Garante per la protezione dei dati personali (Italy) - 9863050

From GDPRhub
Revision as of 15:22, 28 March 2023 by Brunello.da (talk | contribs) (→‎Facts)
Garante per la protezione dei dati personali - 9863050
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 9 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Published: 26.01.2023
Fine: 7000 EUR
Parties: Azienda Ospedaliera Bianchi Melacrino Morelli
National Case Number/Name: 9863050
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: DB

X received a third party's medical report from an Italian hospital. Counter operators sent reports by e-mail during the Covid-19 period, contrary to the instruction to deliver them only in person. The Italian DPA declares the processing unlawful and orders payment of €7,000.

English Summary


X complained of having received, from the Bianchi Melacrino Morelli Hospital (hereinafter the "Company"), a report relating to a third party, a patient of the same Company. The Grande Ospedale Metropolitano “Bianchi - Melacrino — Morelli” (G.O.M.) had formalized precise instructions on the procedures to be followed for the delivery of medical reports, which was to take place only brevi manu (by hand).

Counter operators resorted to sending reports by e-mail during the Covid-19 period, not systematically, but only at the express request of those directly involved. The DPA considers that this assessment, carried out independently by the individual operators, appeared to be not without common sense, also considering the particular role of this hospital within the regional hospital network. The counter operators, who in the period of maximum pandemic emergency sometimes contravened the rigid and formal company procedures aimed at protecting confidentiality, did so in pursuit of the most urgent and important public interest, i.e. the one connected to the containment of the pandemic and the continuity of the provision of fundamental and irreplaceable health services at the reference hospital for the whole province of Reggio Calabria.

Considering that the Company has provided suitable assurances, declaring: that it has immediately suspended "the sending of reports online"; that it has sent a request "to the unauthorized third party (…) to destroy the data subject's documentation, not to use the data, and in any case (…) not to disclose to third parties the health records received by mistake (…)"; that it has started a "cycle of extraordinary training activities to inform all UU.OO directors of the incident"; and that it has reiterated "the ban on sending health documentation by e-mail and (...) (highlighted) the need to fully apply the company security measures (...)", the conditions for the adoption of the corrective measures pursuant to Article 58 (2) GDPR.

The Garante declares the unlawfulness of the processing of personal data carried out by the Bianchi Melacrino Morelli Hospital for the violation of Articles 5, 9 and 32 GDPR and of Article 75 of the Code. The Garante orders payment of the sum of €7,000 (seven thousand euros) as an administrative fine for the violations indicated in this provision.


"Health-related data" deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (Recital 51). The regulation on the protection of personal data provides that information on the state of health can only be communicated to the data subject and can be communicated to third parties only on the basis of a suitable legal prerequisite.

The data controller is required to implement "adequate technical and organizational measures to guarantee a level of security appropriate to the risk", taking into account, among other things, "the nature, object, context and purpose of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons" (Article 32 of the Regulation).



English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.