Garante per la protezione dei dati personali - 9509515
|Authority:||Garante per la protezione dei dati personali (Italy)|
|Relevant Law:||Article 5(1)(a) GDPR; Article 5(1)(c) GDPR; Article 6(1)(b) GDPR; Article 6(1)(f) GDPR; Article 6(1)(c) GDPR; Article 9(2)(b) GDPR; Article 58(2)(i) GDPR; Article 58(2)(d) GDPR; Article 83(2)(b) GDPR; Article 83(2)(a) GDPR; Article 83(2)(c) GDPR; Article 83(2)(f) GDPR; Article 83(5) GDPR|
|Parties:||Concentrix Cvg Italy s.r.l.|
|National Case Number/Name:||9509515|
|European Case Law Identifier:||n/a|
|Original Source:||Garante per la protezione dei dati personali (in IT)|
The Italian DPA (Garante) fined a company €20000 for its implementation of an internal “clean desk policy” that required call centre employees with health conditions to keep medication and sanitary products on their desks, subject to a documented request from the Human Resources department.
English Summary
Facts
A company implemented internal rules that included a “clean desk” and locker policy. Under the policy, call centre workers could not have any objects on their desks, except for medicines or sanitary products that they needed to have “immediately available” to them. After 3 months the company reformed the policy to include new rules, including requiring any bag containing medical items to be “no larger than a smartphone”, and a new procedure whereby employees seeking to keep medical items on their desk would have to inform Human Resources of their condition(s) in a request that would be documented, and potentially obtain proof from a doctor explaining why the employee needed to have the items in reach. In response to the complaint, the company argued inter alia that it had since reformed the policy, and that the legal basis for the processing entailed a legitimate interest for fraud prevention under Article 6(1)(f) GDPR.
Dispute
Did the company’s policy breach Article 6 or any other articles of the GDPR?
Holding
The Garante held that the policy breached the principles of lawfulness and minimisation under Articles 5(1)(a) and (c), and Articles 6(1)(b), (c) and Article 9(2)(b), for the processing of special categories of personal data. The breach was due to the policy involving a “submission of knowledge to others” that constituted an “elimination of any area of confidentiality and intimacy” which permitted third parties to become aware of employees’ health or the existence of conditions they would normally be able to keep private. The Garante did not agree that Article 6(1)(f) could be used as a basis for processing here, because they were not satisfied that a balancing test on the merits of “fraud prevention” had been carried out by the company. The company was ordered to bring its policies in line with the principles of lawful processing and data minimisation, pursuant to Article 58(2)(d).
The Garante also fined the company €20000 for its breach of Articles 5(1)(a) and (c) GDPR. In determining the amount of the fine the Garante considered the following:
- Article 83(2)(a) - the policy covered the processing of the personal data of 253 employees in the context of employment relationships;
- Article 83(2)(b) - the negligent conduct of the company in failing to comply with data protection policies via its internal rules;
- Article 83(2)(c) - the company’s “comprehensive and active” cooperation with the Garante during the proceedings;
- Article 83(2)(f) - the absence of previous similar processing issues with the company.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
SEE ALSO NEWSLETTER OF 23 DECEMBER 2020 [web doc. no. 9509515]. Injunction order against Concentrix Cvg Italy s.r.l. - 26 November 2020 Register of Measures No 235 of 26 November 2020 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA AT TODAY'S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, members and Cons. Fabio Mattei, Secretary General; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation") HAVING REGARD to the Personal Data Protection Code, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree No 196 of 30 June 2003, as amended by Legislative Decree No 101 of 10 August 2018, hereinafter the "Code"); HAVING REGARD to the report submitted to the Guarantor concerning the processing of personal data carried out by Concentrix Cvg Italy s.r.l.; HAVING EXAMINED the documentation on file; HAVING REGARD TO the comments made by the Secretary General pursuant to Article 15 of the Garante's Regulation No. 1/2000; Dr Agostino Ghiglia as rapporteur; WHEREAS 1. The report against the company and the preliminary investigation activity. 1.1. In a report dated 2 August 2019, UILCOM Sardegna complained about alleged violations of the Regulations by Concentrix Cvg Italy s.r.l. (hereinafter, the company), with particular reference to the adoption of a Company Regulation (in force since 17 June 2019 according to what is indicated in point 5 of the same Regulation) by which, in order to guarantee the secrecy of the data processed on behalf of customers, it would have been provided for the prohibition for the employees of the company to hold certain objects and/or clothing as well as "the obligation to keep in sight on the desk boxes of medicines and tampons". The Authority opened an inquiry under Article 144 of the Code. 1.2. 
