Difference between revisions of "Garante per la protezione dei dati personali - 9524175"

From GDPRhub
 
''Share blogs or news articles here!''
 
  
==English Machine Translation of the Decision==
doc. web n. 9524175].
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
 
  
<pre>
Injunction order against Roma Capitale - 17 December 2020
Register of measures
No 280 of 17 December 2020
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
  
AT TODAY'S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;
HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");
HAVING REGARD TO Legislative Decree No 196 of 30 June 2003 on the "Personal Data Protection Code, laying down provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter, the "Code")
  
HAVING REGARD to Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Garante for the protection of personal data, approved by resolution No. 98 of 4/4/2019, published in G.U. No. 106 of 8/5/2019 and at www.gpdp.it, web doc. No. 9107633 (hereinafter "Garante Regulation No. 1/2019");
HAVING REGARD to the documentation on file;
  
HAVING REGARD TO the comments made by the Secretary General pursuant to Article 15 of the Regulation of the Garante no. 1/2000 on the organisation and functioning of the office of the Garante for the protection of personal data, web doc. no. 1098801;
  
RAPPORTEUR Prof. Pasquale Stanzione;
  
WHEREAS
  
'''1. Unlawfulness of the processing of personal data carried out by Roma Capitale through the "Tu Passi" booking system.'''
By order no. 81 of 7 March 2019, adopted following complex preliminary activity and investigations carried out pursuant to Article 58 of the Regulation and Articles 157 and 158 of the Code, the processing of personal data of users and employees carried out by Roma Capitale through the "TuPassi" system was declared unlawful. The system, provided by Miropass s.r.l. (hereinafter, the "Company"), had been used since 2015 for the purpose of booking appointments and providing counter services.
With the aforementioned measure, the Guarantor has declared unlawful the processing carried out with this system for violation of Articles 5, 13, 14, 28 and 32 of the Regulation and Articles 13 and 29 of the Code, in relation to the processing carried out prior to the amendments made to the same by Legislative Decree no. 101/2018.
  
In particular, it appears to have been established that the processing was carried out in contrast:
- with the principles of lawfulness, fairness and transparency (Article 5(1)(a)) and with the obligation placed on the data controller to provide information to users and employees (Articles 13 and 14 of the Regulation, formerly Article 13 of the Code, prior to the amendments made to it by Legislative Decree No. 101/2018);
- with the obligation to regulate, by means of an act having the characteristics set out in Article 28, paragraphs 2 and 3 of the Regulation (formerly Article 29 of the Code, prior to the amendments set out in Legislative Decree No. 101/2018), the processing of personal data entrusted, on behalf of the data controller, to the Company within the scope of the assistance and maintenance services of the "TuPassi" system;
- with the obligation to adopt technical and organisational measures to ensure a level of security appropriate to the risk, taking into account, in particular, the nature, object, context, purpose and risks inherent in the processing for the rights and freedoms of natural persons (Article 32 of the Regulation).
  
The same measure prescribed "appropriate corrective actions aimed at eliminating the technical and organisational criticalities (see paras. 3.1 to 4)", ordering the body to communicate the initiatives undertaken within 90 days from the date of receipt of the measure, providing adequately documented feedback in this regard (see the provision cited above).
  
With the note of XX (prot. no. XX), the Office notified the measure to the Entity at the same time as the initiation of the proceedings, pursuant to Article 166, paragraph 5, of the Code, for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulation, inviting the above mentioned data controller to produce to the Guarantor defensive writings or documents or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code; as well as Article 18, paragraph 1, of Law no. 689 of 24/11/1981).
In a note dated XX, prot. XX, the Entity sent its defence in relation to the notified breaches, stating, in particular, that it had "provided for the implementation of all the appropriate activities necessary to ensure the timely compliance with the regulatory requirements" and that it had proceeded "to designate the company [...] as data processor [.... ] with a measure digitally signed on XX (XX)", reserving the right to communicate, within the timeframe and in the manner provided for by measure no. 81 of 2019, "the initiatives undertaken to implement the provisions contained in the measure, with particular reference to the profiles of computer security in data traffic between the systems that make up the Tupassi architecture".
  
In the course of the investigation, the Entity has provided, at different times, also upon specific request of the Office (see, for instance, notes of XX, prot. XX and of XX prot. no. XX), further elements and copious documentation, not always relevant, aimed at documenting the fulfilment of the requirements set forth in order no. 81 of 7 March 2019 (see, minutes of the hearing convened ex officio at the offices of the Guarantor of XX and notes of XX, prot. no. XX, of XX, prot. no. XX and of XX, prot. no. XX).
The complete compliance of the Entity with the requirements set out in the provision of 7 March 2019, no. 81 was finally acknowledged by the Office with the note of XX, prot. no. XX.
'''2.  Conclusions.'''
In light of the declarations made by the data controller in its defence, the truthfulness of which may be called to account pursuant to Article 168 of the Code, and of the documentation produced by the data controller, and taking into account also that the data controller has not contested the substantive aspects ascertained in order no. 81 of 7 March 2019 and notified by the Office with the notice of initiation of proceedings, the Office's assessments regarding the unlawfulness of the processing of personal data of users and employees carried out by the Entity through the "Tu Passi" system for the booking of services at the counter, for violation of Articles 5, 13, 14, 28 and 32 of the Regulation, are confirmed.
  
Although the processing was undertaken by the Entity in the period prior to the entry into force of the Regulation (the "Tu passi" system appears to have been adopted as early as 2015), for the purposes of identifying the applicable legislation, in terms of time, it should be borne in mind that, according to the principle of legality referred to in Article 1, paragraph 2, of Law no. 689/1981, "The laws that provide for administrative sanctions apply only in the cases and times considered therein". From this follows the need to take into consideration the provisions in force at the time of the violation committed; in the case in question, given the permanent nature of the offence contested, this moment must be identified at the time of the cessation of the unlawful conduct, determined with the implementation of the measure of 7 March 2019, no. 81 and therefore in the full force of the provisions of the Regulations and the Code (as amended by Legislative Decree 101/2018).
The breach of the aforementioned provisions therefore makes the administrative sanction provided for in Article 83(4) and (5) of the Regulation applicable, pursuant to Articles 58(2)(i) and 83(5) of the Regulation itself as also referred to in Article 166(2) of the Code.
  
