Italy: Garante fines Thin for processing health data without adopting anonymization techniques
On July 26, 2023, the Italian data protection authority (Garante) announced, in its newsletter, its Decision No. 226, as issued on June 1, 2023, in which it imposed a fine of €15,000 on Thin S.r.l., for violations of the General Data Protection Regulation (GDPR), following a complaint by a general practitioner (GP).
Background to the decision
The Garante explained that Thin was engaged in the implementation of an international project aimed at improving patient care through the collection and analysis of health data. In this regard, the Garante noted GPs adhering to the project were required to add to the management system in use (called 'Medico 2000' and supplied by an IT company working in partnership with Thin) a further functionality that would automatically anonymize patients' data and transmit it to a database held by Thin. In return, GPs could obtain benefits, including financial compensation.
Findings of the Garante
Further to the above, the Garante found that the management system add-on did not allow the effective anonymization of the health data, so Thin unlawfully processed pseudonymized personal data violating Articles 5(1)(a) and 9(2) of the GDPR regarding the principles of lawfulness and transparency. In this regard, the Garante highlighted that the mere substitution of the ID attributed to patients, with an encryption system or an irreversible hash code does not, under any circumstances, constitute an appropriate measure with respect to the requirement of the removal of singularities necessary to qualify the processing operation as anonymization.
Moreover, the Garante ascertained that Thin also violated Article 13 of the GDPR, considering that, based on the erroneous assumption that it was processing anonymized data, it had in fact processed personal data without first providing data subjects with adequate information.
In conclusion, the Garante imposed on Thin the aforementioned fine and deemed it necessary to notify the decision to the National Federation of the Orders of Surgeons and Dentists in order to promote awareness in relation to the issues addressed therein concerning the processing of patients' personal data.