Garante per la protezione dei dati personali (Italy) - 10057346
| Garante per la protezione dei dati personali - 10057346 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 9 GDPR; Article 32(1) GDPR; Article 32(2) GDPR; Article 33 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 17.07.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 10057346 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Italian |
| Original Source: | Garante per la Protezione dei Dati Personali (in IT) |
| Initial Contributor: | elu |
Due to human error, a clinic disclosed personal data of a patient undergoing IVF treatment to another patient. The clinic notified the DPA who found it sufficient and appropriate to reprimand the controller.
English Summary
Facts
A clinic, the controller, notified the Italian DPA about a personal data breach, as required by Article 33 GDPR. The breach concerned the wrongful disclosure of a form containing the name, surname, and date and place of birth of one couple undergoing IVF treatment to another patient. Specifically, a midwife sent an email containing this form to another IVF patient, who replied within one hour in order to receive a blank form. The midwife promptly requested the deletion of the mistakenly sent form and informed the controller about what had happened. The patient who mistakenly received the form confirmed its deletion to the controller. The controller considered the information in the form emailed to the wrong patient to constitute special-category data under Article 9 GDPR.
The controller argued that the violation was due to mere human error and that the midwife had attended a privacy course given by an external consultancy agency. Moreover, as the receiving patient notified the controller and deleted the wrongfully sent file within two hours, the effects of the data breach were limited. The controller further argued that it had adopted the appropriate safeguards and technical measures required under Article 32(1) and (2) GDPR; these did not come into play in the case at hand because the form that was sent was supposed to be blank.
Holding
The DPA considered that the episode was an isolated one that resulted in no harm, as confirmed by the absence of any complaint from the data subjects. Moreover, the form was promptly deleted and the necessary safeguards to avoid further data breaches were immediately put into place. The controller additionally notified the breach right away and was extremely cooperative throughout the preliminary investigation.
Thus, the DPA found it sufficient and appropriate to reprimand the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.