In this context, considering that the conduct has exhausted its effects, since the necessary measures have been adopted over time to comply with the provisions of the aforementioned measure, in order to make the processing compliant with the rules on the protection of personal data, as noted in the note of XX, prot. XX, there are no grounds for the adoption of further corrective measures referred to in Article 58(2) of the Regulation.
  
'''3. Adoption of the injunction order for the application of the pecuniary administrative sanction and of the accessory sanctions (art. 58, par. 2, lett. i and 83 of the Regulation; art. 166, par. 7, of the Code).'''
  
Pursuant to Articles 58(2)(i) and 83 of the Regulation and Article 166 of the Code, the Guarantor has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, within this framework, "the College [of the Guarantor] adopts the injunction order, with which it also orders the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Art. 16, paragraph 1, of the Guarantor's Regulation No. 1/2019).
In this regard, taking into account Article 83, paragraph 3, of the Regulation, in the case in question - also considering the reference contained in Article 166, paragraph 2, of the Code - the violation of the cited provisions is subject to the application of the same administrative pecuniary sanction provided for in Article 83, paragraph 5, of the Regulation.
 
The amount of the aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, shall be determined by taking into due account the elements provided for in Article 83(2) of the Regulation.
In relation to the aforementioned elements, consideration was given to the large number of interested parties (users and employees) who have used the system over time to book and manage appointments with the offices of the Entity and the duration of the overall processing, which began in 2015. Consideration was also given to the manner in which, during the preliminary investigation, the Entity provided the elements of assessment requested by the Office, by means of numerous submissions of documentation, at times irrelevant, with inevitable repercussions on the timeliness of the definition of the procedure, also in the phase of verification of the correct compliance with measure no. 81/2019. This was also due to the operational difficulties encountered by the Data Protection Officer - who, moreover, was subject to changes during the preliminary investigation - in cooperating effectively and adequately acting as a contact person for the administration as well as a "point of contact for the authority for matters related to the processing" (Article 39(1)(d) and (e) of the Regulation), as a result of the not always appropriate organisational choices of the Entity. For the purposes of the overall commensuration of the sanction, it was also considered that in relation to the obligation to provide information to users of the "Tupassi" system, there is a specific previous sanction (cf. act of contestation of administrative violation of 23 May 2018 no. 51, defined with registration, pursuant to Article 18, paragraph 2, of Legislative Decree 101/2018, "with reference to data processing carried out until that date", see point 3.1. prov. no. 81/2019). The same violation was again ascertained, together with the other profiles, during the checks carried out in October 2018 (see, note of XX, prot. no. XX initiating the procedure, pursuant to Article 166, paragraph 5, of the Code).
  
On the other hand, it was considered that, as already pointed out by the Guarantor, some of the contested violations originated from the specific characteristics of the system used by the Body for the booking services, which in the "standard version", originally distributed by the supplying Company, did not allow "to configure "case by case" the typology of the processed data and the maximum retention times, and therefore to respect the principles applicable to the data processing (Art. 5, para. 1, spec. lett. a), b), c) and e) Regulation)". (cf. paragraph 5, Provv. cit.). Without prejudice to the attribution of responsibility to the data controller for the alleged infringements, this circumstance was in any case taken into account for the purposes of calculating the penalty. Account was also taken of the undertaking given by the Entity to bring its processing operations into line with the rules on the protection of personal data (regulation of the relationship with the supplier pursuant to Article 28 of the Regulation, integration of the information notice, suspension of the reporting functions, identification of the data retention periods).
Due to the aforementioned elements, assessed as a whole, it is deemed necessary to determine the amount of the pecuniary sanction also taking into account the first application phase of the sanctioning provisions pursuant to Article 22, paragraph 13, of Legislative Decree 10/08/2018, no. 101, in the amount of EUR 500,000 (five hundred thousand) for the violation of Articles 5, 13, 14, 28 and 32 of the Regulation. In quantifying the sanction, the Garante has taken into particular consideration the fact that the violations are connected to processing that began before the Regulation was finally applied.
Taking into account the particular sensitivity and the number of data processed, it is also considered that the ancillary sanction of the publication of this measure on the website of the Garante, as provided for in Article 166, paragraph 7 of the Code and Article 16 of the Regulation of the Garante no. 1/2019, should apply.
  
Lastly, it should be noted that the conditions set out in Article 17 of Regulation No. 1/2019 concerning internal procedures of external relevance, aimed at performing the tasks and exercising the powers delegated to the Garante, are met.
  
'''HAVING REGARD TO THE FOREGOING, THE SUPERVISOR'''
having noted the unlawfulness of the processing carried out by Roma Capitale on the grounds of breach of Articles 5, 13, 14, 28 and 32 of the Regulation in the terms set out in the grounds;
  
'''ORDERS'''
  
Roma Capitale in the person of its pro-tempore legal representative, with registered office in Rome, p.zza del Campidoglio, tax code 02438750586, pursuant to articles 58, paragraph 2, letter i), and 83, paragraph 5, of the Regulation and 166, paragraph 2, of the Code, to pay the sum of EUR 500,000.00 (five hundred thousand) by way of pecuniary administrative sanction for the violations indicated in the grounds; it should be noted that the offender, pursuant to art. 166, paragraph 8, of the Code (see also art. 10, paragraph 3, of the legislative decree no. 150 of 1/9/2011), has the right to settle the dispute by paying, within the term of 30 days, an amount equal to half of the fine imposed, according to the modalities indicated in the annex;
  
'''ENJOINS'''
  
Roma Capitale to pay the sum of euro 500,000.00 (five hundred thousand) in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, in accordance with the procedures indicated in the annex, within 30 days of the notification of this measure, under penalty of the adoption of the consequent executive measures pursuant to art. 27 of law no. 689/1981;
  
'''DISPOSES'''
  
pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the website of the Guarantor, considering that the conditions of art. 17 of the Regulation of the Guarantor no. 1/2019 are met.
  
Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the measure itself, or within sixty days if the appellant resides abroad.
  
