Garante per la protezione dei dati personali (Italy) - 9993548

From GDPRhub
Revision as of 09:42, 27 March 2024 by Mg
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Article 6(1)(a) GDPR
Article 13 GDPR
Article 14 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 03.06.2018
Decided: 11.01.2024
Published:
Fine: 5,000 EUR
Parties: Euro Servizi per i Notai S.r.l.
CONSIGLIO NAZIONALE DEL NOTARIATO
National Case Number/Name: 9993548
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: im

The DPA imposed a fine of €5,000 on a computing infrastructure provider for depending on third-party identification of platform users and exceeding its designated role as a processor.

English Summary

Facts

The National Council of Notaries ("the Council") asked the DPA to investigate the proper classification of the relationships between banks and notaries when, in the process of loan stipulation, certain lending banks use the services of a third-party company named "Euro Servizi per i Notai S.r.l." ("ESpN") to manage document exchange with notaries through a platform known as PIGNA.

PIGNA is a service provided exclusively to banks by ESpN, which is a computing service provider. It enabled banks and notaries, who handle tasks related to loan contracts and associated guarantees, to share required documents. This sharing occurred both before and after the contract was signed, except for a copy of the contract in enforceable form. Essentially, PIGNA facilitated the efficient exchange of necessary paperwork between the parties involved in the loan process.

Several concerns arose from the situation described. Firstly, the Council recommended an investigation into the roles and responsibilities of the parties processing personal data within the PIGNA platform, namely notaries, banks, and ESpN. The concern revolved around the processing of personal data of borrowers, related third parties (like property sellers), and data concerning the notaries themselves.

Secondly, the relationship between PIGNA and individual notaries was unclear since notaries accessed the platform with authentication credentials provided by ESpN.

Thirdly, there were issues with the level of information provided to notaries and the sequence of notifications sent by PIGNA. It was highlighted that notaries receive a range of notifications via both the portal and email. In some instances, these notifications arrive unexpectedly, directly from the lending bank selected by the borrower. For instance, they may receive notice granting them authority to issue a mortgage loan, which is not necessarily communicated by the borrower's chosen lending bank.

Specifically, certain communications originating from platform accounts aim to offer notaries an overview of all individual positions opened as a periodic report. These communications are accompanied by a table or Excel sheet detailing various deeds under scrutiny or completed, all linked to the same notary, concerning different banks. They include an internal reference code within the portal and identify the relevant party (the borrower).

Upon this request, the DPA conducted an investigation.

Holding

The DPA’s investigation into the roles assigned for data management revealed the following.

To begin with, the banks operate as data controllers within the framework of outsourcing contracts which are accompanied by special data protection agreements.

Next, the banks designate ESpN as the processor under Article 28 GDPR. All processing activities carried out by ESpN regarding the portal are predetermined by banks and made available to notaries for mortgage procedures.

Additionally, the notaries use the PIGNA portal in the interest and on behalf of the respective bank. After receiving an assignment from the bank, ESpN creates an account for the notary and provides the notary with initial authentication credentials. ESpN sends the credentials to the notary’s official e-mail address found on the professional register of Notaries.

In this phase, ESpN acts as a data controller for the creation and maintenance of the notary’s account, as well as for linking it to the specific areas designated for use by each individual bank. For this reason, ESpN provides the notaries with the privacy policy, which is published on the PIGNA portal and which identifies legitimate interest under Article 6(1)(f) GDPR as the legal basis.

The DPA observed that ESpN, although not directly carrying out the identification of the notary, availed itself of the identification carried out by a third party, i.e. the National Council of Notaries. This is because registration on PIGNA is carried out by using the e-mail address assigned to the notary by the Council and published in the relevant register, which ESpN collects from the bank or directly from the Council. This reliance on third-party identification raised concerns because if ESpN lacks sufficient elements to guarantee the registrants' identity, it should conduct its own checks to ensure that only authorized individuals gain access to PIGNA. Therefore, by not independently verifying the identity of registrants, ESpN risks breaching the principle of integrity outlined in Article 5(1)(f) GDPR and Article 32 GDPR.

