Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante fines Casilino Polyclinic of Rome €30,000 for unlawful data processing in relation to COVID-19 measures

The Italian data protection authority ('Garante') issued, on 20 October 2022, its Decision No. 356, in which it imposed a fine of €30,000 on Casilino Polyclinic of Rome, for violations of Articles 5(1)(a), 5(1)(b), and 9 of the General Data Protection Regulation (Regulation (EU) 679/2016) ('GDPR'), Article 75 of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR ('the Code'), Law No. 87 of 17 June 2021, Legislative Decree No. 44 of 1 April 2021, and the Decree of the President of the Council of Ministries of 17 June 2021, following a complaint submitted by an individual.

Background to the decision

In particular, the Garante reported that the complainant had stated that the Polyclinic only allowed access to its outpatient clinics to those holding a COVID-19 green certificate, alleging a violation of data protection requirements.

Findings of the Garante

Further to the above, the Garante explained that, while the special measures adopted during the COVID-19 pandemic may have required the processing of personal data, such processing activities could not be exempted from complying with the rules in force on the protection of personal data, and, in particular, with the principles laid down by Article 5 of the GDPR. As such, at the end of the investigation carried out, the Garante found that the processing, which lasted until June 2022, involved data on the health status of a significant number of data subjects (150,000 to 200,000 outpatient accesses) in breach of Articles 5(1)(a), 5(1)(b), and 9 of the GDPR, Article 75 of the Code, and the sectoral legislation.

In light of the nature of the violations ascertained, the Garante deemed it appropriate to issue a fine of €30,000. However, considering that the Polyclinic had remedied the shortcomings by changing the procedures of the access to its outpatient services, the Garante did not impose any corrective measures.


In conclusion, the Garante issued the aforementioned fine and highlighted that the Polyclinic has 30 days to lodge an appeal before the judicial authority.

You can read the decision, only available in Italian, here.