Rome, 17 December 2020
  
THE PRESIDENT
Stanzione
  
THE REPORTER
Stanzione
  
THE SECRETARY GENERAL
 
Mattei
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
src="https://www.garanteprivacy.it/o/garante-privacy-theme/images/social/linkedin.png" title="LinkedIn" alt="LinkedIn" /></a></td></tr></table> <span style="margin-left: 14px; margin-top: 2px;">Sharing <span class="helper-hidden-accessible">Sharing</span></span> </div></div><div id="readspeaker_button1" class="rs_skip rsbtn rs_preserve" style="margin-top:40px;"> <a class="rsbtn_play" accesskey="L" title="Listen to this page with ReadSpeaker" href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=7205&amp;lang=it_it&amp;readid=content-area&amp;url=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9524175"><span class="rsbtn_left rsimg rspart"><span class="rsbtn_text"><span>Listen</span></span></span><span class="rsbtn_right rsimg rsplay rspart"></span></a> </div><div id="content-area"><div class="testo"><p style="text-align: right;"></p><p style="text-align: right;"> <span style="font-size:14px;">SEE ALSO: <a href="/garante/doc.jsp?ID=9525359">Newsletter of 25 January 2021</a></span></p><p style="text-align: right;"></p><p style="text-align: right;"> <span style="font-size:12px;">[doc. web n. 9524175]</span></p><p> <strong><span style="font-size:12px;">Injunction order against Roma Capitale - 17 December 2020</span></strong><span style="font-size:12px;"></span></p><p style="text-align: right;"> <span style="font-size:12px;">Record of measures<br /> n. 280 of 17 December 2020</span></p><p style="text-align: center;"><span style="font-size:12px;"></span> <strong><span style="font-size:12px;">THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA</span></strong><span style="font-size:12px;"></span></p><p style="text-align: justify;"> <span style="font-size:12px;">IN today&#39;s meeting, which was attended by prof. Pasquale Stazione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer. Guido Scorza, members, and the cons. 
Fabio Mattei, general secretary;</span></p><p style="text-align: justify;"> <span style="font-size:12px;">GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / CE, &quot;General Data Protection Regulation&quot; (hereinafter, &quot;Regulation&quot;);</span></p><p style="text-align: justify;"> <span style="font-size:12px;">GIVEN the legislative decree 30 June 2003, n. 196 containing the &quot;Code regarding the protection of personal data, containing provisions for the adaptation of the national system to the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to to the processing of personal data, as well as to the free circulation of such data and which repeals Directive 95/46 / EC (hereinafter the &quot;Code&quot;);</span></p><p style="text-align: justify;"> <span style="font-size:12px;">GIVEN the Regulation n. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in GU n. 106 of 8/5/2019 and in www.gpdp.it, doc. web n. <a href="/garante/doc.jsp?ID=9107633">9107633</a> (hereinafter &quot;Regulation of the Guarantor no. 1/2019&quot;);</span></p><p style="text-align: justify;"> <span style="font-size:12px;">GIVEN the documentation in the deeds;</span></p><p style="text-align: justify;"> <span style="font-size:12px;">GIVEN the observations made by the Secretary General pursuant to art. 15 of the Guarantor&#39;s Regulation n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web n. 
<a href="/garante/doc.jsp?ID=1098801">1098801</a> ;</span></p><p style="text-align: justify;"> <span style="font-size:12px;">RAPPORTEUR prof. Pasquale Station;</span></p><p style="text-align: center;"> <strong><span style="font-size:12px;">WHEREAS</span></strong></p><p> <strong><span style="font-size:12px;">1. Unlawfulness of the processing of personal data carried out by Roma Capitale through the “Tu Passi” booking system.</span></strong></p><p style="text-align: justify;"> <span style="font-size:12px;">With <a href="/garante/doc.jsp?ID=9121890">provision no. 81 of 7 March 2019</a> , adopted following a complex investigation and investigations carried out pursuant to art. 58 of the Regulation and 157 and 158 of the Code, the unlawfulness of the processing of personal data of users and employees carried out by Roma Capitale through the &quot;TuPassi&quot; system, provided by Miropass srl (hereinafter, the &quot;Company&quot;), was declared, used, since 2015, for the purpose of booking appointments and providing counter services.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">With the aforementioned provision, the Guarantor declared the processing carried out with this system unlawful for violation of articles 5, 13, 14, 28 and 32 of the Regulation and articles 13 and 29 of the Code, in relation to the treatments carried out prior to the changes made to the same. from the legislative decree n. 
101/2018.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">In particular, it is established that the processing was carried out in contrast:</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- with the principles of lawfulness, correctness and transparency (articles 5, paragraph 1, letter a) and with the obligation, placed on the head of the data controller, to provide information to users and employees (articles 13 and 14 of the Regulations, formerly art.13 of the Code, prior to the amendments referred to in Legislative Decree no.101 / 2018);</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- with the obligation to regulate, with an act having the characteristics referred to in art. 28, paragraphs 2 and 3 of the Regulation (formerly Article 29 of the Code, prior to the amendments referred to in Legislative Decree No. 101/2018), the processing of personal data entrusted, on behalf of the owner, to the Company the assistance and maintenance services of the “TuPassi” system;</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">- with the obligation to adopt technical and organizational measures to ensure a level of security appropriate to the risk, taking into account, in particular, the nature, object, context, purposes and risks inherent in the processing of rights and freedom of natural persons (Article 32 of the Regulation).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">The same provision prescribed &quot;adequate corrective actions aimed at eliminating technical and organizational criticalities (see par. 
3.1 to 4)&quot;, ordering the Entity to communicate the initiatives undertaken, within 90 days from the date of receipt of the provision, providing in this regard an adequately documented confirmation (see provision cit.).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">With the note of the XX (prot. N. XX), the Office notified the provision to the Entity at the same time as the start of the procedure, pursuant to art. 166, paragraph 5, of the Code, for the adoption of the measures referred to in article 58, paragraph 2, of the Regulations, inviting the aforementioned holder to produce defensive writings or documents to the Guarantor or to ask to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of the law n. 689 of 24/11/1981).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">With a note of the XX, prot. XX, the Entity sent its defense writings in relation to the notified violations, representing, in particular, that it &quot;provided for the implementation of all the appropriate activities of competence necessary to ensure timely compliance with the regulatory requirements&quot; and to have proceeded “To the designation of the company […] as data processor [….] With a provision digitally signed on XX (XX)”, reserving also the right to communicate, within the timeframe and in the manner provided for by provision no. 81 of 2019, &quot;the initiatives undertaken for the implementation of the provisions contained in the provision, with particular reference to the IT security profiles in the data traffic between the systems making up the Tupassi architecture&quot;.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">During the investigation, the Entity provided, at different times, also at the specific request of the Office (see, for example, notes of the XX, prot. XX and of the XX prot. No. 
XX), further elements and a copious documentation, not always relevant, aimed at documenting the fulfillment of the requirements of provision no. 81 of 7 March 2019 (see, minutes of the hearing convened ex officio at the offices of the Guarantor of the XX and notes of the XX, prot.n.XX, of the XX, prot.n.XX and of the XX, prot. N. XX).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">The full compliance by the Entity with the prescriptions issued with the provision of 7 March 2019, n. 81 was definitively detected by the Office with the note of the XX, prot. XX.</span></p><p> <strong><span style="font-size:12px;">2. Conclusions.</span></strong></p><p style="text-align: justify;"> <span style="font-size:12px;">In light of the statements made by the data controller in the defense writings ˗ whose veracity one may be called to answer pursuant to art. 168 of the Code ˗ and the documentation produced by the same, also taking into account that the owner has not contested the merit profiles ascertained with the provision of 7 March 2019, n. 81 and notified by the Office with the act of initiation of the procedure, the assessments of the Office regarding the unlawfulness of the processing of personal data, of users and employees, carried out by the Entity through the &quot;Tu Passi&quot; system for the booking of services at the counter, for violation of articles 5, 13, 14, 28 and 32 of the Regulations.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">Although the processing was undertaken by the Entity in the period prior to the entry into force of the Regulation (the &quot;Tu Passi&quot; system has in fact been adopted since 2015), in order to identify the applicable legislation, in terms of time, it is necessary to keep in mind that, based on the principle of legality referred to in art. 