Moreover, the DPA found that relying on Article 6(1)(f) GDPR as legal basis for processing notaries' data does not hold for the registration phase and generation of authentication credentials. The processing of personal data in this context should fall under Article 6(1)(b) GDPR, namely a contractual relationship between ESpN and notaries. If the legal basis was legitimate interest, notaries would have a right to object. However, the right to object does not apply, as it would hinder the verification process of notaries' identities, necessary for accessing the portal. A contract between ESpN and notaries does not exist. Consequently, ESpN's handling of personal data related to notary registration and authentication credentials breached the principles of lawfulness and fairness.

Additionally, PIGNA sent a periodic report to notaries with a summary of the open positions with respect to all the banks. The DPA discovered that such processing was carried out by ESpN in complete autonomy and outside the instructions received as per Article 28 GDPR from the banks, which have never explicitly requested ESpN to send such reports. Further, ESpN's privacy policy makes no mention of such periodic reporting.

It should be noted that pursuant to Article 28(10) GDPR, where a processor determines the purposes and means of the processing, it must be 'regarded as a controller of the processing in question'. Since ESpN lacked consent and failed to inform data subjects of such processing, the DPA found a breach of the principles set out in Article 5(1)(a) GDPR, Article 6(1)(a) GDPR, Article 13 GDPR and Article 14 GDPR.

