Italy: Garante fines Lazio Region €100,000 for failures related to regional platform
The Italian data protection authority ('Garante') announced, on 3 October 2022, in its monthly newsletter, that it had issued, on 15 September 2022, its decision No. 304, in which it imposed a fine of €100,000 on the Region of Lazio, for violations of Articles 5(1)(a), 5(1)(d), 6, 9, 12, 13, 14, and 24 of the General Data Protection Regulation (Regulation (EU) 679/2016) ('GDPR'), following a complaint submitted by an individual.
Background to the decision
In particular, the Garante reported that the complainant had received an invitation from the Local Health Authority of Rieti to participate in the cervical cancer screening programme, addressed to their daughter who had died in 1995.
Findings of the Garante
Further to the above, at the end of the investigation, the Garante ascertained that, in order to carry out the screening campaigns, local health authorities have been using a regional platform, which contains all the parameters necessary to generate the invitations for the screening programme. Based on this, the Garante found that the complainant's daughter was still regularly registered in the regional platform in question, although she had died some time ago.
Subsequently, the Garante determined that the Region had failed to comply with the principles of lawfulness, fairness, and transparency (Article 5(1)(a) of the GDPR) and of accuracy of the data (Article 5(1)(d) of the GDPR), and had incorrectly identified the legal bases of the processing (Articles 6 and 9 of the GDPR) and the roles played by the persons who, for various reasons, process personal data through the regional platform (Article 24 of the GDPR). In this regard, the Garante noted that the Region, as the data controller, must ensure that the personal data it holds is accurate and, if necessary, updated, taking all reasonable measures to delete or rectify the information it uses in a timely manner. Separately, the Garante also found that the Region, when sending the screening invitation letters, had not correctly provided data subjects with the required information on the processing of their personal data (Articles 12, 13, and 14 of the GDPR).
In light of the established facts, the Garante imposed on the Region a fine of €100,000. Additionally, in quantifying the same, the Garante outlined that it had taken into account, among other things, the fact that the Region had already been sanctioned in the past.
In conclusion, the Garante imposed the aforementioned fine and ordered the Region to correctly identify the roles, purposes, and legal bases of the processing, and to modify and integrate the information to be made available to the data subjects. Lastly, the Garante highlighted that the Region may lodge an appeal against the decision before the ordinary judicial authority within 30 days.