The company, in response to the request for elements (note dated 17 September 2019) formulated by the Office, by note dated 28.10.2019 stated that: a. the internal rules were adopted as part of the implementation of an "information security management system" of which a "clean desk policy" is part [...] "to ensure that objects such as purses, large bags, mobile phones or other electronic devices cannot be used to capture personal information for illicit purposes" (see note 28.10.2019, p. 2); b. "guidelines have been provided that allow exceptions in cases where medication or health-related items need to be immediately available to the employee during the work shift, in which case they can be kept on the desk [...]. However, a process exception has not been implemented to allow the employee to store such items in a small case at the desk to ensure the privacy of personal and health information" (see footnote cit., p. 2); c. after the adoption of the reported policy, a 'committee supervising and guaranteeing each policy' was set up with the task of verifying, before the application of the acts containing internal regulations, the possible conflict 'with other policies, with legal or contractual regulations, or [the violation of] the rights and freedoms of others' (see footnote cited, p. 3); d. therefore "when the policy in question was introduced in Italy, since the Committee had not yet been created, no exception to the process was introduced which would provide for the possibility of bringing into the production area [...] a small bag in which to store medicines or objects relating to the health of the employee himself" (see footnote cited above, p. 3); e. "as of 1 November 2019 [...] it will be guaranteed to the employee, subject to prior notification to Human Resources, to [...] keep at his or her desk the necessary medication or health items, contained in a small bag or case. 
This will prevent the disclosure of any health condition and ensure that the employee's privacy is protected' (see footnote cit., p. 3); f. 'the bag must be large enough to contain the necessary items, but not large enough to contain a mobile phone, or other device that could be used for illicit purposes' (see footnote cit., p. 3); g. the new procedure involves the following steps: 'the employee informs HR of a health problem that requires medication or medical supplies to be stored at their desk [...]'; 'HR may request that a medical document be provided to the company doctor indicating why medication must be within the employee's reach'; 'once the company doctor's confirmation is received, HR will document the exception to the policy and send a note to the production department stating that the use of a small bag is approved' (see note cit., p. 3); h. with reference to the specification of the date on which the reportable company regulation became effective the company stated that "a notice to all employees was sent by email on 20 June 2019. [...] Each individual employee has duly noted the policy and accepted it in writing. […] The company policy came into force with individual acceptance" (see footnote cit., p. 3). 1.3. 
In a note dated 5 December 2019, the reporting organisation sent its counter-arguments in which, inter alia, it argued that: "no worker has received any communication", therefore it is not clear "whether the process that the company says it implemented on 1 November is already operational or not"; "the fact that workers have signed the policy (not all of them have done so) [...] does not relieve the company of the responsibilities involved in maintaining an adequate level of privacy"; the reporting organisation also reiterated the deemed unlawfulness of what was established in the company policy, also following the changes announced by the company in its feedback to the Authority. 1.5. On 20 January 2020, pursuant to Article 166, paragraph 5, of the Code, the Office notified the company of the alleged violations found, with reference to Articles 5, paragraph 1, letters a) and c), 6, paragraph 1, letters b) and c), 9, paragraph 2, letter b) of the Regulation. In a memorandum dated 19 February 2020, the company, represented and defended by the lawyer Francesca Rubina Gaudino, declared that a. "the internal regulation on the use of lockers adopted in June 2019 [...] does not involve any processing of data relating to health" (see note 19.2.2020, p. 1); b. according to the policy adopted in June 2019, 'nothing prevents the employee from storing medication in a dark, unlabelled container' (see note cited above, p. 1); c. 'in order to avoid any misunderstanding [the company] has amended the policy and clarified that an employee may store medication on his or her desk in small opaque plastic containers or pill boxes without any labels' (see note cited, p. 1); d. workers 'are authorised to leave their workstations to take and make use of medicines, medical devices, tampons, wipes and liquids stored in cabinets assigned to them' (see note cited, p. 2); e. the company "as of February 18, 2020 [...] revised the policy and established [...] 
