Garante per la protezione dei dati personali (Italy) - 9344061

From GDPRhub
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Garante per la protezione dei dati personali - N. 9344061
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 34 GDPR
Article 58(2)(e) GDPR
Type: Other
Outcome: n/a
Decided: 14.05.2020
Fine: None
Parties: Italian National Social Security Institute (“INPS”) vs. anonymous
National Case Number/Name: N. 9344061
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante’s website (in IT)
Initial Contributor: Antonella Luisi

The Italian Data Protection Authority (“Garante”) found that the personal data breach the online portal of the INPS suffered was likely to result in a high risk to the rights and freedoms of the natural persons concerned, hence requiring a notification to the data subjects under Article 34 GDPR.

English Summary


The INPS notified the Garante a data breach that occurred leading to unauthorized access to the personal data of a very large number of taxpayers from the INPS online portal. The information concerned was directly identifying and included health data, work situation data and minors’ data. The Authority also received more than a hundred complaints from individuals who expressed their concerns about the consequences for their fundamental rights and freedoms, and in many cases proved to have accessed to third parties’ personal data. In the INPS’s view, the access to the data was random and available for a limited time, and it concerned persons who seemed to have no connection with the data subjects involved. It therefore considered that the breach was not such as to result in a high risk to the rights and freedoms of natural persons, hence not requiring a communication to the data subjects under Article 34 GDPR.


The Garante had to establish whether the INPS acted lawfully with regard to the communication obligation under Article 34 GDPR. In doing so, the Authority also took into account the criteria enumerated in the Article 29 WP Guidelines on Personal data breach notification, including the nature of personal data, the severity of the consequences for the data subjects and the special characteristics of the data subjects and controller.


The Garante stressed the need to consider both the probability and seriousness of the risk to the rights and freedoms of the data subjects based on an objective assessment, without being affected by the specific context in which the INPS intervened. Therefore, the Authority arrived to the conclusion that the public communication on the data breach published on the INPS website was not sufficient. According to the powers conferred by Article 58 (2) (e) GDPR, the Garante ordered the INPS to communicate the personal data breach to the data subjects without undue delay and in any case within fifteen days from the day of receipt of the decision. The Authority did not exclude as well the possibility of imposing a sanction, if applicable, at the outcome of the ongoing preliminary data breach investigation.


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.