Garante per la protezione dei dati personali (Italy) - 9445180

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 12 GDPR
Article 13 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 02.07.2020
Published:
Fine: 15000 EUR
Parties: n/a
National Case Number/Name: 9445180
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Italian DPA website (in IT)
Initial Contributor: Davide C.

The Italian DPA found that access of the employer to the email account of the former employee must protect the privacy of the latter and not infringe the data minimization and fairness principles. Also, the privacy rights of the data subject (e.g. right to access and right to erasure) must be granted in due time.

English Summary

Facts

A former employee asked Mapei S.p.A. for access to the messages contained in his corporate email account, which was still active after the termination of the employment for the alleged purpose of business continuity, and to delete the account itself. Since the company did not reply to his requests, he lodged a complaint with the Italian DPA. Only after the DPA opened the proceeding did the data controller provide the data subject with a copy of the emails contained in his account.

Holding

According to the Italian DPA, the company did not provide employees with an adequate corporate IT policy informing them of how the email account is managed after the termination of employment. More specifically, nothing was said about keeping the account active after the employee's departure and redirecting the emails to the manager's account. Moreover, the DPA found that the data controller did not comply with its obligation to respond to the data subject's access and erasure requests in due course.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI

In today's meeting, which was attended by Dr. Antonello Soro, President, Dr. Giovanna Bianchi Clerici and Prof. Licia Califano, members, and Dr. Giuseppe Busia, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 (hereinafter, "Regulation");

HAVING REGARD to the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree no. 196 of 30 June 2003, as amended by Legislative Decree no. 101 of 10 August 2018, hereinafter referred to as the "Code");

HAVING REGARD to the "Guidelines for electronic mail and internet", adopted by measure no. 13 of 1 March 2007 (published in the Official Gazette of 10 March 2007, no. 58);

HAVING REGARD to the complaint submitted to the Guarantor pursuant to article 77 of the Regulation by XX concerning the processing of personal data relating to the data subject carried out by Mapei S.p.A.;

EXAMINED the documentation in deeds;

HAVING CONSIDERED the observations made by the Secretary General pursuant to art. 15 of the Guarantor's Regulation no. 1/2000;

REPORTER Dr. Antonello Soro;

PROVIDED THAT

1. The complaint against the company and the investigative activity.

1.1. With a complaint dated August 3, 2018, Mr. XX (represented and defended by lawyers XX and XX) complained about alleged violations of the Regulation by Mapei S.p.A. (hereinafter, the company), with particular reference to the failure to respond to the request for access to the contents of the communications received on the individualized e-mail account (XX), kept active and functioning even after the termination of the employment relationship (which occurred on 31.7.2017), as well as the request to obtain the cancellation of the account itself, a request made in a special notice sent to the company with a communication dated 4.6.2018, repeated on 27.7.2018, to which the company would not provide any response. In particular, the complainant complains that he learned that the aforementioned account was still active and the messages received there were read and found by the company, only after carrying out a special test (on 21.2.2018) and after sending a communication (on 27.2.2018) on the account subject of the complaint using the account of a third party. It was also complained that the company would have activated "a mailbox [...], called "mapeicopy", kept hidden from employees [...] but at the disposal of the General Management and its secretariat [...] which collects [...] the entire [...] incoming and outgoing correspondence".

With the request, therefore, the Guarantor was asked to declare the unlawfulness of the processing carried out in violation of the Regulation and to enjoin the company to cease such processing and to satisfy all requests to exercise the rights left unsatisfied.

With reference to the alleged violation of certain criminal provisions, it appears from the acts that a complaint has been filed with the competent judicial authority, with consequent application, in this respect, of Article 140-bis of the Code.