that an operator using a medical device larger than a smartphone at their workstation may use a larger bag [...] subject to written notice to and approval by the local human resources department" (see note cited above, p. 2); f. 'the [...] policy, approved in December 2019, indicated the possibility for human resources to ask a doctor to confirm the need for workers to keep a medication on hand'; however, the company 'has never implemented the revised policy [and] has no plans to do so in the future'; the version revised on 18 February 2020 'does not contain any provision requiring the presentation of a medical certificate' (see note cited, p. 3); g. the latest version of the policy (of 18 February 2020) is, at present, "in the process of being implemented" also in order to take into account the Authority's comments and decisions in these proceedings; moreover, the company intends to share the latest revisions of the policy with the employees' representatives (see footnote cited, p. 3); h. this version of the policy stipulates that the worker must inform the human resources department in writing if he "intends to use an opaque bag no bigger than a smartphone to store drugs, medical devices and/or tampons, wipes and liquids on the desk of his workstation if the employee intends to use a bag larger than a smartphone, he/she must notify the human resources office of the 'approximate size of the bag [...] needed to store the medical device' and request 'permission to use it'; the human resources office 'shall create and maintain a record of each communication or request for use of a bag for the storage of drugs, medical devices and/or absorbents, wipes and liquids and, in the case of a larger bag, the approximate size of the latter' (see. footnote cit, p. 4); i. The company will carry out random inspections of the contents of the bags placed on the desks (see footnote, p. 4); j. 
the legal basis of the processing carried out on the basis of what has been established with the internal policy lies in Article 6, paragraph 1, letter f) of the Regulation (legitimate interest) in relation to the purpose of fraud prevention; should the processing carried out on the basis of the internal policy be qualified by the Authority as processing of data relating to health, the company "considers such processing to be legitimate on the basis of Article 9 (2) (B) GDPR in conjunction with Article 32 GDPR" (see note cited, p. 4) (see footnote cit., p. 5-8). 1.6. On 4.8.2020, at the hearing requested by the party, the company stated that: - the "locker policy" that is the subject of the complaint, "adopted to bring internal discipline into line with group directives", was actually in operation from 20 June to 24 July 2019, the date on which it was suspended by the company; - the new versions of the policy sent to the Authority during the proceedings "have not been implemented"; - the permitted work breaks are as follows: a 15-minute break every two hours and the lunch break, as well as the possibility of going to the toilets outside the permitted breaks. 2. The outcome of the investigation and the procedure for the adoption of corrective measures and sanctions. 2.1. After examining the statements made to the Authority in the course of the proceedings as well as the documentation acquired, it appears that the company, in its capacity as data controller, has carried out some processing operations of personal data referring to employees which do not appear to comply with the rules on the protection of personal data, in the terms described below. Whereas, unless the act constitutes a more serious offence, whoever, in proceedings before the Garante, falsely declares or attests information or circumstances or produces false documents or deeds, shall be held liable pursuant to art. 