1, paragraph 2, of Law 689/1981, &quot;Laws that provide for administrative sanctions are applied only in the cases and times considered in them&quot;. From this follows the need to take into consideration the provisions in force at the time of the violation committed; in the case in question, given the permanent nature of the alleged offense, this moment must be identified at the time of the cessation of the unlawful conduct, determined with the implementation of the provision of 7 March 2019, n. 81 and therefore in full force of the provisions of the Regulation and the Code (as amended by Legislative Decree 101/2018).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">The violation of the aforementioned provisions therefore makes the administrative sanction envisaged by art. 83, par. 4 and 5 of the Regulation, pursuant to art. 58, par. 2, lett. i) and 83, par. 5, of the same Regulation as also referred to by art. 166, paragraph 2, of the Code.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">In this context, considering that the conduct has exhausted its effects, having been, over time, taken the necessary measures to fulfill the requirements of the aforementioned provision, to make the processing compliant with the personal data protection regulations, as noted with note of the XX, prot. XX the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation.</span></p><p> <strong><span style="font-size:12px;">3. Adoption of the injunction order for the application of the pecuniary administrative sanction and ancillary sanctions (articles 58, par. 2, lett. I and 83 of the Regulations; art. 166, paragraph 7, of the Code).</span></strong></p><p style="text-align: justify;"> <span style="font-size:12px;">The Guarantor, pursuant to art. 58, par. 2, lett. i) and 83 of the Regulations as well as art. 
166 of the Code, has the power to &quot;inflict an administrative pecuniary sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or instead of such measures, depending on the circumstances of each single case&quot; and, in this context, &quot;the College [of the Guarantor] adopts the injunction order, with which it also disposes with regard to the application of the ancillary administrative sanction of its publication, in whole or in excerpt, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code&quot; (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">In this regard, taking into account art. 83, par. 3, of the Regulation, in the present case - also considering the reference contained in art. 166, paragraph 2, of the Code - the violation of the aforementioned provisions is subject to the application of the same pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">The aforementioned administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the elements provided for by art. 83, par. 2, of the Regulation.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">In relation to the aforementioned elements, the large number of interested parties (users and employees) who have used the system for booking and managing appointments with the offices of the Entity and the duration of the overall treatment, which began in 2015, was considered. 
The methods with which, during the investigation, the Entity provided the elements of evaluation requested by the Office were also considered, by sending numerous documents, sometimes not pertinent, with inevitable repercussions on the timeliness of the definition of the procedure, also in the phase of verifying the correct fulfillment of provision no. 81/2019. This, also due to the operational difficulties encountered by the person in charge of data protection - however subject to changes during the investigation -, in cooperating effectively and acting adequately as a contact person for the administration as well as a &quot;contact point for the authority for issues related to processing&quot; (Article 39, paragraph 1, letter d) and e) of the Regulations), due to the not always appropriate organizational choices of the Entity. For the purposes of the overall measurement of the sanction, it was also considered that in relation to the obligation to inform users of the &quot;Tupassi&quot; system there is a specific precedent sanction (see notice of administrative violation of 23 May 2018 no. 51, defined with registration in the role, pursuant to Article 18, paragraph 2, of Legislative Decree 101/2018, &quot;with reference to the processing of data carried out up to that date&quot;, see point 3.1. provision no. 81/2019). The same violation was again ascertained, together with the other profiles, during the checks carried out in October 2018 (see note of XX, prot. XX of the start of the procedure, pursuant to art. 
5, of the Code).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">On the other hand, it was considered that, as already noted by the Guarantor, some of the alleged violations originated from the specific characteristics of the system used by the Institution for booking services, which in the &quot;standard version&quot;, originally distributed by the supplier company, did not allow &quot;To configure&quot; case by case &quot;the type of data processed and the maximum retention times, and therefore to comply with the principles applicable to data processing (Article 5, paragraph 1, spec. Letter a), b), c) and e) Regulations)&quot; (see par. 5, Provv. cit.). Without prejudice to the attribution of the responsibility of the owner for the alleged violations, this circumstance was nevertheless taken into consideration for the purpose of calculating the sanction. Account was also taken of the commitment expressed by the Entity to conform the treatments to the regulations on the protection of personal data (regulation of the relationship with the supplier pursuant to art.28 of the Regulation, integration of the information, suspension of functions reporting, identification of data retention times).</span></p><p style="text-align: justify;"> <span style="font-size:12px;">On the basis of the aforementioned elements, assessed as a whole, it is deemed necessary to determine the amount of the pecuniary sanction also taking into account the phase of first application of the sanctions pursuant to art. 22, paragraph 13, of the d. lgs. 10/08/2018, n. 101, to the extent of € 500,000 (five hundred thousand) for the violation of Articles 5, 13, 14, 28 and 32 of the Regulation. 
In quantifying the sanction, the Guarantor took particular account of the fact that the violations are connected to a treatment started before the definitive application of the Regulation.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">Taking into account the particular delicacy and number of data processed, it is also believed that the accessory sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.</span></p><p style="text-align: justify;"> <span style="font-size:12px;">Finally, it should be noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.</span><span style="font-size:12px;"></span></p><p style="margin-left: 40px; text-align: center;"> <strong><span style="font-size:12px;">WHEREAS, THE GUARANTOR</span></strong></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">the unlawfulness of the processing carried out by Roma Capitale for violation of Articles 5, 13, 14, 28 and 32 of the Regulations in the terms set out in the motivation;</span><span style="font-size:12px;"></span></p><p style="margin-left: 40px; text-align: center;"> <strong><span style="font-size:12px;">ORDER</span></strong></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">to Roma Capitale in the person of the pro-tempore legal representative, with registered office in Rome, Piazza del Campidoglio, CF 02438750586, pursuant to art. 58, par. 2, lett. i), and 83, par. 5, of the Regulation and 166, paragraph 2, of the Code, to pay the sum of € 500,000.00 (five hundred thousand) as a pecuniary administrative sanction for the violations indicated in the motivation; it is represented that the offender, pursuant to art. 
166, paragraph 8, of the Code (see also art.10, paragraph 3, of the legislative decree n.150 of 1/9/2011), has the right to settle the dispute by payment, within the term of 30 days, of an amount equal to half of the sanction imposed, according to the methods indicated in the annex;</span></p><p style="margin-left: 40px; text-align: center;"> <strong><span style="font-size:12px;">ENJOINS</span></strong></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">to Roma Capitale to pay the sum of € 500,000.00 (five hundred thousand) in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, according to the methods indicated in the annex, within 30 days from the notification of this provision, under penalty of adoption of the consequent executive acts pursuant to art. 27 of Law 689/1981;</span><span style="font-size:12px;"></span></p><p style="margin-left: 40px; text-align: center;"> <strong><span style="font-size:12px;">PROVIDES FOR</span></strong></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the website of the Guarantor, considering that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019.</span></p><p style="text-align: justify; margin-left: 40px;"> <span style="font-size:12px;">Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of the legislative decree 1 September 2011, n. 
150, against this provision, it is possible to appeal to the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.</span></p><p style="text-align: justify;"><span style="font-size:12px;"></span> <em><span style="font-size:12px;">Rome, December 17, 2020</span></em><span style="font-size:12px;"></span></p><p style="text-align: right;"> <span style="font-size:12px;">PRESIDENT<br /> Stanzione</span><span style="font-size:12px;"></span></p><p style="text-align: right;"> <span style="font-size:12px;">THE RAPPORTEUR<br /> Stanzione</span></p><p style="text-align: right;"> <span style="font-size:12px;">THE SECRETARY GENERAL<br /> Mattei</span> </p></div></div><br /></div><hr /></div></div></div></div></section></div></div></div></div></div></section></div><script type="text/javascript">
// <![CDATA[
 