1.2. The company, in response to the request for elements (dated 12.10.2018) made by the Office, in a note dated 29.11.2018 stated that:

a. at the time of the termination of the employment relationship between the company and the complainant "it was necessary to entrust all the activities followed until then [by the complainant]" to the complainant's hierarchical superior as "head of the MAPEI UTT division" (note 29.11.2018, p. 2);

b. on 31.7.2017 (date of termination of the relationship) "the computer systems [of the company] have started the activities of recovery of computer equipment and user disabling with the sole survival of the forwarding [...] of incoming messages. That is, for [...] reasons of necessity to guarantee business continuity in relation to the construction sites and projects that [the complainant] was following [...] the "forwarding" of incoming messages in the mailbox XX to the mailbox [...] of the hierarchical superior [...] with effect from 1.8.2017". (cit. note, p. 4);

c. in order to "protect its business continuity by using a tool of its own (e-mail)" the company, in response to a message received (on 27.2.2018) on the account already assigned to the complainant "expressly specified that [the complainant] was no longer working" with the company (cit. note, p. 5);

d. "following receipt of the letter of formal notice [from the complainant] dated 4.6.2018, the mailbox [...] was definitively destroyed" (cit. note, p. 5);

e. "integral copy" of the messages (in number of 238) received "following automatic "forwarding" from the mailbox [referred to the complainant] was sent to the complainant's lawyers by PEC of November 27, 2018 [...]. These are [...] messages [...] all related to the work activity: therefore, no personal data of the [complainant] has ever been known or acquired by the company". (cit. note, p. 5);

f. the company is "encoding" an "operating practice currently already applied", which provides that "upon termination of the employment relationship the accounts attributable to the employee are removed after deactivation, with simultaneous activation of automatic systems to inform third parties and provide alternative addresses to be used for the continuation of professional relations with the company". (cit. note, p. 6);

g. "the mailbox "mapeicopy" is currently non-existent and no longer in use since 2016". (cit. note, p. 9).

The company has also attached a copy of the document "Security and correct use of information systems" dated 20.2.2017 (cit. note, Doc. 2).

1.3. With a note of reply dated 23 April 2019, the complainant - in confirming his requests to the Authority - has among other things complained that:

a. only on 27.11.2018 the company has provided a copy of the personal data subject of the request for access (submitted on 4.6.2018), however, the response is partial "missing the transmission of paper correspondence, allegedly not received, and noting a blatant and inexplicable hole [...] in the electronic one" since "between March 13, 2018 and June 4, 2018 (date of alleged deactivation of the email [...]) there is a total [...] absence of incoming communications" (note cit., p. 5);

b. the company has not provided evidence that the company regulation dated 20.2.2017 has been brought to the knowledge of the complainant and in any case "at no point in the company policy produced there is a provision that makes the employee aware of the "freedom" of the employer to keep the account active [...] once the employment relationship is terminated and to access indiscriminately [...] future incoming communications" (note cit., p. 6).

1.4. On 10 September 2019, pursuant to Article 166, paragraph 5, of the Code, the Office notified the company of alleged violations of the Regulation found, with reference to Articles 5, paragraph 1, letters a), c) and e), 12, 13 and 15 of the Regulation. By note of 10 October 2019, the company, represented and defended by lawyer Luigi Neirotti, stated that:

a. at the time of termination of the employment relationship with the complainant, the company had to entrust all the activities followed by the complainant to his hierarchical superior, "not only for the management of the current relationship but also to ensure the availability of the company and in any case the maintenance of contacts followed [by the complainant] in the interest of the company" (note 10.10.2019, p. 2);

b. the document "Security and correct use of information systems - Procedure" adopted on 1 July 2012 and "last revised on 20.2.2017" was made available to the complainant and all employees, as well as being available on the company's intranet (note cit., p. 3 and Annex 5, containing a note sent to all Mapei users on 9.7.2017);

c. in the document referred to in the previous letter, it was specified that "electronic mail is the exclusive property of the company and is a work tool that must be used by workers exclusively for professional purposes in relation to the specific tasks assigned to them"; furthermore, the company has clarified that "at any time, in response to a declared, motivated and documented need/request (e.g. ensuring business continuity, preventing and combating unlawful conduct or abuse), it reserves the right to access any electronic mailbox through the Company Information Systems". (cit. note, p. 3);

d. coherently with these procedures at the time of termination of the employment relationship, precisely on 1 August 2017, the company "began the activities of recovering IT equipment and disabling the user with the sole survival of the forwarding of incoming messages" (note cit., p. 4).