For the reasons stated above, the DPA fined ESpN €5,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9993548]
Provision of 11 January 2024
Register of measures
n. 58 of 11 January 2024
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, “Regulation”);
HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);
GIVEN the note with which the National Council of Notaries (hereinafter, "Council") requested clarification regarding the application of Regulation (EU) 2016/679 in relations between notaries and the "Pigna" portal managed by the company "Euro Servizi per i Notai S.r.l.";
GIVEN the preliminary investigation proceedings initiated by the Guarantor pursuant to art. 6, paragraph 1, of Internal Regulation no. 1/2019 on internal procedures with external relevance;
EXAMINED the documentation in the documents;
GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;
SPEAKER Prof. Ginevra Cerrina Feroni;
PREMISE
1. Request from the National Council of Notaries.
With a note dated 3/7/2018, the National Council of Notaries asked this Authority for some clarifications regarding the correct framework of the relationships between credit institutions and notaries when, in the stipulation of mortgage contracts, some lending banks make use of the services of a third-party company, “Euro Servizi per i Notai S.r.l.” (hereinafter “ESpN” or “the Company”) for the management of document exchange with notaries, via the IT Platform for the Management of Notarial Documents, called PIGNA (hereinafter “Pigna” or “portal”).
In particular, some doubts were raised regarding the role played by this Company in the relationship with the notaries in charge of the stipulation, considering that the operating methods of the aforementioned platform imply the processing of personal data, not only of the borrowers, but also of closely related third parties (e.g. seller of the property) as well as data regarding the notaries themselves.
The requests for clarification concerned, in particular, two aspects:
    the role to be assigned - in relation to the management of personal data - to the various subjects who, in different capacities, operate within the Pigna platform (notaries, banks and ESpN);
    the relationship between the portal and the individual notary. In particular, the Council represented that the appointed notaries (chosen from time to time by the borrowers or, in some cases, by the banks that use the platform) access the platform via specific authentication credentials provided directly by the manager, who, in this regard , would appear to provide notaries with "very concise information"; furthermore, it was highlighted that notaries receive various communications from the portal and via e-mail, "in some cases without even the intervention of the portal having been anticipated by communications directly coming from the lending bank chosen by the borrower" (such as for example the communication with which they are given the task and the consequent invitation to use the portal for the exchange of pre- and post-signing documents with the bank). In particular, some communications coming "from platform accounts" are aimed at providing notaries with "a summary view of all the individual open positions" and are accompanied "by a table or Excel sheet in which the various documents are reported under investigation or authorized, all referring to the same notary, in relation to different banks, with a reference code internal to the portal, the indication of the name of the interested party (the borrower), of the bank involved, the type of fulfillment considered missing and the time deemed appropriate from the moment in which the portal specifications required the relevant document or element to be made available". In the opinion of the Council, what has been reported above constitutes "a hypothesis of authentic profiling pursuant to art. 22 of the Regulations" by ESPN - manager of the portal - which, in this way, would process personal data relating to notaries, with particular regard not only to identification data but also to "those that appear to refer to professional performance and in general to the activity" of the notaries themselves.
2. The preliminary investigation activity: requests for information.
In order to acquire elements of evaluation, the Office has started an investigation, making requests for information to some of the most important banking institutions that join the platform and to ESpN itself, in the context of which it was asked to clarify the methods of the functioning of the aforementioned platform, the type of relationship between the banks and ESpN, as well as the obligations put in place for the purposes of compliance with the principles and provisions in force regarding the protection of personal data.
From the elements acquired from the credit institutions and the documentation produced by them, it emerged that:
the PIGNA portal is a service activated and made available to credit institutions by ESpN, through which banks and notaries (in charge of the various procedures for stipulating mortgage contracts and related guarantees) share the necessary documents, both in previous phase, as well as in the phase following the signing of the contract itself (with the sole exception of the copy of the contract in executory form);
to this end, the credit institutions that use the service sign a procurement contract for the supply of services, directly with ESpN, or with Centro Istruttorie S.p.a. (hereinafter, CISPA);
within these outsourcing contracts, which are also accompanied by specific data protection agreements, the banks operate as data controllers; for the designation of ESpN, as responsible pursuant to art. 28, not all the credit institutions interviewed adopt the same solution. In particular, some banks directly designate ESpN as data controller, while others designate CISPA as responsible which, in turn, as provided for in the contract for the provision of services with the owner, can subcontract certain activities to another entity, including ESpN, which therefore expressly assumes the role of sub-manager;
