Garante per la protezione dei dati personali (Italy) - 9285411

From GDPRhub
- 9285411
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Type: Complaint
Outcome: Upheld
Decided: 13. 02. 2020
Published: n/a
Fine: 4.000 EUR
Parties: Municipality of Urago d'Oglio
National Case Number/Name: 9285411
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: n/a

the Italian Data Protection Authority (Garante) imposed a fine of EUR 4,000 on the Municipality of Urago d'Oglio for having published the full text of the judgment involving Mrs. XXX - an employee of the Municipality - on its official website. The data controller disseminated personal data of the employee, as well as data related to her health status, without appropriate legal grounds, as required by art. 6 GDPR and art 2-ter and 2-septies of the Italian Privacy Code, and going against the principles of fairness and minimisation set forth by art. 5 GDPR.

English Summary


The Garante examined a complaint submitted by an employee of the Municipality of Urago d'Oglio. The official website of the Municipality published the full text of a judgment containing her personal data, including data related to her health status. Thus, the data controller disseminated this data and users could find it online. It has to be specified that the Municipality deleted the document before the beginning of the proceeding before the Garante.


The Garante had to assess whether such disclosure was justified and lawful, although the controller deleted the document containing the personal data.


The Garante declared that the Municipality of Urago d'Oglio, while having the right to publish the judgement - which is a public document - for transparency purposes, was required not to carry out unnecessary and disproportionate processing of personal data of Mrs. XXX, in breach of art. 5(1) (a)(c) GDPR. It also found that the data controller did not rely on appropriate legal grounds while processing employee's personal data. Indeed, such processing was not based on the cases set forth by art. 6(1) (c)(e) GDPR. Moreover, given that the Municipality was not complying with a legal obligation, nor performing a task carried out in the public interest, the dissemination of personal data, included information related to health status, was unlawful according to art. 2-ter and 2-septies of the Italian Privacy Code. Eventually, the Garante imposed a fine of EUR 4.000, considering the amount and sensitiveness of disseminated data, and, on the other hand, the small budget of the Municipality and the deletion of the document before the proceeding started.


Feel free to add your comment here

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the ***Italian*** original. Please refer to the ***Italian*** original for more details.

to be completed