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (hereinafter the “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Gazette. n. 106 of 8/5/2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

HAVING SEEN the documentation in the documents;

GIVEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, doc. web no. 1098801;

Speaker Dr. Guido Scorza;

PREMISE

1. Reporting

With a note dated XX, the XX communicated to the Authority that it had acquired with respect to Dr. Bagnato "elements (...) appeared not to comply with the relevant legislation on the protection of personal data" in relation to "a system of prescribing medicines, specialist visits and medical certificates, in violation of the general principle which establishes that personal data must be processed in a way that guarantees adequate security thereof, including protection, through adequate organizational measures, from unauthorized or illicit processing and from accidental damage ("integrity and confidentiality").

In the aforementioned communication from the XX it was reported that it was possible "to ascertain that on the external wall of the medical office, next to the entrance door of the office and in its immediate vicinity, a post box and a metal container were affixed, both without any name. On the container, however, there was the indication "medical prescriptions only" while a key was inserted in the container's lock. Furthermore, said container was freely accessible to the public as, during the service, several people were seen who opened it and took some slips of paper that were inside it. Furthermore, it was located in the public square where there is free parking; in the same building and on the same level as the doctor's office, but with separate accesses, there is also the AVIS headquarters and a sampling center of the ASL of XX".

The XX also reports that it was found that inside the container "numerous medical prescriptions were kept, most of which consisted of "electronic prescription - reminder for the patient" and, for the remainder, of "pink prescriptions" taken from the NHS recipe book. The prescriptions had been filled out for different names, some bore the doctor's signature (in the case of NHS prescriptions) and all were accessible to anyone given that they (with the exception of one case) were not even placed inside closed envelopes; n. were placed in the container. 67 recipes. From an extemporaneous examination of the same it was possible to note that the medical prescriptions had been issued in favor of different subjects and reported prescriptions for both medicines and specialist tests".

In highlighting that the investigations were "carried out in the period between 02.09.2023 and 04.04.2023", it was represented that "what was ascertained by the staff of this Unit was confirmed by the declarations acquired from seven patients of the doctor. Wet, some of whom were identified among those who had been seen accessing the metal container" and that from the statements made "it emerged that the system described above had been implemented by Dr. XX Wet during the period in which the well-known Covid-19 problem was in place, and then also maintained subsequently, after the cessation of the same".

A document was attached to the aforementioned communication containing "Service note relating to facts and circumstances that may constitute a report to the Guarantor for the Protection of Personal Data, ascertained during observation services carried out in the period between 02.09.2023 and 04.04 .2023”, as well as reproductions of photographic surveys, to support what is reported.

2. The preliminary investigation activity

Following a request for information, formulated by the Authority, pursuant to art. 157 of the Code (note of the XX, prot. n. XX), Dr. Bagnato provided feedback, with the note of the XX, representing that:

- "in this regard, the episodic and occasional nature of the matter being reported is noted";

- "aware of the importance of the processing of the personal data of my clients, it is specified that the delivery of medical prescriptions by depositing them in the metal container takes place only and exclusively for those patients who expressly request it, thus consenting themselves to a limitation of your privacy. And in fact, in the same report it is highlighted that the recipes "were accessible to anyone given that they (with the exception of one case) were not even placed inside closed envelopes". This circumstance is a clear sign that when the patient did not expressly request it, the prescription was placed in a closed envelope to protect the integrity and confidentiality of his personal data";

- "this method of delivery of prescriptions allows (...) to limit the number of patient access during clinic hours, preventing the patient from having to go to my office simply to collect the prescriptions and at the same time allowing him/her an easy methods of using the service by being able to collect prescriptions at any time of the day";

- "the metal container, equipped with a key and always closed, is placed in an area separated from the public by red posts and accessible only to those concerned, and not directly on the public square as stated in the report";

- "the "several" people who were seen by the investigating officers opening the container all took "slips of paper" (the medical prescriptions) present inside it. This confirms that access to the container was made exclusively by my patients, who had repeatedly given their consent to the issuing of prescriptions in this manner, and not by third parties";

- "in any case I have already removed the container which was the subject of the dispute".

With reference to what emerged from the examination of the documentation and the declarations made, and taking into account that the described conduct was not found to comply with the relevant regulations on the protection of personal data, the Office, with act dated XX (protocol no. XX), notified Dr. Bagnato, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2 of the Regulation, inviting him to submit defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of law no. 689 of 24 November 1981).

