Garante per la protezione dei dati personali (Italy) - 9344061
| Garante per la protezione dei dati personali - N. 9344061 | |
|---|---|
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 34 GDPR; Article 58(2)(e) GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | 14.05.2020 |
| Published: | |
| Fine: | None |
| Parties: | Italian National Social Security Institute (“INPS”) vs. anonymous |
| National Case Number/Name: | N. 9344061 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Italian |
| Original Source: | Garante’s website (in IT) |
| Initial Contributor: | Antonella Luisi |
The Italian Data Protection Authority (“Garante”) found that the personal data breach suffered by the INPS online portal was likely to result in a high risk to the rights and freedoms of the natural persons concerned, and therefore required a communication to the data subjects under Article 34 GDPR.
English Summary
Facts
The INPS notified the Garante of a data breach that had led to unauthorised access, through the INPS online portal, to the personal data of a very large number of taxpayers. The information concerned was directly identifying and included health data, data on employment status and data relating to minors. The Authority also received more than a hundred complaints from individuals who expressed concern about the consequences for their fundamental rights and freedoms and who, in many cases, showed that they had been able to access third parties’ personal data. In the INPS’s view, the access to the data was random, possible only for a limited time, and concerned persons who appeared to have no connection with the data subjects involved. It therefore considered that the breach was not such as to result in a high risk to the rights and freedoms of natural persons, and hence did not require a communication to the data subjects under Article 34 GDPR.
Dispute
The Garante had to establish whether the INPS had acted lawfully with regard to the communication obligation under Article 34 GDPR. In doing so, the Authority also took into account the criteria listed in the Article 29 Working Party Guidelines on personal data breach notification, including the nature of the personal data, the severity of the consequences for the data subjects, and the specific characteristics of the data subjects and of the controller.
Holding
The Garante stressed the need to consider both the probability and the seriousness of the risk to the rights and freedoms of the data subjects on the basis of an objective assessment, unaffected by the specific context in which the INPS had intervened. The Authority therefore concluded that the public notice about the data breach published on the INPS website was not sufficient. Exercising the powers conferred by Article 58(2)(e) GDPR, the Garante ordered the INPS to communicate the personal data breach to the data subjects without undue delay and in any case within fifteen days of receipt of the decision. The Authority also did not rule out imposing a sanction, if applicable, at the conclusion of the ongoing preliminary investigation into the data breach.
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.