Editing Garante per la protezione dei dati personali (Italy) - 9682641

From GDPRhub


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 54: Line 54:
 
}}
 
}}
  
The Italian DPA (Garante) fined the Trento health authority €150,000 for unlawful disclosure of patient health data in violation of Articles 5 and 9 GDPR.  
+
The Italian DPA (Garante) fines Trento health authority €150.000 for unlawful disclosure of patients’ health data, in violation of Articles 5 and 9 GDPR.  
  
 
== English Summary ==
 
== English Summary ==
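Review bot: the restored summary sentence in this hunk writes the fine as "€150.000" and uses the present tense "fines", where the latest revision has "fined" and "€150,000". In English text the period reads as a decimal separator, so keep the latest revision's "€150,000" and past tense if this undo is saved.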
Line 60: Line 60:
 
=== Facts ===
 
=== Facts ===
 
By a technical mistake, the Trento health authority shared with general practitioners a total of 293 health documents referring to 175 interested parties (including 2 minors) although the interested parties had exercised their right to obscure these documents.  
 
By a technical mistake, the Trento health authority shared with general practitioners a total of 293 health documents referring to 175 interested parties (including 2 minors) although the interested parties had exercised their right to obscure these documents.  
=== Holding ===
 
The Italian DPA considered that the personal data had been shared in violation of art. 75 of the Italian “Codice in materia di protezione dei dati personali” and of [[Article 9 GDPR|Article 9 GDPR]] as well as the principles of lawfulness, integrity and confidentiality of the processing as per [[Article 5 GDPR|Article 5 GDPR]]. 
 
  
In fact, according to [[Article 9 GDPR]], health data may only be disclosed to the person concerned and may only be disclosed to third parties on the basis of an appropriate legal base or on the basis of written authorization by the data subject. In the case under examination, the data subjects explicitly requested not to share their data with their general practitioners, and the DPA therefore found that Article 9 had been violated. 
+
=== Dispute ===
  
The DPA also referred to specific health data guidelines published by the Italian DPA itself (“Linee guida in materia di Dossier sanitario - 4 giugno 2015”) and to Article 75 of the Italian Data Protection Code. According to these guidelines, an important guarantee to protect the confidentiality of the interested party consists in the possibility that the interested party decides to obscure certain data or health documents that can be consulted through the Health Dossier. Since the parties specifically exercised this right, the DPA deemed that these Guidelines, and therefore article 75 of the Italian Code, were also violated. 
 
  
With the power conferred by Article 58(2)(i) and 83 GDPR, the Italian DPA imposed a fine of €150,000 on the Trento health authority.   
+
=== Holding ===
 +
The Italian DPA considered that the personal data has been shared in violation of art. 75 of the Italian “Codice in materia di protezione dei dati personali” and of [[Article 9 GDPR|Article 9 GDPR]] as well as the principles of lawfulness, integrity and confidentiality of the processing as per [[Article 5 GDPR|Article 5 GDPR]].
 +
In fact, according to [[Article 9 GDPR|Article 9 GDPR]], health data may only be disclosed to the person concerned and may only be disclosed to third parties on the basis of an appropriate legal base or on the basis of written authorization by the data subject. In the case under examination the data subjects explicitly requested not to share their data with their general practitioners, the DPA has therefore found Article 9 to be violated.
 +
The DPA also referred to specific health data guidelines published by the Italian DPA itself (“Linee guida in materia di Dossier sanitario - 4 giugno 2015”) and referred to by Article 75 of the Italian Data Protection Code. According to these guidelines, an important guarantee to protect the confidentiality of the interested party consists in the possibility that the interested party decides to obscure certain data or health documents that can be consulted through the Health Dossier. Having the parties specifically exercised this right, the DPA deemed these Guidelines, and therefore article 75 of the Italian Code, also violated.
 +
With the power conferred by Article 58(2)(i) and 83 GDPR, the Italian DPA imposed a fine of €150.000 on the Trento health authority.   
  
 
== Comment ==
 
== Comment ==
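Review bot: the restored text adds a "=== Dispute ===" heading with no body between Facts and Holding; give it content or drop the heading, since the latest revision does not have it. The restored Holding paragraphs also bring back "the personal data has been shared", the comma splice in "the data subjects explicitly requested not to share their data with their general practitioners, the DPA has therefore found Article 9 to be violated", the phrase "Having the parties specifically exercised this right" and the figure "€150.000", all of which the latest revision words differently. Keeping the latest revision's wording for these paragraphs avoids reintroducing them.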