 
 
 
Liferay.Portlet.onLoad(
 
{
 
canEditTitle: false,
 
columnPos: 0,
 
isStatic: 'end',
 
namespacedId: 'p_p_id_MenuPortlet_INSTANCE_gOpqEbGKfxmQ_',
 
portletId: 'MenuPortlet_INSTANCE_gOpqEbGKfxmQ',
 
refreshURL: '\x2fc\x2fportal\x2frender_portlet\x3fp_l_id\x3d10563\x26p_p_id\x3dMenuPortlet_INSTANCE_gOpqEbGKfxmQ\x26p_p_lifecycle\x3d0\x26p_t_lifecycle\x3d0\x26p_p_state\x3dnormal\x26p_p_mode\x3dview\x26p_p_col_id\x3dcolumn-5\x26p_p_col_pos\x3d0\x26p_p_col_count\x3d1\x26p_p_isolated\x3d1\x26currentURL\x3d\x252Fweb\x252Fguest\x252Fhome\x252Fdocweb\x252F-\x252Fdocweb-display\x252Fdocweb\x252F9524175',
 
refreshURLData: {}
 
}
 
);
 
 
 
 
Liferay.Portlet.register('GSolrFormWeb');
 
 
 
 
Liferay.Portlet.onLoad(
 
{
 
canEditTitle: false,
 
columnPos: 0,
 
isStatic: 'end',
 
namespacedId: 'p_p_id_GSolrFormWeb_',
 
portletId: 'GSolrFormWeb',
 
refreshURL: '\x2fc\x2fportal\x2frender_portlet\x3fp_l_id\x3d10563\x26p_p_id\x3dGSolrFormWeb\x26p_p_lifecycle\x3d0\x26p_t_lifecycle\x3d0\x26p_p_state\x3dnormal\x26p_p_mode\x3dview\x26p_p_col_id\x3dcolumn-3\x26p_p_col_pos\x3d0\x26p_p_col_count\x3d2\x26p_p_isolated\x3d1\x26currentURL\x3d\x252Fweb\x252Fguest\x252Fhome\x252Fdocweb\x252F-\x252Fdocweb-display\x252Fdocweb\x252F9524175',
 
refreshURLData: {}
 
}
 
);
 
 
 
 
Liferay.Portlet.register('com_liferay_journal_content_web_portlet_JournalContentPortlet_INSTANCE_A9oT');
 
 
 
 
Liferay.Portlet.onLoad(
 
{
 
canEditTitle: false,
 
columnPos: 0,
 
isStatic: 'end',
 
namespacedId: 'p_p_id_com_liferay_journal_content_web_portlet_JournalContentPortlet_INSTANCE_A9oT_',
 
portletId: 'com_liferay_journal_content_web_portlet_JournalContentPortlet_INSTANCE_A9oT',
 
refreshURL: '\x2fc\x2fportal\x2frender_portlet\x3fp_l_id\x3d10563\x26p_p_id\x3dcom_liferay_journal_content_web_portlet_JournalContentPortlet_INSTANCE_A9oT\x26p_p_lifecycle\x3d0\x26p_t_lifecycle\x3d0\x26p_p_state\x3dnormal\x26p_p_mode\x3dview\x26p_p_col_id\x3dcolumn-1\x26p_p_col_pos\x3d0\x26p_p_col_count\x3d1\x26p_p_isolated\x3d1\x26currentURL\x3d\x252Fweb\x252Fguest\x252Fhome\x252Fdocweb\x252F-\x252Fdocweb-display\x252Fdocweb\x252F9524175',
 
refreshURLData: {}
 
}
 
);
 