168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor", it emerged that the company adopted internal regulations (Company Regulations - Assignment and use of lockers), applied as of 20 June 2019 and whose effectiveness was suspended on 24 July 2019, which, in making "express and full reference to the provisions of Appendix 1. 0 ("Employee information Security Responsibilities Policies") and Procedure 1.0 ("Clean desk and Screen saver")", established that "it is possible to introduce the following objects inside the work areas, only if they are stored according to the following scheme", and in particular "at the Desk", the following objects for personal use: "medicines or medical devices in use; wet wipes [...], sanitary towels" (see point 4, regulation cited). In this regard, the above-mentioned "Appendix 1.0" provides that "Officers are prohibited from bringing personal items (such as bags, backpacks, purses, etc.) into the operational areas of call centres on sites where lockers, provided to protect personal belongings, are present" (see Annex submitted on 30.10.2019). Accordingly, on the basis of the above-mentioned internal provisions, call centre operators working for the company were required to display on the work table purely personal items such as medicines, medical aids, tampons, wet wipes, which the worker uses during his work, even outside the cases in which it is possible to go to the assigned cabinet in advance to collect such items for personal use (in particular, outside the permitted breaks of 15 minutes every two hours and during the lunch break). 
This is without the possibility of placing such objects inside cases or other small containers in order to remove them from the visibility of others (colleagues and hierarchical superiors) with the consequent possibility for them to learn, indirectly, personal situations or states or information relating to the state of health unrelated to the content of the work and damaging the dignity and confidentiality of the employee. In this regard, it should be noted that during the course of the proceedings the company did not provide any concrete evidence on the basis of which it was possible to ascertain that "in practice" operators were allowed to place the aforementioned objects for personal use inside containers (as claimed in the defence pleadings of 19.2.2020 and at the hearing of 4.8.2020). In fact, the company itself has repeatedly stated that it was only after the application of the policy that the possibility of storing the aforementioned objects for personal use in a small bag or case was envisaged (as an "exception") (see point 1.2., lett. b., c. and d.) and that the draft internal rules subsequently drawn up (approved in December 2019 and 18 February 2020 respectively and never applied: see point 1.5. f. and g. above) provided for a special authorisation procedure relating precisely to the possibility of keeping a small or "larger" container or bag at one's workstation. Considering that, according to the current legislation, the employer may process the information necessary and relevant for the management of the employment relationship in accordance with the provisions of the laws, regulations and provisions of the applicable collective agreements and/or of the individual employment contract (see Articles 5(1)(a) and (c) and 6(1)(b) and (c) of the Regulation), whereas the so-called "special data" may be processed only if 'processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of employment and social security law and social protection, insofar as it is authorised by Union or Member State law or by a collective agreement in accordance with the law of the Member States, subject to appropriate safeguards for the fundamental rights and interests of the data subject' (see Article 9(2)(b) of the Regulation), it appeared that the reported processing operations were carried out in the absence of any of the aforementioned legitimation criteria. Nor, in this respect, can the internal company regulations be taken into consideration, as they do not fall within the list of sources indicated by the legislation (see Articles 6(1)(c) and 88, as well as recital 45 of the Regulation on the meaning of "legal obligation"). Nor could the written 'acceptance' of the internal regulations, if such a manifestation of will were in fact established, have constituted a legal basis capable of legitimising the processing of personal data (limited to those other than the 'special' data referred to in Art. 9, Regulation (EU) 2016/679), this in light of the asymmetry between the respective parties to the employment relationship and the consequent, possible need to ascertain from time to time and in concrete terms the actual freedom of the consent expressed (see provv. 13.12.2018, no. 500, in www.garanteprivacy.it, doc. web n. 9068983). As regards the alleged legitimate interest of the company (see point 1.5., letter j. above) in relation to the purpose of preventing fraud, it is noted that such legitimacy criterion, which is, moreover, admissible only for "common" data, may be used after carrying out a comparative test on the non prevalence in the concrete case of interests or fundamental rights and freedoms of the data subject (see Article 6(1)(f) of the Regulation). 