1.5. At the hearing held on December 3, 2019, the company reiterated, under its own responsibility, that it sent via PEC to the complainant a copy of all correspondence received on the account subject of the complaint during the period in which the redirection to the account of the complainant's former hierarchical superior was activated. The company also stated that no correspondence addressed to the complainant was received by regular mail. It was also represented that the company acted in good faith, considering that the document "Security and correct use of information systems - Procedure" of 2012 provided for the possibility of redirecting the account in case of prolonged absence of the worker. Finally, the company represented that it had initiated the review of internal procedures as part of the application of the accountability process provided for in the Regulation. In particular, starting in 2018, a procedure was initiated to "review company practice (completed on 24 September 2019) according to which individualized e-mail accounts, no longer in use, are immediately disabled upon termination of employment".

2. The outcome of the investigation and the procedure for the adoption of corrective measures and sanctions.

As a result of the examination of the statements made to the Authority during the proceedings and the documentation acquired, it appears that the company, in its capacity as data controller, has carried out some processing operations of personal data relating to the complainant that do not comply with the regulations on the protection of personal data.

With reference to the alleged non-existence of processing of the complainant's personal data carried out during the management of messages contained in the individualized e-mail account allocated during the employment relationship, it should be noted first of all that, in accordance with the constant guidance of the European Court of Human Rights, the protection of privacy also extends to the working environment, considering that it is precisely during the performance of work and/or professional activities that relationships are developed where the personality of the worker is expressed (see articles 2 and 41, paragraph 2, Cost). Taking also into account that the boundary line between work/professional and strictly private sphere cannot always be drawn clearly, the Court considers Article 8 of the European Convention on Human Rights, which protects privacy without distinguishing between the private and professional spheres, to be applicable (see Niemietz c. Allemagne, 16.12.1992 (Rec. no. 13710/88), spec. par. 29; Copland v. UK, 03.04.2007 (Rec. no. 62617/00), spec. par. 41; Bărbulescu v. Romania [GC], 5.9.2017 (Rec. n. 61496/08), spec. par. 70-73; Antović and Mirković v. Montenegro, 28.11.2017 (Rec. n. 70838/13), spec. par. 41-42). Therefore, the processing of data carried out by means of information technology within the framework of the employment relationship must comply with respect for fundamental rights and freedoms and the dignity of the data subject, for the protection of workers and third parties (see Recommendation CM/Rec(2015)5 of the Committee of Ministers to Member States on the processing of personal data in the employment context, spec. point 3).

2.1. Given that, unless the fact constitutes a more serious offence, anyone who, in proceedings before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents is liable under Article 168 of the Code "False statements to the Guarantor and interruption of the performance of duties or exercise of powers of the Guarantor", it has emerged that the company, having received on 4.6.2018 the request to exercise rights (in relation to articles 15, 17 and 20 of the Regulation; see Annexes 4 and 5 of the complaint) and the reminder of 27.7.2018 (see Annex 6 of the complaint), sent to the lawyers of the complainant on 7.8.2018 a note intended to "fully contest [...] the claims and requests made", on the basis of "legitimate interest in the management of orders and communications in transit in the company mailbox, even after the termination of employment" (see Annex 1, 1a and 1b, company note 29.11.2018). On 27.11.2018 (after the opening of the procedure on complaint by this Authority with note of 12.10.2018) the company provided feedback to the complainant (see Annex 4, company note 29.11.2018) by sending "pdf file containing the full e-mail correspondence received [on the account referred to the complainant] after 31 July 2017" and stating that the personal data of the person concerned had been "fully deleted in accordance with the request of the same [...] of 1/4 June and 27 July 2018".

Therefore, it appears that the company did not respond to the requests relating to the exercise of access and cancellation rights made by the complainant (nor did it communicate the existence of a hypothesis of limitation of the rights of the interested party, within the terms provided by art. 2-undecies of the Code) until after receipt of the invitation to provide feedback from the Authority. This occurred in violation of art. 15 of the Regulation, in force at the time of submission of the request for access. It is also in violation of art. 12 of the same Regulation, also with reference to the late response to the request for cancellation submitted pursuant to art. 17 of the same (cancellation that, according to what is stated, would have occurred after the submission of the warning by the person concerned, but on a date prior to the submission of the complaint to the Guarantor).