Liferay.Loader.require('metal-dom/src/all/dom', 'clay-tooltip/src/ClayTooltip', function(metalDomSrcAllDom, clayTooltipSrcClayTooltip) {
 
(function(){
 
var dom = metalDomSrcAllDom;
 
var ClayTooltip = clayTooltipSrcClayTooltip;
 
(function() {var $ = AUI.$;var _ = AUI._;
 
var focusInPortletHandler = dom.delegate(
 
document,
 
'focusin',
 
'.portlet',
 
function(event) {
 
dom.addClasses(dom.closest(event.delegateTarget, '.portlet'), 'open');
 
}
 
);
 
 
 
var focusOutPortletHandler = dom.delegate(
 
document,
 
'focusout',
 
'.portlet',
 
function(event) {
 
dom.removeClasses(dom.closest(event.delegateTarget, '.portlet'), 'open');
 
}
 
);
 
})();(function() {var $ = AUI.$;var _ = AUI._;
 
if (!Liferay.Data.LFR_PORTAL_CLAY_TOOLTIP) {
 
Liferay.Data.LFR_PORTAL_CLAY_TOOLTIP = ClayTooltip.default.init(
 
{
 
selectors: [
 
'.manage-collaborators-dialog .lexicon-icon[data-title]:not(.lfr-portal-tooltip)',
 
'.manage-collaborators-dialog .lexicon-icon[title]:not(.lfr-portal-tooltip)',
 
'.management-bar [data-title]:not(.lfr-portal-tooltip)',
 
'.management-bar [title]:not(.lfr-portal-tooltip)',
 
'.preview-toolbar-container [data-title]:not(.lfr-portal-tooltip)',
 
'.preview-toolbar-container [title]:not(.lfr-portal-tooltip)',
 
'.progress-container[data-title]',
 
'.source-editor__fixed-text__help[data-title]',
 
'.taglib-discussion [data-title]:not(.lfr-portal-tooltip)',
 
'.taglib-discussion [title]:not(.lfr-portal-tooltip):not([title=""])',
 
'.upper-tbar [data-title]:not(.lfr-portal-tooltip)',
 
'.upper-tbar [title]:not(.lfr-portal-tooltip)'
 
]
 
}
 
);
 
}
 
})();})();
 
});AUI().use('aui-tooltip', 'liferay-menu', 'liferay-notice', 'aui-base', 'liferay-session', 'liferay-poller', function(A) {(function() {var $ = AUI.$;var _ = AUI._;
 
if (A.UA.mobile) {
 
Liferay.Util.addInputCancel();
 
}
 
})();(function() {var $ = AUI.$;var _ = AUI._;
 
if (!Liferay.Data.LFR_PORTAL_TOOLTIP) {
 
var triggerShowEvent = ['mouseenter', 'MSPointerDown', 'touchstart'];
 
 
 
if (A.UA.ios) {
 
triggerShowEvent = ['touchstart'];
 
}
 
 
 
Liferay.Data.LFR_PORTAL_TOOLTIP = new A.TooltipDelegate(
 
{
 
constrain: true,
 
opacity: 1,
 
trigger: '.lfr-portal-tooltip',
 
triggerHideEvent: ['click', 'mouseleave', 'MSPointerUp', 'touchend'],
 
triggerShowEvent: triggerShowEvent,
 
visible: false,
 
zIndex: Liferay.zIndex.TOOLTIP
 
}
 
);
 
 
 
Liferay.on(
 
'beforeNavigate',
 
function(event) {
 
Liferay.Data.LFR_PORTAL_TOOLTIP.getTooltip().hide();
 
}
 
);
 
}
 
})();(function() {var $ = AUI.$;var _ = AUI._;
 
new Liferay.Menu();
 
 
 
var liferayNotices = Liferay.Data.notices;
 
 
 
for (var i = 1; i < liferayNotices.length; i++) {
 
new Liferay.Notice(liferayNotices[i]);
 
}
 
 
 
 
})();(function() {var $ = AUI.$;var _ = AUI._;
 
Liferay.Session = new Liferay.SessionBase(
 
{
 
autoExtend: true,
 
redirectOnExpire: false,
 
redirectUrl: 'https\x3a\x2f\x2fwww\x2egaranteprivacy\x2eit\x2fweb\x2fguest',
 
sessionLength: 600,
 
warningLength: 0
 
}
 
);
 
 
 
 
})();});
 
// ]]>
 
</script><script src="https://www.garanteprivacy.it/o/garante-privacy-theme/js/main.js?browserId=other&amp;minifierType=js&amp;languageId=it_IT&amp;b=7201&amp;t=1610097796000" type="text/javascript"></script><script type="text/javascript">
 
 
</script><!-- inject:js --><!-- endinject --></body></html>
 
</pre>
 

Latest revision as of 13:19, 24 March 2021

Garante per la protezione dei dati personali - 9524175
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 13 GDPR
Article 14 GDPR
Article 28(2) GDPR
Article 28(3) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Decided: n/a
Published: 17.12.2020
Fine: 500000 EUR
Parties: Roma Capitale
National Case Number/Name: 9524175
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: n/a

The Italian DPA (Garante) imposed a fine of € 500 000 on the municipality of Rome for illicitly processing personal data of users and employees, through the "TuPassi" appointment booking system, in violation of Articles 5, 13, 14, 28 and 32 GDPR.

English Summary

Facts

By a previous measure (n. 81 of 7 March 2019), the Garante had already declared unlawful the processing carried out by the Municipality of Rome through the "TuPassi" system. On that occasion, the Garante found that the processing violated:

- the principles of lawfulness, fairness and transparency under Article 5(1)(a) GDPR;

- the obligation to provide a privacy notice to data subjects under Articles 13 and 14 GDPR;

- the obligation to regulate the relationship with the processor under Article 28(2) and (3) GDPR;

- the obligation to adopt technical and organizational measures to ensure the security of the processing under Article 32 GDPR.

The processing involved a large amount of personal data, including sensitive data (related to bookings of various healthcare services). The system acquired and stored on the servers of the municipality of Rome, for a long period of time, numerous items of user data relating to reservations (type of service, channel used, date and time of the reservation) and data on the staff employed in the management of appointments. The system also recorded and generated daily reports containing detailed information on work activity (date, type of service, name of the counter attendant, call time and waiting time). All operations were carried out without users or employees having received, as required by the EU Regulation, complete information on the processing operations made possible by the application. The DPA also considered the technical and organizational measures implemented by the Municipality to be inadequate insofar as they did not regulate the relationship with the service provider.