In particular, the Office, with the aforementioned deed, considered that Dr. Bagnato had carried out processing of personal data in violation of the basic principles of processing referred to in articles 5 and 9 of the Regulation and of the obligation regarding security of processing referred to in art. 32 of the Regulation, as well as art. 2-septies, paragraph 8, of the Code.

Dr. Bagnato did not submit any defensive document in this regard and did not ask to be heard by the Authority.

3. Outcome of the preliminary investigation

Having taken note of what the doctor represented during the procedure, it is noted that:

- "personal data" means "any information relating to an identified or identifiable natural person ("data subject")" and "data concerning health" means "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status" (art. 4, par. 1, nos. 1 and 15 of the Regulation). The latter data deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (Recital 51 of the Regulation);

- the regulations on the protection of personal data provide that data controllers are required to respect the principles applicable to data processing, including that of "integrity and confidentiality", according to which personal data must be "processed in a manner that ensures appropriate security (...), including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures" (art. 5, par. 1, letter f) of the Regulation). The data controller is required to adopt appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, in particular from unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful (art. 32 of the Regulation); in particular, in the healthcare sector, the controller must adopt suitable measures to guarantee, also in the organisation of services and facilities, respect for the rights, fundamental freedoms and dignity of the data subjects (art. 83 of the Code, deemed compatible with the cited Regulation (EU) no. 2016/679, see art. 22, paragraph 11, of legislative decree 10 August 2018, no. 101, in relation to which the Guarantor has adopted a specific general provision, see provision of 9 November 2005, available on www.garanteprivacy.it, web doc. no. 1191411, and art. 22, paragraph 4, of the aforementioned legislative decree no. 101/2018);

- information relating to health may be communicated to third parties only on the basis of a suitable legal basis or at the indication of the data subject himself, subject to the latter's written authorisation (art. 9 of the Regulation); in this context, in the Guarantor's press release of 14 November 2014, it was expressly highlighted that "medical prescriptions can be left at pharmacies and doctors' offices for collection by patients, as long as they are placed in a closed envelope. Leaving prescriptions and certificates within anyone's reach or even unattended, in trays placed on pharmacy counters or on the desks of doctors' offices, violates patients' privacy." It was also pointed out that "the procedures, which have been in force for some time, allow doctors to leave prescriptions and certificates for patients in the waiting rooms of their practices or at pharmacies, without necessarily having to deliver them in person. To prevent sensitive data, such as health data, from becoming known to outsiders, it is however essential that prescriptions and certificates are delivered in a sealed envelope. The sealed envelope is even more necessary if it is not the patient who collects the documents, but a person specifically delegated by them" (see press release of 14 November 2015, web doc. no. 3533579);

- "dissemination" means "giving knowledge of personal data to undetermined subjects, in any form, including by making them available or consulting them" (art. 2-ter, paragraph 4, letter b) of the Code);

- the regulations on the protection of personal data expressly prohibit the dissemination of data capable of revealing the state of health of the data subjects (art. 2-septies, paragraph 8 and art. 166, paragraph 2, of the Code).

Finally, it should be highlighted that already in the emergency period, certain measures were envisaged to facilitate the use of simplified methods of acquiring the dematerialised reminder or the electronic prescription number, in order to avoid the patient having to go to the doctor's office to collect the prescription; this, in order to contain the spread of the SARS-CoV-2 virus (ministerial decree of 25 March 2020 and ministerial decree of 30 December 2020, on which the Authority expressed its opinion, see provision of 19 March 2020, web doc. no. 9296257, provision of 2 April 2020, web doc. no. 9308089, and provision of 12 November 2020, web doc. no. 9519603). With legislative decree 29 December 2022, no. 198, as amended by the conversion law of 24 February 2023, no. 14, it was provided that "The methods of use of alternative tools to the paper reminder of the electronic prescription and of use of the electronic prescription reminder in pharmacies, set out in articles 2 and 3 of the ordinance of the Head of the Civil Protection Department no. 884 of 31 March 2022, published in the Official Journal no. 83 of 8 April 2022, implementing article 1 of the legislative decree of 24 March 2022, no. 24, are extended until 31 December 2024 and are extended to the sending of the electronic prescription number (NRE) by email" (art. 4, paragraph 6).