2.2. The company has also, according to what has been declared, kept the e-mail account relating to the complainant active since the termination of the employment relationship - on 31.7.2017 -, with automatic redirection of all incoming messages to the account assigned to the former hierarchical superior of the complainant from 1.8.2017 (i.e. for a significant period of time, just over 10 months) until the cancellation occurred following the submission of the warning by the person concerned on 4.6.2018. This processing lasted beyond the date of application of the Regulation (15 May 2018).

In this regard, it does not appear that the complainant had been previously informed of the possibility of the processing - allegedly intended to ensure continuity of business activity - carried out by the company after the termination of the employment relationship. In fact, the document "Security and correct use of information systems - Procedure", dated 20.2.2017 (see Attachment 2, company note 29.11.2018), although it clarifies that e-mail is a "corporate communication tool" to be used exclusively for professional purposes, does not contain, contrary to the company's claims, any reference to the possibility that the company may keep the accounts active after the termination of the relationship with automatic redirection to a different e-mail address. On the other hand, it provides only for the different possibility for the company to access, during the employment relationship, the mailboxes for specific, motivated and documented business needs, as well as to temporarily enable automatic forwarding to another mailbox in the event of prolonged absence of the recipient user of the message, without indicating the relevant methods (see "Security and correct use of computer systems - Procedure", point 4.4.). These procedures, however, differ from the indications provided to employers in the "Guidelines of the Guarantor for e-mail and Internet" aimed at reconciling the legitimate requirements of orderly conduct of work with the prevention of possible intrusion into the personal sphere of workers, as well as violations of the discipline on the possible secrecy of correspondence (Provision 1.3.2007, in G. U. No. 58 of 10.3.2007, spec. point 5.2, letter b)).

This is in contrast with the provisions of art. 13 of Legislative Decree no. 196 of 30.6.2003, of the Code (text in force at the time of the start of processing), according to which the data controller is required to provide the person concerned - before the start of processing - all the information relating to the essential characteristics of the processing. In the context of the employment relationship, the obligation to inform the employee is also an expression of the general principle of correctness (see art. 11, paragraph 1, letter a) of the Code, text in force at the time of the facts; considering that the processing continued until 4 June 2018, see also, art. 5, paragraph 1, letter a) and 13 of the Regulation).

2.3. Finally, it was found that during the period during which the account remained active after the termination of the employment relationship, the company, by redirecting to a different company account, had access to the 238 messages received to the individualized email account referred to the complainant. This method of processing allowed the company to view incoming electronic mail (whether or not outside of work) to the individualized mailbox referred to the complainant and from persons inside and outside of work. In this way, the company became aware of some personal information relating to the person concerned and concerning not only the so-called external data of the aforementioned communications and any attached files, but also the content of the same (see, lastly, provision 4.12.2019, no. 216, in www.garanteprivacy.it, web doc. no. 9215890). In particular, an examination of the communications received on the account referred to the complainant after the termination of the employment relationship (see Doc. 4-A, company note 10.10.2019) reveals the presence of certain contents that not only relate to the professional activity of the person concerned with the company, but also to aspects of the personal sphere of the complainant (notifications relating to the account on LinkedIn, advertising messages relating to non-work related services) with respect to which the person concerned and third parties involved (whose rights must also be protected) could have had legitimate expectations of confidentiality. As pointed out in the "Guidelines of the Guarantor for e-mail and Internet", these protection requirements must be taken into account by the employer even in the event of termination of the employment relationship between the parties (see the provision cit., spec. point 5.2, letter b) and, lastly, provision 4.12.2019 cit. and other measures referred to therein).

