Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante reprimands local health authority Roma 1 in abortion-related data mishandling case

The Italian data protection authority (Garante) announced, on June 22, 2023, in its monthly newsletter, its decision No. 165, as issued on April 27, 2023, in which it imposed a reprimand on the Local Health Authority Roma 1, for violations of the General Data Protection Regulation (GDPR), in conjunction with two additional decisions imposed on AMA S.p.A. and the Municipality of Roma Capitale.

Background to the decision

The Garante explained that the investigation was launched further to reports in the media, according to which at the Flaminio cemetery of Roma Capitale, managed by AMA, there were hundreds of white crosses over graves where fetuses had been buried, and labels had been affixed disclosing the data of women who had undergone a termination of pregnancy.

Findings of the Garante

At the end of its investigation, the Garante found that the Local Health Authority had transmitted to AMA the documentation with the women's identification data, which had then been reported in the cemetery registers, potentially leading to the risk of extraction of the personal data of all the women who had undergone a termination of pregnancy in all the hospitals of the area. Moreover, the women's personal information had also been affixed on the crosses, despite the fact that the legislation provides that, for affixing plaques on gravestones, the information to be indicated is only that of the deceased.

As such, the Garante held that the conduct of the Local Health Authority gave rise to the disclosure to AMA of health data which could directly identify women who had undergone a termination of pregnancy (whether spontaneous or voluntary). In light of the foregoing, the Garante found the Local Health Authority in breach of Articles 5(1)(c) and 5(1)(f) of the GDPR.

Outcomes

In conclusion, the Garante imposed on the Local Health Authority a reprimand and ordered the same to implement, within 60 days, certain technical and/or organizational measures, such as obscuring the women's identification data, pseudonymizing or encrypting the data, that would ensure that fetuses and their place of burial could be identified by AMA without allowing the direct identification of the women's identity by third parties.

You can read the newsletter here and the decision here, both only available in Italian.