the use of the portal by the notary, which is not mandatory, requires the bank to communicate the contact details of the notary in charge of the stipulation to ESpN, who will make the authentication credentials available to him, after verifying the identity and communicating the conditions of use of the portal. Through the portal, the bank makes its documents available to the notary and the notary transmits the preliminary notarial report and the other stipulation and post-signature documents to the bank. If the notary does not send the complete documentation within the deadlines, the bank - via the portal - will send him a reminder communication. Once the procedure is concluded, ESPN and the bank proceed with the so-called “closing the position”.
Based on the elements received from ESPN it emerged that:
“the portal services are offered exclusively to the banks and/or on behalf of the banks”, which propose the notary to use the portal, determining the purposes of the processing; “all the treatments carried out by ESPN in relation to the portal [are] already predetermined by the banks and made available by them to the notaries for carrying out the mortgage procedures;
"the treatments carried out by the notaries as part of the individual practices for each bank are carried out in the interest and ownership of the bank itself, as it is a service carried out and provided by the bank (through ESpN)": when the notary accesses the own reserved area, within the portal, will be able to use the services of the portal itself "within the sole limits of the documentation made available by and for the individual banks" and it is not possible for the notary "to request customizations or different functions from ESpN of the Portal”;
ESpN, after having received from the bank (or through CISPA) the task of enabling the notary to use the portal, creates an account for the notary himself. In this phase, where the notary does not already have access credentials, "ESPN, on behalf of the bank", after searching the e-mail address of the notary in question on the professional register of the Notary, sends to the same, to the mailbox official email, credentials for first access;
in this phase, characterized by the activity of managing the authentication credentials for the creation of the account assigned to the notary "(username and password, where the username is the official public e-mail address assigned by the notary)", ESpN acts as data controller "for the sole creation and maintenance of the account and the connection of the same to the spaces for the exclusive use of the individual banks. […] This involves ownership only of the notary's credentials and access logs, without any extension to the documents and therefore to the data exchanged between the notary and the individual banks". In this capacity, ESpN provides notaries with the information pursuant to art. 13 of the Regulation, through publication on the portal. The data collected by ESpN, as owner (relating to credentials and access logs), are kept "until the last day of the year following the last date between: date of creation of the user; date of last access to the portal by the notary; date of the last update of the notary's credentials";
the "reports" that the portal periodically sends to notaries with the aim of providing them with a summary of open positions with respect to all banks, have a reminder function, for the exclusive use of notaries and cannot be viewed in any way by the banks ( who instead have access to the practices for which each notary is responsible) and the data contained therein are definitively deleted as soon as the notary completes the uploading of the missing documents. This processing would be carried out by the portal, as manager/sub-manager, on behalf of each bank and would have as its object the personal data relating to the financing practices whose ownership belongs, for each practice, to the individual bank that granted the assignment to the notary; it follows that the relevant information must be released to the interested parties (the borrowers) by the bank.
3. The preliminary investigation activity: the start of the procedure.
The Office, based on the declarations made by the parties and the elements acquired during the investigation, with a note dated 16 June 2022, notified ESPN of the initiation of the procedure for the adoption of the measures referred to in the articles. 58, par. 2, and 83 of the Regulation, in compliance with the provisions of the art. 166, paragraph 5, of the Code, in relation to the violation of the provisions of articles 5, par. 1, letter. a), and 6, par. 1, letter. a) and b), 13 and 14, par. 3, letter. b), of the Regulation.
In particular, it was found that:
a) in the information that ESPN provides to notaries when they register on the portal (information which is published on the portal itself), the legal basis of the processing has been identified in the art. 6, par. 1, letter. f), of the Regulation (legitimate interest). On this point, the need to distinguish the processing that ESpN implements for the registration of each notary (and the creation of the related account) and the related IT authentication procedure, compared to the subsequent processing concerning the generation and conservation of the access logs to the portal, was highlighted. In fact, while with respect to the latter processing the legitimate interest of the owner (art. 6, par. 1, letter f), of the Regulation) can constitute an appropriate legal basis as it is functional to guarantee the security of networks and information systems of the Company (see recital 49 of the Regulation, and Opinion of 9 April 2014, WP 217 of the Art. 29 Working Group), the same cannot be considered for the processing of personal data connected to the registration phase on the portal and the generation of the notary's authentication credentials; such processing is in fact necessary for the purposes of providing a service, by ESpN, to the notary with the consequence that the resulting processing of personal data is lawful in relation to the art. 6, par. 1, letter. b), of the Regulation;
b) with reference to the report that ESPN makes available to notaries in order to provide each of them with a summary of the open positions with respect to all the banks and which have a "mere reminder function for the exclusive use of the notary", it emerged that this is a processing activity carried out by ESPN in total autonomy - decision-making and management - compared to the banks (which have not expressly requested this processing); therefore, in relation to the processing in question, the Company - rather than acting as manager/sub-manager of each bank - operates as an independent data controller. It follows that the processing carried out in the terms indicated above is carried out without a suitable legal basis and without it having been adequately highlighted to the interested parties within the information;