It does not appear that such an assessment was carried out by the company, given that the internal rules were adopted in June 2019 before the body responsible for verifying possible conflicts of the company's rules with "other policies, with legal or contractual provisions, or [the violation of] the rights and freedoms of others" was set up (see point 1.2., letter c. above). Moreover, in any case, the processing operations carried out from 20 June to 24 July 2019 do not comply with the principles of lawfulness and data minimisation (see Article 5(1)(a) and (c) of the Regulation): the legitimate purpose of preventing possible unlawful access to the data processed on behalf of the clients within the scope of the call centre service provision, in fact, can and must be pursued by refraining from processing workers' personal data, even of a "particular" nature (with reference to the medicines and medical devices that the data subject needs to have at his disposal also during the work performance: see Article 9(1) of the Regulation), whose submission to the knowledge of others entails the elimination of any area of confidentiality and intimacy in the workplace, allowing third parties to learn both the state of health and the existence of conditions normally kept confidential by the persons concerned in their relationship life, with a consequent violation of the dignity of the person, understood as a "constitutional value that permeates positive law" (see Corte Cost., 17.7.2000, no. 293; see also Corte Cost., 19.12.1991, no. 467; art. 1, Charter of Fundamental Rights of the European Union; art. 1 of the Code; see also art. 88, par. 2 of the Regulation). 2.2. 
With reference to the communication and/or authorisation procedure relating to the possibility for workers to take with them to their workstations a case or a bag containing items for strictly personal use - including drugs, medical devices and sanitary napkins - noting that, according to what was stated by the company during the proceedings, such procedure, where it envisaged the issue of a certificate by the competent doctor, has never been applied, nor does the scheme currently being drafted envisage the involvement of the doctor, the company is required to comply with the processing of personal data related to such procedure (including the proposed keeping of records: see point 1.5., letter h. above) to the general principles of lawfulness and minimisation, so as to prevent the processing (including the recording) of specific information relating to the objects to be placed in the containers (without prejudice to the possibility of carrying out subsequent checks, as declared to the company, within the limits provided for by the applicable sector regulations). 3. Conclusions: unlawful processing. Corrective measures under Article 58(2) of the Regulation. For the reasons set out above, the processing of personal data referring to the operators working at the call centre, carried out by the company on the basis of the company regulations applied in the period between 20 June and 24 July 2019, is unlawful, in the terms set out above, in relation to Articles 5(1)(a) and (c), 6(1)(b) and (c) and 9(1)(b) of the Regulation. 
Therefore, having regard to the remedial powers granted by Article 58(2) of the Regulation, in the light of the circumstances of the specific case - the company is ordered to comply with the principles of lawfulness and minimisation laid down in the Regulation in respect of the processing carried out by means of the company's "locker policy", which is currently being drawn up, preventing the processing of specific information relating to objects for strictly personal use that operators ask to be placed in cases or bags at their workstations; - in addition to the corrective measure, a pecuniary administrative sanction is imposed pursuant to article 83 of the Regulation, commensurate with the circumstances of the case (article 58, paragraph 2, letter i) of the Regulation). 4. Injunction order. Pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166, par. 3 and 7 of the Code, the Garante orders the application of the administrative fine provided for by art. 83, par. 5, letter a) of the Regulation, through the adoption of an injunction order (art. 18, l. 24.11.1981, no. 689), in relation to the processing of the personal data of the operators working at the call centre carried out by the company on the basis of the company regulations applied in the period between 20 June and 24 July 2019, which was found to be unlawful, in the terms set out above, in relation to Articles 5, par. 1, lett. a) and c), 6, par. 1, lett. b) and c) and 9, par. 1, lett. b) of the Regulation, as a result of the procedure pursuant to art. 166, par. 5 carried out in cross-examination with the data controller (see point 1.5. and 1.6. above). Considered that it is necessary to apply paragraph 3 of Art. 
83 of the Regulation where it provides that "Where, in relation to the same or related processing operations, a controller [...] intentionally or negligently infringes several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious infringement", considering that the ascertained breaches of Article 5 of the Regulation are to be considered more serious, since they relate to the non-compliance with a plurality of principles of a general nature applicable to the processing of personal data, the total amount of the penalty shall be calculated in such a way as not to exceed the maximum amount specified for the aforementioned breach. Consequently, the sanction provided for in Article 83(5)(a) of the Regulation, which sets the maximum fine at €20 million or, for companies, at 4% of the annual worldwide turnover for the previous year, whichever is higher, shall apply. With reference to the elements listed in art. 83, paragraph 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and the relevant quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (art. 
