Garante per la protezione dei dati personali (Italy) - 9556625
| Garante per la protezione dei dati personali - 9556625 | |
|---|---|
 | |
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1) GDPR Article 6(2) GDPR Article 37(1) GDPR Article 37(7) GDPR art. 2-ter of the Italian Privacy Code |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 11.02.2021 |
| Published: | 11.03.2021 |
| Fine: | 75000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 9556625 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Italian |
| Original Source: | Italian data protection authority website (in IT) |
| Initial Contributor: | Davide C. |
The Italian DPA has fined the Ministry of Economic Development ('MISE') EUR 75,000 for failing to appoint a DPO by May 25, 2018, and for publishing personal data of more than five thousand managers on its website, including their CVs.
English Summary
Facts
Following some reports, the Italian DPA ascertained that the MISE uploaded on its website a list of more than 5,000 managers containing their personal data, including name, tax code, e-mail address, CV, mobile phone and, in some cases, ID and health card. All this data was freely visible and downloadable. The MISE published that list to help SMEs in booking advice from experienced business professionals on the technological and digital processes to manage vouchers provided in compliance with the 2019 Budget Law.
The DPA has also found that the MISE did not appoint a DPO by MAY 25, 2018, as required for all public bodies according to art. 37 GDPR.
Dispute
Holding
The Italian DPA noted that MISE failed to appoint a DPO by the established deadline (May 25, 2018). Furthermore, it has found that there was no adequate legal basis for the online publication of managers' personal data, as there were less intrusive methods to ensure that SMEs would have access to the managers' consultancy services, such as ensuring restricted access to said information through the use of passwords and usernames. As such, the Authority found that the dissemination of their personal information also consisted of disproportionate processing of data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9556625