c) the information that ESPN, as data controller, provides to notaries for the purposes of creating and managing authentication credentials and portal access logs is provided after the start of processing and is therefore late; in fact, the same is made available to interested parties on the portal, in that reserved part which each notary can access, only after ESPN has sent the e-mail containing the instructions and credentials for the first access; this in violation of the art. 14, par. 3, letter. b) and recital 61 of the Regulation.
With communication dated 7/15/2022, ESPN sent its defense writings with which, in formulating a request for a hearing, it requested the dismissal of the proceedings or alternatively the issuing of a warning provision (with relative confidentiality of the confidential information contained in the memorandum, as the same have "the nature of a corporate and/or commercial secret disseminated exclusively within ESPN and the companies belonging to the MutuiOnline Group") on the basis of the considerations set out below. In particular:
in relation to the first observation formulated by the Authority, in contesting the identification of the Company as a digital identity manager, it specified that "in the functioning of the portal the element of computer identification of the notary is completely absent"; in fact, the Company, "like any other digital platform, limits itself to the creation and management of authentication credentials (use of the notary's email and generation of temporary password) to allow access and registration to the portal, with the consequent authentication of individual credentials". On the other hand, ESPN believes that it does not share the position of the Authority which identifies the legal basis of the processing in the contractual relationship between the parties; this is because "in the context of the functioning of the portal, not only is an IT identification service absent but also the conditions for the possible provision of the service are absent, as ESPN does not collect the personal data and documents of the notary for its identification. The objective element for the contractual qualification of the relationship between ESPN and the notary is completely missing." At the same time, ESPN reiterates that the legal basis of the processing in question must be identified in the legitimate interest as the same "is functional to guaranteeing the security of networks and information systems" - ensuring "the protection of individual access to the portal and making the navigation through a security measure" - and "this legal basis [...] also appears to be a condition of lawfulness more compatible with the relationships between ESPN and the notaries (who are hired directly on behalf of the Bank and, in some cases, without a prior dialogue with the notaries themselves), thus balancing the legal interests of the notaries in the broader design of the balancing carried out. This is also due to the fact that [...] the interested party can propose a possible opposition pursuant to the art. 21 of the GDPR at any time and if you believe there is a particular reason connected to your situation";
regarding the absence of a legal basis and transparency for the processing relating to reporting, the Company stated that the "service provided by ESPN to the banks determines a contractual obligation with an obligation of result borne by ESPN [... ]. Consequently, all activities carried out, primarily and/or ancillary, by ESPN are carried out to guarantee the obligation of result and therefore the provision of the main service [...]. The report, in fact, represents a means or a way to guarantee the achievement of the main obligation that binds ESPN to the Investigation Center and the Banks. For this reason, this activity must not be separated from the unicum of the contractual relationship but, on the contrary, must be considered as one of the tools with which ESPN provides its service. The resulting treatments fall within the scope of the treatments covered by the letter of appointment as data processor or sub-processor that ESPN signs with the banks or Investigation Center respectively;
with regard to the last aspect of illegality, the Company has communicated that it has taken action in the direction indicated by the Authority, providing that the information is provided to the notaries at the time of the first communication "or as an attachment to the e-mail of instructions for the access to the portal, which represents the first moment of contact with the notaries".
At the hearing, held on 10/27/2022, the Company, in reiterating what was already represented in the above-mentioned memorandum, pointed out that "the context in which the Company operates is characterized by extensive complexity, including of a regulatory nature - regulatory, which also requires continuous monitoring and improvement of the safety of the processing carried out within the Pigna platform", also specifying that:
"the identification of the legitimate interest as the legal basis of the processing was carried out by the Company also due to the purpose of IT security (authentication credentials being a security measure) and due to the fact that this choice is aimed at greater protection of the 'interested party who can, if necessary, exercise the right to object […]”;
"in relation to the sending of reports to notaries on the progress of the procedures entrusted to them, even if the banking institutions have never explicitly requested the Company to send such reports, the activity constitutes a tool through which the Company believes it can be able to fulfill the contractual obligation with the institutions themselves".
4. The Authority's assessments and the outcome of the investigation.
Following the examination of the declarations made by the Company during the proceedings (for the truthfulness of which the author is responsible pursuant to and for the purposes of art. 168 of the Code "Falseness in declarations to the Guarantor and interruption of the execution of the duties or exercise of the powers of the Guarantor") as well as the documentation acquired in the documents, the following is represented.
