Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Italy: Garante fines Casilino Polyclinic of Rome €30,000 for unlawful data processing in relation to COVID-19 measures
The Italian data protection authority ('Garante') issued, on 20 October 2022, its Decision No. 356, in which it imposed a fine of €30,000 on Casilino Polyclinic of Rome, for violations of Articles 5(1)(a), 5(1)(b), and 9 of the General Data Protection Regulation (Regulation (EU) 679/2016) ('GDPR'), Article 75 of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR ('the Code'), Law No. 87 of 17 June 2021, Legislative Decree No. 44 of 1 April 2021, and the Decree of the President of the Council of Ministries of 17 June 2021, following a complaint submitted by an individual.
Background to the decision
In particular, the Garante reported that the complainant had stated that the Polyclinic only allowed access to its outpatient clinics to those holding a COVID-19 green certificate, alleging a violation of data protection requirements.
Findings of the Garante
Further to the above, the Garante explained that, while the special measures adopted during the COVID-19 pandemic may have required the processing of personal data, such processing activities could not be exempted from complying with the rules in force on the protection of personal data, and, in particular, with the principles laid down by Article 5 of the GDPR. As such, at the end of the investigation carried out, the Garante found that the processing, which lasted until June 2022, involved data on the health status of a significant number of data subjects (150,000 to 200,000 outpatient accesses) in breach of Articles 5(1)(a), 5(1)(b), and 9 of the GDPR, Article 75 of the Code, and the sectoral legislation.
In light of the nature of the violations ascertained, the Garante deemed it appropriate to issue a fine of €30,000. However, considering that the Polyclinic had remedied the shortcomings by changing the procedures of the access to its outpatient services, the Garante did not impose any corrective measures.
Outcomes
In conclusion, the Garante issued the aforementioned fine and highlighted that the Polyclinic has 30 days to lodge an appeal before the judicial authority.
You can read the decision, only available in Italian, here.
