Garante per la protezione dei dati personali (Italy) - 9938413

From GDPRhub
Garante per la protezione dei dati personali - 9938413
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(f) GDPR
Article 10 GDPR
Article 83(5) GDPR
Article 166(2) Codice Privacy
Article 2-octies Codice Privacy
Type: Complaint
Outcome: Upheld
Decided: 31.08.2023
Published: 12.10.2023
Fine: 20,000 EUR
Parties: n/a
National Case Number/Name: 9938413
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: ar

The Italian DPA fined the Italian Bar Association €20,000 for publishing information of two complainant on their website without a legitimate legal basis, in accordance with the combined provisions of Article 10 GDPR and Article 2-octies of the Italian Privacy Code.

English Summary


On 27 August 2020, the complainants, two spouses, brought a complaint to the Italian DPA regarding the publication on the website of an Italian Bar Association (data controller) about certain hearing postponements. According to the complainants, the website of the data controller presented information on hearings of criminal proceedings where the complainants appeared as defendants. This document, which was not anonymised, could also be found and downloaded following a search of their names through the Google search engine.

In a follow-up on 22 September 2020, the complainants provided updates on the matter, informing the DPA that although the document was removed from the website, it still remained indexed on Google and that other non-anonymised documents remained on the web. The complainants argued that the publication of such information had resulted in prejudice against them and damages. For example, they were denied from renting a property because the owner stated to not rent property to convicted criminals.

Following the complaint, the DPA requested the data controller for further information. The data controller issued a response saying that from a procedural point of view, as certain hearings are held in public, the publication of the relevant documents on the website was legitimate. Moreover, these documents were also always posted uncensored on the doors of the Courtrooms and on the notice boards of the Palace of Justice. They further clarified that the lack of information regarding the complainants’ place and date of birth and the tax code prevented their identification.

With regard to the request relating to the anonymisation of the documents in question, the controller stated that it had promptly taken action, when requested by the complainants, to remove the documents from their website. However, they could not take them down from the web portals of other bodies, such as that of the local Court.

Following the statement, the DPA began its proceeding.


The DPA held that the processing of personal data by the data controller fell under Article 10 GDPR, which states that processing of data relating to criminal convictions and offences must take place only under the control of public authority or if the processing is authorised by Union or Member State law providing appropriate safeguards for the rights and freedoms of the data subjects. However, it found that the disclosure on the controller’s website of the data was carried out in the absence of a legitimate legal basis, in accordance with the combined provisions of Article 10 GDPR and Article 2-octies of the Italian Privacy Code. Because there is no law authorising the processing of judicial data as done in the present case.

Additionally, the DPA held that the processing did not comply with the principles set out in Article 5(1)(a) GDPR, Article 5(1)(c) GDPR and Article 5(1)(f) GDPR either. According to the Articles, personal data needs to be processed in accordance with the principles of lawfulness, fairness and transparency, the principle of data minimisation and the principle of integrity and confidentiality.

Thus, the DPA found that the disclosure, in the absence of lawfulness requirements, of such data by the Italian Bar Association in question, in its capacity as data controller, constituted an administrative offence under Article 166(2) of the Italian Privacy Code, read in conjunction with Article 83(5) GDPR.

The DPA fined the data controller €20,000 pursuant to Article 58(2)(i) GDPR and Article 83 GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.