To this end, the employer, in accordance with the principles of personal data protection and the indications contained in the aforementioned Guidelines, should instead have adopted technological and organizational measures to balance the legitimate interest of the data controller to access the information necessary for the efficient management of its business and to ensure continuity with the expectation of confidentiality of correspondence from workers and third parties. In particular, in line with the aforesaid Guidelines, after the termination of the employment relationship, the company should have provided for the removal of the employee's account after deactivation of the same and the simultaneous adoption of automatic systems aimed at informing third parties and providing them with alternative addresses relating to his professional activity. On the basis of the statements on file, however, the company itself has adopted this procedure since September 2019, as a result of the review of internal policies, "as part of the application of the accountability process provided for by the Regulation", as proof of the possible different balancing of the above interests.

The processing carried out by the company has therefore violated the principles of necessity, lawfulness and proportionality (see Articles 3 and 11, paragraph 1, letter a) d) and e) of the Code, text in force at the time when the processing began; Considering that the processing continued until 4 June 2018 see also Article 5, paragraph 1, letter a), c) and e) of the Regulation).

3. Conclusions: unlawfulness of processing. Corrective measures pursuant to Article 58, paragraph 2, of the Regulation.

For the above reasons, the processing of personal data referring to the complainant carried out by the company through the failure to respond to requests for the exercise of rights within the terms provided for by the law, as well as through the prolonged activity of the individualized e-mail account after the termination of the employment relationship and subsequent access to messages received there (until the warning of the person concerned and in any case for more than ten months), without this practice having been made explicit in the document dedicated to the policies regarding the use of the company's computer systems, is unlawful, in the terms set out above, in relation to articles 5, par. 1, lett. a), c) and e), 12, 13 and 15 of the Regulation.

It is noted that the company, during the proceedings, has provided the interested party with feedback on the request for access and has also initiated a review of its internal policy with particular reference to the management of e-mail accounts after the termination of employment (see Corporate IT Operative Instructions for hiring, termination and relocation of employees, 24.9.2019, in Annex 7, Company note 10.10.2019).

In order to bring the processing of employees' personal data in line with the provisions of the Regulation, the company must also adopt measures to provide the data subjects with all the information and communications required following the exercise of their rights, as well as to facilitate the exercise of rights by the data subjects, within the terms set forth in Article 12 of the Regulation.

Therefore, given the corrective powers granted by art. 58, par. 2 of the Regulation, in the light of the circumstances of the specific case:

- the company is enjoined to comply with the provisions of art. 12 of the Regulation, with particular reference to the obligation to adopt appropriate measures to provide feedback to the data subject, facilitating the exercise of the rights provided for by articles 15-22 of the Regulation;

- in addition to the corrective measure, a pecuniary administrative sanction in accordance with art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) Regulation).

4. Ordinance injunction.

Pursuant to Art. 58, par. 2, letter i) of the Regulation and Art. 166, paragraphs 3 and 7 of the Code, the Guarantor provides for the application of the pecuniary administrative sanction provided for by Art. 83, par. 5, letter a) of the Regulation, through the adoption of an injunction order (Art. 18, Law 24.11.1981, No. 689), in relation to the processing of personal data referred to the complainant, whose unlawfulness has been ascertained, in the terms set out above, in relation to Articles 5, paragraph 1, letter a), c) and e), 12, 13, 15 of the Regulation, the outcome of the proceedings referred to in Article 166, paragraph 5 conducted in contradictory manner with the data controller (see point 1.4. and 1.5. above).

It is considered necessary to apply paragraph 3 of Article 83 of the Regulation where it provides that "If, in relation to the same processing or related processing, a data controller [...] violates, with intent or negligence, various provisions of this Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation". Considering that the ascertained violations of Article 5 of the Regulation are to be considered more serious, since they relate to the non-observance of several principles of a general nature applicable to the processing of personal data, the total amount of the sanction is calculated so as not to exceed the maximum amount specified for the aforementioned violation. Consequently, the sanction provided for by art. 83, par. 5, letter a) of the Regulation is applied, which sets the maximum amount at 20 million Euros or, for companies, 4% of the annual worldwide turnover of the previous financial year, whichever is higher.

