Garante per la protezione dei dati personali - 9269629

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 9 GDPR
Article 83(5)(a) GDPR
Type: Investigation
Outcome: Violation found
Decided: 23. 01. 2020
Published: n/a
Fine: 30 000 EUR
Parties: Integrated University Hospital of Verona
National Case Number/Name: 9269629
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)

The Italian DPA imposed a fine of EUR 30.000,00 (and corrective measures) on the Italian hospital, Integrated University Hospital of Verona, which had previously notified the DPA of data breaches in violation of Article 5(1)(f) GDPR. The data controller did not process personal data in a manner that ensured appropriate security of personal data, namely protection against unauthorised or unlawful processing, and the data controller did not use appropriate technical and organizational measures to ensure confidentiality of patients' health data.

English Summary

Facts

The Italian DPA examined a personal data breach notified by the controller, the Integrated University Hospital of Verona, which had become aware of it in the course of its periodic internal privacy checks. The notification covered three data breaches. The unauthorised processing concerned the health data of employees of the same hospital. In one case, access had been made with the credentials of a doctor who had left his workstation unattended; in the other two cases a trainee and a radiology technician had accessed the health records of their colleagues. In all three incidents it was established, by the hospital's own admission, that the processing had been carried out not to provide medical services but for exclusively personal reasons, described by the controller as "mere curiosity".

Dispute

After the controller admitted that unauthorised access to patients' health data had been carried out by its own personnel, motivated by "mere curiosity", and that it had no technical measures in place to prevent its personnel from accessing patients' health data, no substantial defence was brought forward by the controller.

Holding

The Italian DPA concluded that the data breach could have been avoided if:

a) the controller had simply observed the Garante's 2015 guidelines on the processing of patients' health data, which provide that access rights to patients' health data must be limited to the health personnel who take part in the patient's treatment process; and

b) the controller had paid more attention to the design of authorisation profiles and to the training of authorised personnel (privacy by design and by default).

Consequently, based on Article 83(5)(a) GDPR, the hospital was ordered to pay a fine of EUR 30.000,00 for violation of Article 5(1)(f) GDPR. Corrective measures under Article 58(2)(d) GDPR were also adopted, obliging the controller to complete the implementation of the technical and organisational measures relating to access authorisation and access profiles for patients' health data.

English Machine Translation of the Decision

The decision below is a machine translation of the ***Italian*** original. Please refer to the ***Italian*** original for more details.

THE DATA PROTECTION SUPERVISOR

At today's meeting, in the presence of Dr. Antonello Soro, President, Dr. Augusta Iannini, Vice President, Dr. Giovanna Bianchi Clerici and Prof. Licia Califano, members and Dr. Giuseppe Busia, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, 'General Data Protection Regulation' (hereinafter 'the Regulation');

HAVING REGARD TO Legislative Decree No 196 of 30 June 2003, 'Personal Data Protection Code', laying down provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter 'the Code');

HAVING REGARD TO Regulation No 1/2019 on internal procedures having external relevance for the performance of tasks and the exercise of powers conferred on the Guarantor for the protection of personal data, approved by resolution No 98 of 4/4/2019, published in OJ No 106 of 8/5/2019 and in www.gpdp.it, web doc. No 9107633 (hereinafter 'Regulation of the Guarantor No 1/2019');

Having regard to the documentation on file;

Having regard to the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Guarantor No 1/2000 on the organisation and functioning of the office of the Guarantor for the protection of personal data, in www.gpdp.it, web doc. no. 1098801;

Rapporteur: Dr. Licia Califano;

PREMISE

1. The violation of personal data.

In May 2019, the Azienda Ospedaliero Universitaria Integrata di Verona (hereinafter referred to as the "Azienda") sent the Authority three communications relating to violations of personal data pursuant to art. 33 of the Regulation, in relation to the findings of the controls periodically carried out by the Azienda on access to patient health records (communications of 6.5.2019- prot. no. 25344; of 9.5.2019- prot. no. 26161 and of 22.5.2019- prot. no. 28317).

In the communication of May 6, 2019, the Company stated that it had "found improper access to six patient files of patients who are at the same time company employees in the role of midwives" and that "there was no reason for a doctor of the (...) Operating Unit (Obstetrics and Gynaecology), including the credentials holder, to access the clinical data of patients not in charge, some of whom were at home on maternity leave at the time of the episode, and therefore it was an improper access". According to what was stated, the access was made "with the credentials of a doctor of the OOC of Obstetrics and Gynaecology" who, during the night shift on call, "left the PC in use unattended and accessible, allowing others to access the health data of the six midwives". The Company stated that the interested parties would be informed in a timely manner.

In its May 9, 2019 communication, the Company stated that it "found improper access to the health records of seven patients who are at the same time company employees". According to the statement, the access was made "by a medical radiology technician" in order to "see how the application worked" and, in other cases, through the use of the authentication credentials of the same person, who had left his or her workstation "unattended and accessible". The Company indicated, in the aforementioned notification, that, "having checked the times and workstations on the dates mentioned, (...) there was no need to access the health records of the reported patient employees".

In its communication of 22 May 2019, the Company stated that "a doctor in specialist training at the UOC of Neurology B of the Borgo Roma Hospital" had made "improper access to the health records of some patients who are at the same time company employees". According to the documents on file, in three separate cases the access concerned the health records of neurology colleagues who were not being treated in the specialist's department and who, according to the Director of the UOC of Neurology, were not to be seen by that person. In view of the circumstances, the Company stated that "it is possible that the access was dictated by mere curiosity" and that the persons concerned would be informed promptly.

In the aforementioned notifications, the Company stated that it had brought to the attention of all personnel, through the "Technical regulations on the use of company IT resources" and the instructions contained in the deeds of designation to persons in charge/authorized treatment (including trainees), specific indications regarding the conditions of lawfulness of access to the company's health record (also with specific reference to colleagues' health records) and the measures relating to the setting of a timeout interval for the session of the application used for the record, which will be further and more detailed to the personnel.

With specific reference to the facts covered by the communication of 9 May 2019, the Company declared its intention to implement "further and more sophisticated filters that will allow radiology technicians to consult only the data (images) necessary to perform their duties".

In the aforementioned breach notifications, the Company stated that it had initiated disciplinary proceedings against the employees responsible for the unauthorised access to health records (radiology and neurology) and that a formal reprimand was also being considered against the doctor of the UOC of Obstetrics and Gynaecology who, although on night call, had "violated precise company instructions".

The Company has also stated that, in the light of all the episodes covered by the aforesaid notifications, "a disclaimer will be activated on the application that manages the health record that, whenever a health care worker is about to access the health records of a patient who is not in charge of the relevant Operating Unit, reminds him that that access will be tracked and monitored, listing the essential rules that govern it".

2. The investigative activity.

In relation to the aforesaid communications of violations, the Office, by deed no. 25322/19 of 22 July 2019, with reference to the specific situations of illegality referred to therein, notified the Company, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulation, inviting the aforementioned owner to produce to the Guarantor defensive writings or documents or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code; as well as Article 18, paragraph 1, of Law no. 689 of 24/11/1981).

In particular, the Office, in the aforesaid act, ordered the meeting of the investigative proceedings relating to the communications made and considered that the violations of personal data notified to the Guarantor pursuant to Article 33 of the Regulation, have found the existence of elements suitable to configure the Company to the violations referred to in Articles 5 and 9 of the Regulation, representing that:

- with reference to the treatments subject to notification, the Guarantor has adopted the "Guidelines on Health Dossier - 4 June 2015" (Measure of 4.6.2015, published in Official Gazette 164 of 17 July 2015, available on www.gpdp.it web doc no. 4084632), which, like the other measures of the Authority, continue to apply even after the full application of the Regulation, as they are compatible with the same (art. 22, paragraph 4, Legislative Decree no. 101/2018);

- in the aforesaid Guidelines, the Guarantor, in order to avoid the risk of access to the information processed through the health dossier by unauthorized persons or the communication of health data to third parties by persons authorized to do so, has specifically asked the data controller to pay particular attention to the identification of authorization profiles and training of the authorized persons, since access to the dossier must be limited only to health personnel who intervene in the process of patient care and technical methods of authentication to the dossier must be adopted that reflect the case histories of access to this tool specific to each health facility. To this end, in the aforesaid Guidelines, the Guarantor has indicated to the treatment owners to carry out a monitoring of the hypotheses in which the relative health personnel may need to consult the health dossier, for the purpose of caring for the person concerned and, on the basis of such recognition, to identify the different access authorisation profiles;

- on the basis of the elements acquired and the documentation in deeds, it is ascertained that health personnel of the Company have accessed the health dossier of patients who are, at the same time, employees of the Company and colleagues of the authors of the access in the absence of a suitable legal prerequisite, and - in some cases - have left the terminal in use unattended with all their active entitlements, making it possible for third parties to access the health dossiers of the Company's patients.

By note dated 21 August 2019 (prot. no. 45332), the Company submitted its defensive briefs, in which, in summary, it was represented that "access to the health records of patients, who are at the same time employees of this Company, in the absence of appropriate legal prerequisites" is to be attributed, in all three cases, an "unfaithful" conduct of company personnel who acted in contempt of precise instructions given by the data controller and the rules established to govern access to the computerised archive of patients' health data, so much so that in two cases a complaint was also filed with the competent Judicial Authority against the alleged perpetrators of the offence referred to in the article. 615-ter, Criminal Code".

In particular, in its defensive writings, the Company stated that:

a) considering the level of risk for the rights and freedoms of the persons concerned, it has notified the aforesaid accesses to the Authority and has taken steps to inform the persons concerned;

b) the interested parties have not suffered damage of a measurable amount "being reasonably able to attribute to "mere curiosity" the motivation that prompted the authors of the accesses to make them", as evidenced by the fact that the undue accesses "were discovered as a result of controls carried out by the Company on the use of the application that manages the patients' health record, and not on the basis of reports from the persons concerned", as well as the fact that, in response to the communication to the persons concerned of undue access to the health dossier, "only four employees out of the nineteen reports (considering all three disputed cases) asked to know which health documents had been unlawfully accessed"; in this regard, the Company specified that "in three cases (out of the nineteen cases mentioned above) access to the patient file in question was not followed by any activity of viewing clinical documents";

(c) "with regard to the intentional or negligent nature of the infringement (Article 83(2)(b) of the GDPR), while the malice of the material authors cannot be questioned (including the case notified in the note of 6 May 2019, where it has been established with reasonable certainty that the illicit access was maliciously committed by unknown persons by exploiting the workstation culpably left unattended by the doctor on night duty), assessed from the point of view of the Data Controller any intentional breach of the confidentiality of the persons concerned must clearly be excluded, it being difficult to find fault or negligence directly attributable to the Company itself, also in light of what is specified below";

d) with regard to the measures adopted by the data controller to mitigate the damage suffered by the data subjects (Article 83, paragraph 2, letter c) of the Regulation), the Company "discovered the violation thanks to the systematic checks carried out, and promptly reported it" to the Guarantor and "has implemented corrective measures aimed at further reducing the possibility that it may be repeated in the future", preventing "the progression to a level that could have serious repercussions for the data subjects";

e) "since the issue, by this Authority, in June 2015, of the new Guidelines on the subject of health dossiers (...) the Company has promptly taken the measures, technical and organizational, deemed necessary to comply with the indications of the Guarantor" and "has taken further initiatives, including information", among which are worth mentioning:

- the insertion on the dossier management application of a warning page that now appears automatically whenever the clinical documentation of patients who are not in charge of the structure of the health care provider that is carrying out the access is consulted, where the user is informed that the access will be tracked and monitored, with an indication of the consequences of sanctions in case of illegal access or not justified by real work needs".

- the sending to all the Operating Unit Managers and to all the Coordinators of the health care professions, who in the Company have the role of privacy delegates" of the "note prot. n. 35475 of 26.06.2019, with which the circular of 2016 was retransmitted, which, in illustrating the contents of the above mentioned Guidelines on health dossier issued by this Authority on 4 June 2015, provided precise instructions on the requirements to be put in place in order to comply with them, also with regard to controls on the lawfulness of access to the dossier";

- the renewed definition of the "rules for the correct treatment of personal data contained in the health dossier, with particular reference to access to clinical documentation of patients not in charge for whom a specific reason is required to be chosen in a drop-down menu that reproduces those most frequently used, or to be typed in a free note field";

- the forthcoming activation of "new rules that will allow the refinement of the algorithm for determining the status of 'patient in charge', which until now has represented the discriminating criterion for direct access, with or without a stated reason, to the clinical history of patients by the operators involved in various ways in the process of patient care", in order to "temporally limit access to the integrated systems only to patients included in a work list (booking from CUP, access to the Emergency Room, hospitalisation, etc.). For the category of doctors alone, given the need to guarantee the 'right to health' in the event of a request for access outside the predefined time limit, access will in any case be granted subject to justification, subject to verification. In this way, by reducing accesses with a stated reason, for which the system has not recognised the patient as being in care, the effectiveness and efficiency of the controls will be improved, as they will only monitor potentially inappropriate accesses, limiting the number of so-called 'false positives'";

- with specific reference to the category of medical radiology technicians, one of whom was involved in the violation notified on 09.05.2019, "the changes currently being implemented will prevent the occurrence in the future of episodes similar to the one in question; until now, in fact, the technicians in question were allowed, in order to allow the correct performance of their work according to precise indications from the Healthcare Professions Management, to access the dossier of patients included in the radiology system without the time filter, soon to be activated as mentioned, of the patient's inclusion in a work list on the date of performance of the service, and therefore limiting themselves to entering the reason required at the time of the context call by the vertical application in use at the radiology services. Also in the pipeline is the creation for radiology technicians of an additional profile that will allow them to access not the entire patient's dossier, but only the documents included in it that are of close interest for their activity (X-ray reports and images): as already specified in the notification, this is a particularly onerous intervention and not immediately implemented, because it has a strong impact on the reference software".

3. Outcome of the investigation activity.

Having taken note of what the Company represented in the defence briefs, it is noted that:

1. as repeatedly stated in the deeds, the 16 (sixteen) accesses subject to investigation by the Guarantor's Office were not carried out by medical personnel in order to provide treatment services to the persons concerned, but for personal reasons described by the Company as "mere curiosity", in violation of Articles 5 and 9 of the Regulation;

2. the communications made by the Company made it possible to highlight that the measures adopted by the Company, with reference to the treatments carried out through the Company's health record, did not allow to avoid the possibility that the qualified health personnel could access the clinical records of patients not being treated by the same, resulting in the unlawful processing of personal data concerning the persons concerned, in violation of art. 5 of the Regulation;

3. in particular, the Company has adopted technical and organizational measures that were found to be not fully adequate in order to ensure adequate security of personal data, including protection from unauthorized processing as established by art. 5, paragraph 1, letter f) of the Regulation;

4. the Company, in violation of art. 5, par. 1, letter f), of the above mentioned Regulation, has implemented the measures aimed at limiting access to the patient's health record only to the health care personnel who are treating them at a given time only after having ascertained the episodes covered by the aforementioned communications (measures described in the previous letter e)), identifying logical and IT solutions that are based, in fact, on the indications already provided by the Guarantor in the aforementioned 2015 Guidelines (cf. par. 6 of the aforementioned Guidelines) and reiterated in the measures adopted by the Authority on the subject since 2013 and published on the Guarantor's website (see measures of 10.1.2013 - web document no. 2284708, of 3.7.2014 -web document no. 3325808, of 23.10.2014 -web document no. 3570631, of 18.12.2014 -web document no. 3725976, of 22.10.2015 -web document no. 4449114 and of 22.6.2016 -web document no. 5410033). The prior adoption of such measures, also in light of the principles of data protection from design (privacy by design) and by default (privacy by default) provided for in Article 25 of the Regulation, could have prevented (or limited) the aforesaid unauthorized access to the company's health records that are the subject of the aforesaid communications of violations made by the Company;

5. with specific reference to the access to the company's health records by medical radiology technicians (see violation notified on 09.05.2019), according to what stated in the deeds, no "time filter" had been identified, nor any limitation regarding the type of data or documents accessible by the same. In violation of art. 5 of the Regulation, the Company, only following the facts notified on 9 May 2019, has therefore decided to adopt measures (currently being implemented) aimed at limiting access to the health records of patients taken care of by the aforementioned technicians through the identification of a specific "profile" that will allow them to access only the documents necessary to carry out the activities assigned to them. In this regard, the Guarantor, in the aforesaid 2015 Guidelines, had already indicated the need for the data controller to monitor the hypotheses in which the relevant health personnel may need to consult the health dossier, for the purpose of caring for the person concerned and, on the basis of this reconnaissance, to identify the different access authorisation profiles. It is up to the data controller to assess, in fact, in relation to the different profiles of authentication to the dossier, whether it is essential that all data and documents present in the same or only a part of them are actually accessible (see point 6 of the aforementioned Guidelines).
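The access rules that run through this decision (the "patient in charge" test against a unit work list with a time filter, justified access for doctors only, a narrower document profile for radiology technicians, the session timeout for unattended terminals, and an audit trail that feeds periodic controls with only the potentially inappropriate accesses) can be written down as a small policy model. The block below is an added illustration, not the Company's software or anything produced by the Guarantor; the roles, document types, identifiers, timeout value and sample work list are constructed for the example.

```python
"""Policy model of the dossier access rules described in the decision.
Added example, not the hospital's software. Roles, document types,
identifiers, the timeout and the sample work list are constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from enum import Enum

class Role(Enum):
    DOCTOR = "doctor"
    TRAINEE = "trainee"                  # doctor in specialist training
    RAD_TECH = "radiology_technician"

class Doc(Enum):
    RADIOLOGY_REPORT = "radiology_report"
    RADIOLOGY_IMAGE = "radiology_image"
    DISCHARGE_LETTER = "discharge_letter"
    LAB_RESULT = "lab_result"

# Dossier sections each profile may open even for a patient in charge (assumed split).
PROFILE_DOCS = {
    Role.DOCTOR: set(Doc),
    Role.TRAINEE: set(Doc),
    Role.RAD_TECH: {Doc.RADIOLOGY_REPORT, Doc.RADIOLOGY_IMAGE},
}
SESSION_TIMEOUT = timedelta(minutes=10)  # assumed idle timeout of the dossier application

@dataclass(frozen=True)
class WorkListEntry:
    patient_id: str
    unit: str
    start: date
    end: date                            # inclusive

@dataclass
class User:
    user_id: str
    role: Role
    unit: str
    last_activity: datetime

@dataclass
class Decision:
    allowed: bool
    in_charge: bool
    reason: str
    needs_review: bool = False           # set for every attempt outside the in-charge rule

AUDIT_LOG = []                           # one record per attempt, allowed or denied

def in_charge(worklist, patient_id, unit, when):
    """A patient is 'in charge' when a work list of the user's unit lists them on the access date."""
    return any(e.patient_id == patient_id and e.unit == unit and e.start <= when <= e.end
               for e in worklist)

def authorize(user, patient_id, doc, worklist, now, justification=None):
    """Decide one access to a dossier section and record it in the audit trail."""
    if now - user.last_activity > SESSION_TIMEOUT:
        d = Decision(False, False, "idle session expired; re-authentication required")
    elif doc not in PROFILE_DOCS[user.role]:
        d = Decision(False, False, f"{user.role.value} profile may not open {doc.value}")
    elif in_charge(worklist, patient_id, user.unit, now.date()):
        d = Decision(True, True, "patient in charge of the user's unit on the access date")
    elif user.role is Role.DOCTOR and justification:
        # Doctors only: reason recorded, access granted but queued for verification.
        d = Decision(True, False, f"not in charge; doctor's justification: {justification}", True)
    else:
        d = Decision(False, False, "patient not in charge; no justified-access path for this role", True)
    AUDIT_LOG.append({"user": user.user_id, "role": user.role.value, "patient": patient_id,
                      "doc": doc.value, "at": now.isoformat(), "allowed": d.allowed,
                      "needs_review": d.needs_review, "reason": d.reason})
    return d

def accesses_for_review():
    """Only attempts outside the in-charge rule reach the periodic control (fewer false positives)."""
    return [r for r in AUDIT_LOG if r["needs_review"]]

# Constructed sample data: one obstetrics patient on the ward list, one radiology booking.
NOW = datetime(2019, 3, 5, 10, 0)
WORKLIST = [WorkListEntry("P-1", "obstetrics", date(2019, 3, 4), date(2019, 3, 6)),
            WorkListEntry("P-2", "radiology", date(2019, 3, 5), date(2019, 3, 5))]
DOCTOR = User("D-1", Role.DOCTOR, "obstetrics", NOW)
TECH = User("T-1", Role.RAD_TECH, "radiology", NOW)
TRAINEE = User("S-1", Role.TRAINEE, "neurology", NOW)
STALE = User("D-2", Role.DOCTOR, "obstetrics", NOW - timedelta(minutes=30))

def run_demo():
    """Replay the kinds of access the decision discusses; returns (decisions, review queue)."""
    AUDIT_LOG.clear()
    decisions = [
        authorize(DOCTOR, "P-1", Doc.DISCHARGE_LETTER, WORKLIST, NOW),          # allowed
        authorize(TECH, "P-2", Doc.RADIOLOGY_IMAGE, WORKLIST, NOW),             # allowed
        authorize(TECH, "P-2", Doc.LAB_RESULT, WORKLIST, NOW),                  # denied: outside profile
        authorize(TECH, "P-1", Doc.RADIOLOGY_IMAGE, WORKLIST, NOW),             # denied: colleague not on list
        authorize(TRAINEE, "P-1", Doc.LAB_RESULT, WORKLIST, NOW),               # denied: trainee, not in charge
        authorize(DOCTOR, "P-9", Doc.LAB_RESULT, WORKLIST, NOW, "ER consult"),  # allowed, queued for review
        authorize(STALE, "P-1", Doc.LAB_RESULT, WORKLIST, NOW),                 # denied: unattended session
    ]
    return decisions, accesses_for_review()

if __name__ == "__main__":
    for d in run_demo()[0]:
        print("ALLOW" if d.allowed else "DENY ", "|", d.reason)
```

The ordering of the checks is the design point: the session check and the profile check come before the in-charge test, so a technician can never reach a discharge letter or lab result regardless of whose patient it is, and the review queue contains only accesses the work list could not explain, which is what the Company's defence described as the way to limit false positives in its periodic controls.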

4. Conclusions.

In the light of the above evaluations, taking into account the statements made by the data controller during the course of the preliminary investigation - and considering that, unless the fact constitutes a more serious offence, whoever, in proceedings before the Guarantor, falsely declares or certifies facts or circumstances or produces false acts or documents is liable under the terms of art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor" - it is noted that the elements provided by the data controller in the defensive briefs do not allow the findings notified by the Office with the act initiating the proceedings to be overcome, nor does any of the cases provided for in Article 11 of the Regulation of the Guarantor No. 1/2019 apply.

For these reasons, it is noted that the processing of personal data carried out by the Azienda Ospedaliero Universitaria Integrata di Verona is unlawful, within the terms set out in the grounds, in particular, for having processed personal data in violation of Article 5, paragraph 1, letter f) of the Regulation.

5. Corrective measures.

In the light of the above assessments, it is deemed necessary to order the Azienda Ospedaliero Universitaria Integrata di Verona, pursuant to art. 58, par. 2, letter d), of the Regulation, to take the following corrective measures:

- within 90 days of notification of this measure, complete the implementation of the measures described in the notifications sent to the Guarantor and in the defensive writs aimed at improving the procedures for access to company health records by personnel authorised to do so.

6. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i and 83 of the Regulation; article 166, par. 7 of the Code).

The violation of art. 5, par. 1, letter f) of the Regulation, caused by the conduct of the Company, is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 5, letter a) of the Regulation.

The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations and art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, in that framework, "the Board [of the Guarantor] adopts the injunction, with which it also orders the application of the accessory administrative sanction of its publication, in whole or in excerpts, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of the Regulation of the Guarantor No 1/2019).

The aforementioned fine imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, set out in Article 83, paragraph 1, of the Regulation, in the light of the elements provided for in Article 85, paragraph 2, of the Regulation in relation to which it is noted that:

- the Authority has provided specific indications regarding the application of the discipline on the protection of personal data to the treatments carried out through the corporate health records already with the aforementioned Guidelines of 2015 (art. 83, par. 2, letter a) of the Regulation);

- the Company has decided to implement the measures aimed at limiting access to the patient's health record only to the health personnel who are treating him/her at a given time in order to identify, in relation to the various authentication profiles of the record, the data and documents whose access is indispensable only after having ascertained the episodes covered by the aforesaid communications, by means of logical-informatics solutions already indicated by the Guarantor in the aforementioned 2015 Guidelines (cf. paragraph 6 of the aforementioned Guidelines) and reiterated in the measures adopted by the Authority on the subject since 2013 and published on the website of the Guarantor (Article 83, paragraph 2, letters c) and d) of the Regulation);

- even if the number of data subjects whose data have been violated is not particularly high (16 data subjects) compared to the total number of patients assisted by the Company, similar unauthorized access could have occurred to a much higher number of data subjects, since the Company has not implemented, especially with regard to radiologist personnel, measures to limit access only to the files of patients actually being treated and only to personal data deemed necessary to ensure the health care provided (Article 83, paragraph 2, letters a) and d) of the Regulation);

- the unauthorized access to the aforementioned notifications concerned clinical documentation containing numerous data on the health of the persons concerned (art. 4, par. 1, no. 15 of the Regulation). In this regard, it must also be considered that the aforesaid accesses concerned information that can be traced back to the particular categories of data, which can be consulted through a particular information tool that, by its very nature, is responsible for documenting the clinical history of a person, through the collection of documentation relating to all health services (reports, medical records, first aid reports) provided by the Company to the same person over time (in this sense, see also the information provided by the Company on the health record on its website, https://www.aovr.veneto.it/informativa-sul-dossier-sanitario-elettronico). In fact, the accesses subject to the above mentioned communications of violation concerned not only single reports, but also the "computer archive" that the Company itself defines as a tool aimed at ensuring "a thorough knowledge of the clinical history" of the person concerned (see above information provided by the Company) (art. 83, par. 2, letter g) of the Regulation);

- while considering the absence of complaints submitted to the Authority by data subjects whose data have been accessed without authorisation, it is not possible to exclude that they may have suffered, or will suffer in the future, prejudicial consequences as a result of such conduct, especially in view of the fact that they are vulnerable as information relating to their state of health has been accessed and that, in all cases, the data subjects are also colleagues of the persons who have made the access;

- according to what stated by the Company, the reasons that motivated the aforesaid accesses are attributable to "mere curiosity" (art. 83, par. 2, letter b) of the Regulation);

In relation to the matter, it is noted favourably that:

- it was the Azienda sanitaria itself that communicated to the Guarantor the aforementioned accesses to the company's health records, through three communications of violation of personal data highlighted above (art. 83, par. 2, letter h) of the Regulation);

- the accesses, which are the subject of the aforementioned communications of violation, have been identified by the Company within the scope of the controls periodically carried out by the same in relation to access to patients' health records (art. 83, par. 2, letter d) of the Regulation). The aforesaid accesses refer to conduct carried out from 3 to 6 months prior to the aforesaid Company controls;

- the Company has spontaneously initiated a review of the technical and organisational specifications relating to access to company health records.

On the basis of the above elements, assessed as a whole, it is considered appropriate to set the amount of the pecuniary sanction provided for by Article 83, paragraph 5, letter a) of the Regulation at € 30,000 (thirty thousand) for the violation of Article 5, paragraph 1, letter f) of the Regulation, as a pecuniary administrative sanction that is, pursuant to Article 83, paragraph 1, of the Regulation, effective, proportionate and dissuasive.

It is also considered that the accessory sanction of publication of this measure on the website of the Guarantor, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Regulation of the Guarantor no. 1/2019, should apply, also in consideration of the invasiveness of the disputed unlawful processing with respect to the fundamental rights of the data subjects, the type of personal data subject to unlawful processing, and the deficiencies found in relation to the security of the Company's information systems.

Finally, it should be noted that the requirements of art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Azienda Ospedaliero Universitaria Integrata di Verona, for violation of art. 5, par. 1, letter f), of the Regulation, in the terms set out in the grounds.

ENJOINS

pursuant to art. 58, par. 2, letter d), of the Regulation, the Azienda Ospedaliero Universitaria Integrata di Verona to complete, within 90 days of notification of this measure, the implementation of the measures described in the notifications sent to the Guarantor and in the defence briefs, aimed at improving the procedures for access to company health records by the personnel authorised to do so.

In this regard, the Company is requested to communicate what steps have been taken to implement what has been ordered in this measure and to provide adequately documented feedback, pursuant to Article 157 of the Code, within 20 days from the expiry of the deadline indicated above; failure to do so may result in the application of the administrative fine provided for in Article 83, paragraph 5, of the Regulation.

ORDERS

pursuant to articles 58, paragraph 2, letter i) and 83 of the Regulation, as well as article 166 of the Code, the Azienda Ospedaliero Universitaria Integrata di Verona, with registered office in Verona (VR), Piazzale Aristide Stefani, 1 - C.F./P. VAT 0390142023, in the person of its pro-tempore legal representative, to pay the sum of Euro 30,000.00 (thirty thousand) as an administrative fine for the violations indicated in this measure, according to the methods indicated in the attachment, within 30 days of notification of this measure, failing which the consequent enforcement acts will be adopted in accordance with art. 27 of Law no. 689/1981.

ENJOINS

the aforesaid Company, in the event of failure to settle the dispute pursuant to Article 166, paragraph 8, of the Code, to pay the sum of Euro 30,000.00 (thirty thousand), according to the methods indicated in the attachment, within 30 days of notification of this measure, failing which the consequent enforcement acts will be adopted pursuant to Article 27 of Law no. 689/1981.

DIRECTS

pursuant to art. 166, paragraph 7, of the Code, the publication of this measure in its entirety on the website of the Guarantor, and considers that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, an appeal against this measure may be lodged with the ordinary judicial authorities, on pain of inadmissibility, within thirty days of the date of communication of the measure or within sixty days if the appellant resides abroad.