It should also be noted that already in 2021 the Guarantor, in adopting a sanctioning measure against another doctor for similar conduct, had provided relevant indications for the processing of the personal data in question (see provision of 28 October 2021, web doc. no. 9716887).

4. Conclusions

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code ("False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), the following is noted.

The brief arguments put forward by the controller in his response to the request for information, with particular reference to the declarations relating to the reasons why he intended to introduce a different method of delivery of prescriptions (to facilitate the use of the prescription collection service, at any time of the day, and to limit the number of patients accessing the medical practice) as well as the alleged acquisition of the patients' consent, do not allow the objections raised by the Office in the act initiating the procedure to be overcome and, therefore, do not allow the dismissal of the proceedings to be ordered, none of the cases provided for by art. 11 of the Guarantor Regulation no. 1/2019 having occurred.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by Dr. Bagnato is noted, in violation of articles 5, 9 and 32 of the Regulation, as well as art. 2-septies, paragraph 8, of the Code, in the terms set out in the reasoning.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (art. 58, par. 2, letter i) and art. 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of articles 5, 9 and 32 of the Regulation, as well as art. 2-septies, paragraph 8, of the Code, resulting from the processing of personal data that is the subject of this provision, carried out by Dr. Bagnato, is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5 of the Regulation.

It is considered that the Guarantor, pursuant to art. 58, par. 2, letter i) and art. 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose an administrative fine pursuant to Article 83, in addition to, or instead of, the [other] [corrective] measures referred to in this paragraph, depending on the circumstances of each individual case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction, imposed depending on the circumstances of each individual case, must be determined in its amount taking into account the principles of effectiveness, proportionality and dissuasiveness indicated in art. 83, par. 1 of the Regulation, in light of the elements provided for in art. 83, par. 2, of the Regulation, in relation to which, in particular, it is noted that:

- the data processing carried out concerned information on the health status of a large number of Dr. Bagnato's patients and had an established duration of two months (art. 83, par. 2, letters a) and g) of the Regulation);

- the gravity of the violation and the degree of responsibility of the controller are high (art. 83, par. 2, letters b) and d) of the Regulation);

- the report was made by XX also on the basis of statements made by patients regarding Dr. Bagnato's conduct (art. 83, par. 2, letter k) of the Regulation);

- the doctor did not demonstrate full cooperation with the Authority during the investigation procedure, having provided a concise response to the request for information formulated by the Authority; moreover, he also failed to submit defensive writings or documents in relation to the notification, pursuant to art. 166, paragraph 5, of the Code, of the initiation of the procedure for the adoption of the measures referred to in art. 58, par. 2 of the Regulation, in order to prove what he had initially claimed.

On the basis of the aforementioned elements, evaluated as a whole, it is decided to set the amount of the pecuniary sanction at €20,000.00 for the violation of articles 5, 9 and 32 of the Regulation, as well as art. 2-septies, paragraph 8 of the Code, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also considered that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation no. 1/2019, should be applied, in view of the particular category of personal data processed and the number of data subjects involved.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE ABOVE CONSIDERED, THE GUARANTOR

notes the violation of articles 5, 9 and 32 of the Regulation as well as art. 2-septies, paragraph 8 of the Code, and declares the unlawfulness of the processing of personal data carried out by Dr. Bagnato within the terms set out in the reasoning;

ORDERS

Dr. XX Bagnato, born in XX (XX) on XX, tax code XX, resident in XX (XX), XX, pursuant to art. 58, par. 2, letter i) and art. 83 of the Regulation, as well as art. 166 of the Code, to pay the sum of 20,000.00 (twenty thousand) euros as a pecuniary administrative sanction for the violation referred to in this provision, according to the methods indicated in the annex, within 30 days of notification of this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ENJOINS

the aforementioned Dr. Bagnato, in case of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 20,000.00 (twenty thousand) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of law no. 689/1981;

DIRECTS

- the publication of this provision on the Guarantor's website, pursuant to art. 166, paragraph 7, of the Code;

- the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, relating to violations and measures adopted in compliance with art. 58, par. 2 of the Regulation itself.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 11 January 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Scorza

THE GENERAL SECRETARY
Mattei