With reference to the elements listed in Art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and the relative quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Art. 83, par. 1 of the Regulation), it is represented that, in the case in point, the following circumstances have been considered:

a) in relation to the nature, seriousness and duration of the violation, the nature of the violation was considered relevant and concerned the general principles of processing; the violations also concerned the provisions on the exercise of rights and information;

b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the data controller, the company's negligent conduct and the degree of responsibility of the company that failed to comply with data protection regulations with regard to a number of provisions was taken into account;

c) the company has overall and actively cooperated with the Authority during the proceedings;

d) the absence of specific precedents (relating to the same type of processing) charged to the company.

It is also considered that the principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere when determining the amount of the sanction (art. 83, par. 1 of the Regulation) are relevant in the case in question, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness, first of all the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the financial statements for the year 2018. Finally, account is taken of the administrative sanctions imposed under the previous regime for the corresponding administrative offences and the extent of the sanctions imposed in similar cases.

In light of the above elements and the assessments made, in the case in point, it is considered that Mapei S.p.A. will be subject to an administrative penalty of €15,000.00 (fifteen thousand).

In this context it is also considered, in view of the type of violation ascertained, which concerned the electronic correspondence of a worker and lasted for over 10 months, as well as the lack of prior information and the adoption of organizational measures that do not comply with the regulations in force, that under Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor No 1/2019, it should proceed to the publication of this measure on the website of the Guarantor.

It is also considered that the conditions set out in Article 17 of Regulation No. 1/2019 on internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

It should be noted that, pursuant to Article 170 of the Code, anyone who, being required to do so, fails to comply with this prohibition measure is punished with imprisonment from three months to two years; in any case, the sanction set forth in Article 83, paragraph 5, letter e) of the Regulation may be applied in administrative proceedings.

ALL OF THE ABOVE, THE GUARANTOR

notes the unlawfulness of the processing carried out by Mapei S.p.A. in the person of its pro-tempore legal representative, with registered office in Milan, Via Cafiero Carlo 22, C.F. 01649960158, pursuant to articles 57, paragraph 1, letter f) and 83 of the Regulation, as well as article 166 of the Code, for violation of articles 5, par. 1, lett. a), c) and e), 12, 13 and 15 of the Regulation, as well as articles 3 and 11, par. 1, lett. a), d) and e) of the Code (in force at the time when the processing started and now corresponding, in the current legislation, to art. 5, par. 1, lett. a), c) and e) cit. of the Regulation);

ORDER

Pursuant to art. 58, par. 2, letter d) of the Regulations, Mapei S.p.A. shall comply with the provisions of art. 12 of the Regulations, with particular reference to the obligation to adopt appropriate measures to provide feedback to the data subject, facilitating the exercise of the rights provided for in articles 15-22 of the Regulations, within 60 days of receipt of this measure (art. 58, par. 2, letter d) Regulations);

ORDER

pursuant to art. 58, par. 2, letter i) of the Regulations, Mapei S.p.A. to pay the sum of 15,000 (fifteen thousand) euro as an administrative fine for the violations indicated in this measure;

ORDER

also to the same Company to pay the sum of Euro 15,000.00 (fifteen thousand), according to the methods indicated in the attachment, within 30 days from the notification of this measure, under penalty of adopting the consequent executive acts in accordance with Article 27 of Law no. 689/1981. Please note that this is without prejudice to the right for the offender to settle the dispute by paying - again in the manner indicated in the Annex - an amount equal to half of the penalty imposed, within the period referred to in Article 10, paragraph 3, of Legislative Decree no. 150 of 1/9/2011 provided for the lodging of the appeal as indicated below (Article 166, paragraph 8, of the Code);

ORDER

the publication of this measure on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code, and art. 16, paragraph 1, of the Regulation of the Guarantor No 1/2019, and considers that the conditions set out in art. 17 of Regulation No 1/2019 are met.

It requests Mapei S.p.A. to communicate what initiatives have been taken in order to implement the provisions of this measure and to provide adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this measure; failure to do so may result in the application of the administrative penalty provided for in art. 83, paragraph 5, letter e) of the Regulation.

Pursuant to Article 78 of the Regulation, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this measure may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same Article 10, within thirty days from the date of notification of the measure itself, or sixty days if the applicant resides abroad.