Garante per la protezione dei dati personali (Italy) - 9544504

From GDPRhub
Garante per la protezione dei dati personali - 9544504
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 5(1)(d) GDPR
Article 9 GDPR
Article 32(1)(b) GDPR
Article 58(2)(i) GDPR
Article 83(4) GDPR
Article 83(5) GDPR
Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare
Codice in materia di protezione dei dati personali (Testo coordinato)
Legge 22 maggio 1978, n. 194
Type: Investigation
Outcome: Violation Found
Decided: 27.01.2021
Fine: 50000 EUR
Parties: Azienda USL della Romagna
National Case Number/Name: 9544504
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

The Italian DPA (Garante per la protezione dei dati personali) imposed a fine of €50,000 to Azienda USL della Romagna, a local public health care provider, for contacting a patient at a phone number different from the one she expressly requested to be contacted at.

English Summary


The inquiry from the Garante originated from a data breach notification received by Azienda USL della Romagna on 19 December 2019, for a violation occurred on 1 March 2019 of which the health care provider officially became aware on 17 December 2019. This was only after the data subject claimed for damages, and the provider carried out an internal inquiry.

As the patient was admitted to the gynaecology ward, she asked that no information related to her health status be revealed to any third party. For this purpose, she provided a personal phone number. After her discharge, a tried to contact her in order to give her information about a treatment, but used a different phone number found on the front page of the patient’s medical record, and hence found herself talking to her husband. The information disclosed to the patient's husband only concerned the type of ward to which the patient was admitted.

During the DPA’s investigation, the provider disclosed that the nurse had been formally authorised to process personal data, and she was provided with operating instructions to properly process personal data. Additionally, the USL presented that the procedure to record the health data of the patient was not computerised. Hence, although the form signed by the data subject and containing her refusal to provide information about her health to third parties was included in the medical record, the medical record itself showed on the front page a telephone number that the patient had given to the provider before her hospitalization.

Concerning the data breach itself, the USL reported that the nurse should have communicated with the patient in person at the hospital, right after her release, but she was interrupted by a call from another patient and hence asked the data subject to wait. After having found out that the patient actually left the hospital, the nurse then quickly tried to contact the patient, finding in the company registry the telephone number to contact her.


During the investigative phase, the USL held that it had not notified the data breach to the data subject, because it was still in the process of verifying the situation. It eventually deemed it unnecessary to notify the data subject because the information disclosed by the nurse concerned only the ward where the patient was admitted and not also the reasons for her admission. Moreover, the patient's husband had in the meantime learned from a different source about the reason of his wife’s hospitalization.

The provider also argued that, at the time of the breach, the nurse was in an emergency situation and, in trying to contact the data subject, merely introduced herself to the person who answered the phone and said she needed to talk to her about a treatment, without any explicit reference to her medical condition. For these reasons, the USL considered that the data breach was not attributable either to the fault or to wilful misconduct of the USL itself. Indeed, according to the provider, the data subject herself contributed to the occurrence of the events that led to the data breach, since she left the ward without notice. Moreover, the USL held that the breach was not serious, since it did not concern the disclosure of specific aspects of the hospitalisation, and hence had no negative consequence.

The Garante explained that data protection rules in the field of health require that information on the state of health can only be communicated to third parties “on the basis of an appropriate legal prerequisite or on the indication of the data subject, subject to the latter's written authorisation”.

The Italian Data protection code, moreover, requires “the implementation of procedures, including staff training, aimed at preventing outsiders from making an explicit link between the person concerned and departments or facilities, indicative of the existence of a particular health condition”.

In this context, the nurse's conduct indeed caused an explicit correlation, by an unauthorised third party, between the data subject and a specific indicative ward, of a specific state of health. The communication of personal data was hence “carried out not only in the absence of an appropriate legal basis, but also in violation of the explicit refusal [of the data subject] to allow knowledge by third parties”. This, according to the Garante, resulted in a breach of the principle of fairness.

Neither the technical nor the organisational measures implemented by the USL, including the organisation of medical records and the instructions given to personnel authorised to process personal data, were adequate to ensure respect for the patients' wishes and protect her dignity.

The Garante finally stressed that it should be taken into account that the data subject had undergone treatment for the voluntary interruption of pregnancy, for which the legislator requires the highest possible level of protection of the woman's dignity and privacy.

The Italian DPA finally considered that “the conduct of the data subject is not relevant for the purposes of assessing the unlawfulness of the processing in relation to the breach that occurred, […] regardless of both the supposed causal impact of the conduct of the data subject on the events, and the fact that the data subject's husband learned of the cause of the hospitalisation in another way”.


Following its investigation, the Garante held that “the processing of personal data carried out by Azienda USL della Romagna in the terms set out in the grounds is unlawful, due to the breach of Articles 5(1)(a), (d) and (f), 9 and 32(1)(b) GDPR.” Pursuant to Article 58(2)(i), the DPA hence imposed an administrative fine as per Article 83(4) and (5) GDPR. Given that the conduct had exhausted its effects, and that the USL was implementing new technical and organisational measures deemed adequate to solve the issue that brought to the data breach, the Garante found that no corrective measure was applicable to the case at hand.

Concerning the administrative fine of € 50 000, the Garante explained that the elements taken into account to decide its amount were the following:

  • the significant detrimental impact and serious unlawfulness of the processing;
  • the fact that the processing involved health data;
  • the fact that the conduct is attributable to the USL fault;
  • the “reinforced system of safeguards” provided by Italian law in cases of voluntary termination of pregnancy;
  • the data subject was in a particularly vulnerable position;
  • the DPA was informed about the breach by the provider itself;
  • the infringement involved a single data subject;
  • the USL implemented new technical and organisational measures, and a policy, to solve the issue;
  • the fact that the USL was “extremely cooperative”;
  • the absence of wilful misconduct;
  • the fact that there was no previous relevant infringement committed by the USL and no measure had been previously ordered pursuant to Article 58 GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.