Dispute

The municipality of Rome presented its written defense. In light of that defense, does the DPA still deem the processing unlawful?

Holding

The Garante confirmed the unlawfulness of the processing activity for violation of Articles 5, 13, 14, 28 and 32 GDPR. Exercising the powers conferred by Articles 58(2)(i) and 83 GDPR, it imposed a fine of 500.000 euros on the municipality of Rome.

[doc. web n. 9524175]

Injunction order against Roma Capitale - 17 December 2020

Register of measures No 280 of 17 December 2020

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT TODAY'S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter, "Regulation");

HAVING REGARD TO Legislative Decree No 196 of 30 June 2003 on the "Personal Data Protection Code, laying down provisions for the adaptation of the national system to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC" (hereinafter, the "Code");

HAVING REGARD to Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Garante for the protection of personal data, approved by resolution No. 98 of 4/4/2019, published in G.U. No. 106 of 8/5/2019 and at www.gpdp.it, web doc. No. 9107633 (hereinafter "Garante Regulation No. 1/2019");

HAVING REGARD to the documentation on file;

HAVING REGARD TO the comments made by the Secretary General pursuant to Article 15 of the Regulation of the Garante no. 1/2000 on the organisation and functioning of the office of the Garante for the protection of personal data, web doc. no. 1098801;

REPORTER Prof. Pasquale Stanzione;

WHEREAS

1. Unlawfulness of the processing of personal data carried out by Roma Capitale through the "Tu Passi" booking system.

By order no. 81 of 7 March 2019, adopted following a complex preliminary activity and investigations carried out pursuant to Article 58 of the Regulation and Articles 157 and 158 of the Code, the processing of personal data of users and employees carried out by Roma Capitale through the "TuPassi" system, provided by Miropass s.r.l. (hereinafter, the "Company") and used since 2015 for the purpose of booking appointments and providing counter services, was declared unlawful.

With the aforementioned measure, the Guarantor has declared unlawful the processing carried out with this system for violation of Articles 5, 13, 14, 28 and 32 of the Regulation and Articles 13 and 29 of the Code, in relation to the processing carried out prior to the amendments made to the same by Legislative Decree no. 101/2018.

In particular, it appears to have been established that the processing was carried out in conflict:

- with the principles of lawfulness, fairness and transparency (Article 5(1)(a)) and with the obligation placed on the data controller to provide information to users and employees (Articles 13 and 14 of the Regulation, formerly Article 13 of the Code, prior to the amendments made to it by Legislative Decree No. 101/2018);

- with the obligation to regulate, by means of an act having the characteristics set out in Article 28, paragraphs 2 and 3 of the Regulation (formerly Article 29 of the Code, prior to the amendments set out in Leg. Decree No. 101/2018), the processing of personal data entrusted, on behalf of the controller, to the Company within the scope of the assistance and maintenance services of the "TuPassi" system;

- with the obligation to adopt technical and organisational measures to ensure a level of security appropriate to the risk, taking into account, in particular, the nature, object, context, purpose and risks inherent in the processing for the rights and freedoms of natural persons (Article 32 of the Regulation).

The same measure prescribed "appropriate corrective actions aimed at eliminating the technical and organisational criticalities (see paras. 3.1 to 4)", ordering the body to communicate the initiatives undertaken within 90 days from the date of receipt of the measure, providing adequately documented feedback in this regard (see the provision cited above).

With the note of XX (prot. no. XX), the Office notified the measure to the Entity at the same time as the initiation of the proceedings, pursuant to Article 166, paragraph 5, of the Code, for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulation, inviting the above mentioned data controller to produce to the Guarantor defensive writings or documents or to ask to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code; as well as Article 18, paragraph 1, of Law no. 689 of 24/11/1981).

In a note dated XX, prot. XX, the Entity sent its defence in relation to the notified breaches, stating, in particular, that it had "provided for the implementation of all the appropriate activities necessary to ensure the timely compliance with the regulatory requirements" and that it had proceeded "to designate the company [...] as data processor [...] with a measure digitally signed on XX (XX)", reserving the right to communicate, within the timeframe and in the manner provided for by measure no. 81 of 2019, "the initiatives undertaken to implement the provisions contained in the measure, with particular reference to the profiles of computer security in data traffic between the systems that make up the Tupassi architecture".

In the course of the investigation, the Entity has provided, at different times, also upon specific request of the Office (see, for instance, notes of XX, prot. XX and of XX prot. no. XX), further elements and copious documentation, not always relevant, aimed at documenting the fulfilment of the requirements set forth in order no. 81 of 7 March 2019 (see, minutes of the hearing convened ex officio at the offices of the Guarantor of XX and notes of XX, prot. no. XX, of XX, prot. no. XX and of XX, prot. no. XX).

The complete compliance of the Entity with the requirements set out in the provision of 7 March 2019, no. 81 was finally acknowledged by the Office with the note of XX, prot. no. XX.

2. Conclusions.

In light of the declarations made by the data controller in its defence, for the truthfulness of which it may be called to account pursuant to Article 168 of the Code, and the documentation produced by the data controller, and taking into account also that the data controller has not contested the substantive aspects ascertained in order no. 81 of 7 March 2019 and notified by the Office with the act of initiation of the proceedings, the Office's assessments regarding the unlawfulness of the processing of personal data of users and employees carried out by the Entity through the "Tu Passi" system for the booking of services at the counter, for violation of Articles 5, 13, 14, 28 and 32 of the Regulation, are confirmed.

Although the processing was undertaken by the Entity in the period prior to the entry into force of the Regulation (the "Tu passi" system appears to have been adopted as early as 2015), for the purposes of identifying the applicable legislation, in terms of time, it should be borne in mind that, according to the principle of legality referred to in Article 1, paragraph 2, of Law no. 689/1981, "The laws that provide for administrative sanctions apply only in the cases and times considered therein". From this follows the need to take into consideration the provisions in force at the time of the violation committed; in the case in question, given the permanent nature of the offence contested, this moment must be identified at the time of the cessation of the unlawful conduct, determined with the implementation of the measure of 7 March 2019, no. 81 and therefore in the full force of the provisions of the Regulation and the Code (as amended by Legislative Decree 101/2018).