4.1. With reference to the legal basis of the processing of personal data connected to the registration on the PIGNA portal by the notary and the generation and management of the IT authentication credentials used to verify the identity upon subsequent access to the portal, the Authority observes, firstly, that the Company, although not directly identifying the notary (by requesting the exhibition and verification of his identity document), makes use of the identification carried out by a third party, namely the National Council of Notary; this is because registration on the portal occurs through the use of the email address, attributed to the notary by the Council and published in the relevant register, which is collected by ESpN from the bank or directly from the Council.
Otherwise, if ESpN does not have sufficient elements to guarantee the identity of the person registering, it should carry out its own checks on the identity of the latter to avoid assigning authentication credentials to subjects not authorized to access the PIGNA portal, with the consequent violation of the principle of integrity and confidentiality and of the processing security obligations (art. 5, par. 1, letter f), and 32 of the Regulation).
Secondly, it is stated that the processing of personal data in question is necessary to allow the notary to benefit from an IT authentication service functional for access - via specific authentication credentials - to the Pigna portal for the exchange of documents with the banks; it follows that a contractual relationship is established between ESPN and the notary and the related processing of personal data therefore finds its condition of lawfulness in the art. 6, par. 1, letter. b) of the Regulation.
Furthermore, it is noted that the right of opposition - referred to by the Company in its defense writings (and again during the hearing) in support of the choice to identify the legal basis for the processing of notaries' authentication credentials in the legitimate interest - does not appear concretely applicable to the processing in question, as the exercise of this right would make it impossible to verify the identity of the notary when accessing the portal and, therefore, to allow the same notary in charge to use it for the management of the documentation relating to the mortgage loan procedures entrusted to him by the banks.
In light of the above, the processing of personal data connected to the registration on the portal by the notary and the generation and management of computer authentication credentials are carried out by the Company in violation of the general principle set out in art. 5, par. 1, letter. a) ("lawfulness and correctness") and the lawfulness requirement provided for by the art. 6, par. 1, letter. b) of the Regulation.
4.2. With reference, however, to the processing carried out by the Company by sending reports to notaries, it emerged that the same are carried out by the Company itself in full autonomy and outside of the instructions received pursuant to art. 28 of the Regulation by the banks which, as owners, "have never explicitly requested the Company to send such reports".
In this regard, it is highlighted that the processing of personal data must be carried out in compliance with the general principles set out in the art. 5 of the Regulation; in particular, par. 1 of the aforementioned article of the Regulation establishes that personal data must be "processed in a lawful, correct and transparent manner towards the interested party («lawfulness, correctness and transparency»)" (art. 5, par. 1, letter a), of the Regulation).
The art. 6, par. 1 of the Regulation also provides that the processing of personal data is lawful only if and to the extent that at least one of the conditions of lawfulness indicated therein occurs, including, in particular, the consent expressed by the interested party to the processing of their data for one or more specific purposes (art. 6, par. 1, letter a), and cons. 40, 42, 43 and 44).
With particular reference to the principle of transparency referred to in the aforementioned art. 5, par. 1, letter. a), of the Regulation, this translates into the obligation on the part of the owner to provide the interested party with all the information relating to the processing of personal data concerning him, in an easily understandable way, making him aware, at the moment in which the data personal data are obtained, including the purposes and methods of the processing and the legal basis thereof, as well as all further information necessary to ensure that the processing is correct and transparent in compliance with the provisions of the articles. 13 and 14 of the Regulation.
The art. 28, par. 3 of the Regulation, in providing that the processing by the person responsible must be governed by a contract which specifically identifies "the duration, nature and purposes of the processing, the type of data and the categories of interested parties, the obligations and rights of the owner", expressly provides that personal data are processed "on the basis of documented instructions from the owner" (art. 28, par. 3, letter a), of the Regulation). The same “Guidelines 07/2020 on the concepts of data controller and data processor” adopted by the EDPB on 7 July 2021 provide that “data controllers give instructions relating to each processing activity to data controllers. […] The person responsible limits himself to what is established by the data controller” (par. 1.3.1). It must therefore be excluded that the person in charge can be granted such a wide margin of autonomy as to allow him to process the data collected for a different and additional purpose than that contractually envisaged (i.e. the reminder activity relating to a single case). However, it is understood that the manager himself, in carrying out his duties, can act with "autonomy of means and organization", provided that he respects the instructions received (see in this regard the aforementioned Guidelines where it is established that "the instructions of the data controller may leave a certain margin of discretion [...]; this allows the data controller to choose the most suitable technical and organizational means", paragraph 4).
