Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante fines Health Authority €40,000 for violations of data processing principles

The Italian data protection authority (Garante) published on November 27, 2023, in its newsletter, Decision No. 473 issued on October 12, 2023, in which it imposed a fine of €40,000 on the Territorial Social and Health Authority of Lodi for violations of the General Data Protection Regulation (GDPR), the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR (the Code), following a complaint.  

Background to the decision  

The Garante noted the complainant reported numerous colleagues repeatedly accessed their health dossier at the Lodi Territorial Social and Health Authority.  

Findings of the Garante  

At the end of its investigation, the Garante concluded that the use of the complainant's health dossier resulted in unlawful data processing as it was carried out for purposes other than those of treatment, as well as by subjects who were not involved in the treatment path of the complainant. Therefore, the Lodi Territorial Social and Health Authority was found to have violated the principles of lawfulness and purpose limitation as provided in Article 5(1)(a) and 5(1)(b) of the GDPR. 

In addition, the Garante explained that the processing also violated the principles of transparency, correctness, and data minimization provided in Article 5(1)(a) and 5(1)(c) of the GDPR owing to the lack of access controls for the complainant's health dossier. Furthermore, the Garante noted that the Lodi Territorial Social and Health Authority did not have a system to detect any anomalies that could indicate unlawful processing or use anomaly indicators that violate the principles of integrity and confidentiality as provided in Article 5(1)(f) of the GDPR. 

Outcomes  

Considering the violations that were identified, the Garante imposed a fine of €40,000 on the Lodi Territorial Social and Health Authority.  

In addition, the Garante ordered the Lodi Territorial Social and Health Authority to adopt new procedures and organizational measures to guarantee the protection of patient and employee data. In particular, the hospital is required to adopt automatic alerts for the detection of any anomalies and automatic recording in special log files of accesses and operations performed on a dossier. The changes must be adopted within 90 days of the decision.   

You can read the newsletter here and the decision here, both only available in Italian. 

Feedback