The breach of the aforementioned provisions therefore makes the administrative sanction provided for in Article 83(4) and (5) of the Regulation applicable, pursuant to Articles 58(2)(i) and 83(5) of the Regulation itself as also referred to in Article 166(2) of the Code.

In this context, considering that the conduct has exhausted its effects, since the necessary measures have been adopted over time to comply with the provisions of the aforementioned measure, in order to make the processing compliant with the rules on the protection of personal data, as noted in the note of XX, prot. XX, there are no grounds for the adoption of further corrective measures referred to in Article 58(2) of the Regulation.

3. Adoption of the injunction order for the application of the pecuniary administrative sanction and of the accessory sanctions (art. 58, par. 2, lett. i and 83 of the Regulation; art. 166, par. 7, of the Code).

Pursuant to Articles 58(2)(i) and 83 of the Regulation and Article 166 of the Code, the Guarantor has the power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case" and, within this framework, "the College [of the Guarantor] adopts the injunction order, with which it also orders the application of the accessory administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Art. 16, paragraph 1, of the Guarantor's Regulation No. 1/2019).

In this regard, taking into account Article 83, paragraph 3, of the Regulation, in the case in question - also considering the reference contained in Article 166, paragraph 2, of the Code - the violation of the cited provisions is subject to the application of the same administrative pecuniary sanction provided for in Article 83, paragraph 5, of the Regulation.

The amount of the aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, shall be determined by taking into due account the elements provided for in Article 83(2) of the Regulation.

In relation to the aforementioned elements, consideration was given to the large number of interested parties (users and employees) who have used the system over time to book and manage appointments with the offices of the Entity and the duration of the overall processing, which began in 2015. Consideration was also given to the manner in which, during the preliminary investigation, the Entity provided the elements of assessment requested by the Office, by means of numerous submissions of documentation, at times irrelevant, with inevitable repercussions on the timeliness of the definition of the procedure, also in the phase of verification of the correct compliance with measure no. 81/2019. This was also due to the operational difficulties encountered by the Data Protection Officer - who, moreover, was subject to changes during the preliminary investigation - in cooperating effectively and adequately acting as a contact person for the administration as well as a "point of contact for the authority for matters related to the processing" (Article 39(1)(d) and (e) of the Regulation), as a result of the not always appropriate organisational choices of the Entity. For the purposes of the overall commensuration of the sanction, it was also considered that in relation to the obligation to provide information to users of the "Tupassi" system, there is a specific previous sanction (cf. act of contestation of administrative violation of 23 May 2018 no. 51, defined with registration, pursuant to Article 18, paragraph 2, of Legislative Decree 101/2018, "with reference to data processing carried out until that date", see point 3.1. prov. no. 81/2019). The same violation was again ascertained, together with the other profiles, during the checks carried out in October 2018 (see, note of XX, prot. no. XX initiating the procedure, pursuant to Article 166, paragraph 5, of the Code).

On the other hand, it was considered that, as already pointed out by the Guarantor, some of the contested violations originated from the specific characteristics of the system used by the Entity for the booking services, which in the "standard version", originally distributed by the supplying Company, did not allow "to configure 'case by case' the typology of the processed data and the maximum retention times, and therefore to respect the principles applicable to the data processing (Art. 5, para. 1, spec. lett. a), b), c) and e) Regulation)" (cf. paragraph 5, Provv. cit.). Without prejudice to the attribution of responsibility to the data controller for the alleged infringements, this circumstance was in any case taken into account for the purposes of calculating the penalty. Account was also taken of the undertaking given by the Entity to bring its processing operations into line with the rules on the protection of personal data (regulation of the relationship with the supplier pursuant to Article 28 of the Regulation, integration of the information notice, suspension of the reporting functions, identification of the data retention periods).

Due to the aforementioned elements, assessed as a whole, it is deemed necessary to determine the amount of the pecuniary sanction also taking into account the first application phase of the sanctioning provisions pursuant to Article 22, paragraph 13, of Legislative Decree 10/08/2018, no. 101, in the amount of EUR 500,000 (five hundred thousand) for the violation of Articles 5, 13, 14, 28 and 32 of the Regulation. In quantifying the sanction, the Garante has taken into particular consideration the fact that the violations are connected to processing that began before the Regulation was finally applied.

Taking into account the particular sensitivity and the number of data processed, it is also considered that the ancillary sanction of the publication of this measure on the website of the Garante, as provided for in Article 166, paragraph 7 of the Code and Article 16 of the Regulation of the Garante no. 1/2019, should apply.

Lastly, it should be noted that the conditions set out in Article 17 of Regulation No. 1/2019 concerning internal procedures of external relevance, aimed at performing the tasks and exercising the powers delegated to the Garante, are met.

HAVING REGARD TO THE FOREGOING, THE GUARANTOR

having noted the unlawfulness of the processing carried out by Roma Capitale on the grounds of breach of Articles 5, 13, 14, 28 and 32 of the Regulation in the terms set out in the grounds;

ORDERS

Roma Capitale in the person of its pro-tempore legal representative, with registered office in Rome, p.zza del Campidoglio, tax code 02438750586, pursuant to articles 58, paragraph 2, letter i), and 83, paragraph 5, of the Regulation and 166, paragraph 2, of the Code, to pay the sum of EUR 500,000.00 (five hundred thousand) by way of pecuniary administrative sanction for the violations indicated in the grounds; it should be noted that the offender, pursuant to art. 166, paragraph 8, of the Code (see also art. 10, paragraph 3, of the legislative decree no. 150 of 1/9/2011), has the right to settle the dispute by paying, within the term of 30 days, an amount equal to half of the fine imposed, according to the modalities indicated in the annex;

ENJOINS

Roma Capitale to pay the sum of euro 500,000.00 (five hundred thousand) in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, in accordance with the procedures indicated in the annex, within 30 days of the notification of this measure, under penalty of the adoption of the consequent executive measures pursuant to art. 27 of law no. 689/1981;

DISPOSES

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the website of the Guarantor, considering that the conditions of art. 17 of the Regulation of the Guarantor no. 1/2019 are met.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the measure itself, or within sixty days if the appellant resides abroad.

Rome, 17 December 2020

THE PRESIDENT Stanzione

THE REPORTER Stanzione

THE SECRETARY GENERAL Mattei