Furthermore, it is noted that based on the provisions of par. 10 of the same art. 28 of the Regulation, where a person responsible determines the purposes and means of the processing, the same must be "considered a data controller in question".
In light of the above, the processing relating to the production and sending of reports is carried out by the Company in the absence of the consent of the interested parties and of suitable information in this regard, with consequent violation of the principles set out in the articles. 5, par. 1, letter. a), 6, par. 1, letter. a), 13 and 14 of the Regulation.
4.3. With reference to the detected untimeliness of the information provided to interested parties upon accessing the portal, the Authority takes note of what was declared by the Company regarding the regularization of the moment of delivery of the information itself at the time of the first communication " or attached to the email with instructions for accessing the portal, which represents the first moment of contact with the notaries".
5. Conclusions: unlawfulness of the processing carried out. Corrective measures pursuant to art. 58, par. 2, of the Regulation.
In light of the previous assessments, it is noted that the declarations made by the data controller in the defense writings (for the truthfulness of which one may be called upon to answer pursuant to art. 168 of the Code) do not allow us to overcome all the findings notified by the Office with the initiation of the proceedings and are insufficient to allow the proceedings to be archived, as, moreover, none of the cases provided for by art. 11 of the Guarantor's regulation no. 1/2019, concerning the internal procedures of the Authority with external relevance, applies.
The processing carried out by ESpN is unlawful in the terms set out above, in relation to articles 5, par. 1, letter a), 6, par. 1, letters a) and b), 13 and 14 of the Regulation.
Violation of the provisions mentioned above entails the application of the administrative sanction provided for by art. 83, par. 5, letters a) and b), of the Regulation.
Furthermore, taking into account the above considerations, it is deemed necessary, where ESpN intends to continue the processing of data relating to notaries for the purpose of sending them the aforementioned reports, to order it, pursuant to art. 58, par. 2, letter d) of the Regulation, to carry out the processing in question as controller, with consequent compliance with all the obligations that the legislation on the protection of personal data places on controllers.
6. Injunction order.
Violation of the provisions mentioned above entails the application of the administrative sanction provided for by art. 83, par. 5, letters a) and b), of the Regulation.
With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must be "effective, proportionate and dissuasive in each individual case" (art. 83, par. 1, of the Regulation), it is noted that, in the specific case, the circumstances reported below were taken into consideration:
a) the nature of the violations was considered relevant, as they concerned the general principles of lawfulness in the processing of personal data;
b) the Company, during the procedure, collaborated with the Authority, providing adequate clarifications regarding the choices made;
c) the Company took steps, during the investigation, to regularize the profile relating to the information to be provided to data subjects pursuant to art. 14, par. 3, letter b), of the Regulation;
d) there are no previous violations or measures taken by the Authority pursuant to art. 58 of the Regulation against the Company.
In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (art. 83, par. 1, of the Regulation) which the Authority must comply with in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined on the basis of the revenues reported in the financial statements for the year 2022.
On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 5,000 (five thousand.00) euros for the violation of articles 5, par. 1, letter a), 6, par. 1, letter a), 13 and 14 of the Regulation.
Finally, we inform you that as per the legislative and regulatory provisions of the Office (art. 154-bis, paragraph 3, of the Code; art. 37 of the Guarantor's Regulation no. 1/2019), a copy of this provision will be published on the Guarantor's website.
In this context, also in consideration of the type of violation ascertained, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, the accessory sanction of the publication of the order-injunction must be provided (see art. 38 of internal regulation no. 1 of 2019).
Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.
IN LIGHT OF THE FOREGOING, THE GUARANTOR
a) declares, pursuant to articles 57, par. 1, and 83 of the Regulation, the unlawfulness of the processing carried out, within the terms set out in the reasoning, for the violation of articles 5, par. 1, letter a), 6, par. 1, letters a) and b), 13 and 14 of the Regulation;
b) pursuant to art. 58, par. 2, letter d), of the Regulation enjoins the aforementioned Company to bring, within six months from the date of notification of this provision, the processing of personal data connected to the sending of reports into conformity with the principles indicated in par. 4.2.
ORDERS
Euro Servizi per i Notai S.r.l., with registered office in Milan, via F. Casati, n. 1/A, VAT no. 06417850960, pursuant to art. 58, par. 2, letter i), of the Regulation, to pay the sum of 5,000 (five thousand.00) euros as a pecuniary administrative sanction for the violations indicated in this provision;
ORDERS
the same Euro Servizi per i Notai S.r.l. to pay the sum of 5,000 (five thousand.00) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with art. 27 of law no. 689/1981.
It is noted that, pursuant to art. 166, paragraph 8, of the Code, the violator retains the right to settle the dispute through the payment, always according to the methods indicated in the annex, of an amount equal to half of the sanction imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.
PROVIDES FOR
pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, the publication of this provision on the Guarantor's website and believes that the conditions set out in art. 17 of regulation no. 1/2019 are met.
Pursuant to art. 78 of the Regulation and articles 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.
Rome, 11 January 2024
THE PRESIDENT
Stanzione
THE RAPPORTEUR
Cerrina Feroni
THE GENERAL SECRETARY
Mattei