83, paragraph 1 of the Regulation), it is hereby stated that, in the present case, the following circumstances have been considered (a) in relation to the nature, seriousness and duration of the breach, it was considered relevant that the breach concerned the general principles of processing in relation to a significant number of data subjects (based on the visas, the company appears to have 253 employees as at 30.9.2019); the breaches also concerned the conditions of lawfulness of processing (more specific provisions regarding processing in the context of employment relationships); (b) with regard to the intentional or negligent character of the infringement and the degree of responsibility of the owner, the negligent conduct of the company and the degree of responsibility of the company for failing to comply with the data protection rules in respect of a number of provisions were taken into account (c) the company cooperated comprehensively and actively with the Authority during the proceedings; f) the absence of specific precedents (relating to the same type of processing) against the company. It is also considered that, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere when determining the amount of the sanction (Article 83(1) of the Regulation), the economic conditions of the offender, determined on the basis of the revenues earned by the company with reference to the financial statements for the year 2019, are relevant in this case. In light of the above-mentioned elements and of the assessments carried out, it is deemed, in the case in question, to apply to Concentrix Cvg Italy s.r.l. the administrative sanction of the payment of a sum equal to EUR 20,000.00 (twenty thousand). 
In this context, it is also considered, in view of the type of violations found that have affected the conditions of lawfulness of the treatment, that pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor No 1/2019, we must proceed with the publication of this measure on the website of the Guarantor. It is also considered that the conditions set out in Article 17 of Regulation No 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met. It should be noted that in the event of failure to comply with an order of the Authority, the sanction referred to in Article 83(5)(e) of the Regulation may be applied administratively. THAT SAID, THE SUPERVISOR notes the unlawfulness of the treatment carried out by Concentrix Cvg Italy s.r.l. in the person of its legal representative, with registered office in Cagliari, Strada statale 195 - Km 2300 snc, C.F. 11414850153, pursuant to art. 144 of the Code, for the violation of art. 5, par. 1, lett. a) and c), 6, par. 1, lett. b) and c) and 9, par. 1, lett. b) of the Regulation; INITIATES pursuant to art. 58, par. 2, letter d) of the Regulation to Concentrix Cvg Italy s.r.l. to comply with the Regulation the treatments carried out with the company regulation in the process of elaboration regarding the definition of the "locker policy", within 60 days of receipt of this measure; ORDER pursuant to art. 58, par. 2, letter i) of the Regulation to Concentrix Cvg Italy s.r.l. 
to pay the sum of euro 20.000,00 (twenty thousand) as a pecuniary administrative sanction for the violations indicated in this measure; URGES the same Company to pay the aforesaid sum of EUR 20,000.00 (twenty thousand), in accordance with the procedures indicated in the annex, within 30 days of notification of this measure, under penalty of the adoption of the consequent executive measures pursuant to Article 27 of Law no. 689/1981. It is reminded that the transgressor has the right to settle the dispute by paying - according to the modalities indicated in the enclosure - an amount equal to half of the sanction imposed, within the term provided by art. 10, paragraph 3, of the legislative decree no. 150 of 1.9.2011 for the submission of the appeal as indicated below (art. 166, paragraph 8, of the Code); ORDER the publication of this measure on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor No 1/2019, and considers that the conditions of art. 17 of Regulation No 1/2019 are met. Requests Concentrix Cvg Italy s.r.l. to communicate which initiatives have been taken in order to implement the provisions of this measure and to provide in any case adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this measure; any failure to respond may result in the application of the administrative sanction provided for in art. 83, par. 5, letter e) of the Regulation. Pursuant to Article 78 of the Regulation, as well as Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, an objection to this provision may be lodged with the ordinary judicial authority, by lodging an appeal with the ordinary court of the place identified in Article 10, within thirty days from the date of notification of the provision itself, or sixty days if the applicant resides abroad. 
Rome, 26 November 2020 THE PRESIDENT Stanzione THE REPORTER Ghiglia THE SECRETARY GENERAL Mattei