Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante fines Local Health Authority Roma 1 €46,000 for publishing health data on website

The Italian data protection authority ('Garante') announced, on 30 June 2022, its Decision No. 199, as issued on 26 May 2022, in which it imposed a fine of €46,000 on Local Health Authority Roma 1, for violation of Articles 5(1)(c), 6(1)(c), 6(1)(e), 6(2), 6(3)(b), 9(1), 9(2), and 9(4) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and Articles 2-ter(1), 2-ter(3), and 2-septies(8) of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR ('the Code'), following an ex officio investigation by the Garante.

Background to the decision

In particular, the Garante reported that the Local Health Authority had published on its website in plain text names and health data of the individuals who, between 2017 and 2018, had requested access to medical documents such as medical records, disability assessments, tests, and technical reports.

Findings of the Garante

Further to the above, as a result of the investigation carried out, the Garante found that the Local Health Authority had violated:

  • the prohibition on the dissemination of health data as set out under Article 2-septies(8) of the Code and Articles 9(1), 9(2), and 9(4) of the GDPR;
  • the principle of data minimisation, as provided for in Article 5(1)(c) of the GDPR;
  • Articles 2-ter(1) and 2-ter(3) of the Code;
  • the basic principles of the processing contained in Articles 5(1)(a) of the GDPR; and
  • Articles 6(1)(c), 6(1)(e), 6(2), and 6(3)(b) of the GDPR.

In light of the established facts, the Garante imposed an administrative fine, and in quantifying the amount of the same, it took into account mitigating factors, such as the accidental nature of the conduct, the absence of complaints from the data subjects concerned, and the timely intervention of the Local Health Authority to remedy the breach.

Outcomes

In conclusion, the Garante imposed the aforementioned fine and ordered the publication of the decision on its website as an ancillary sanction. Lastly, the Garante highlighted that the Local Health Authority has 30 days to settle the dispute by paying an amount equal to half of the sanction imposed and that, within the same timeframe, it may also lodge an appeal before the ordinary judicial authority.

You can read the newsletter here and the decision here, both only available in Italian.