Garante per la protezione dei dati personali (Italy) - 9283029

From GDPRhub
- 9283029
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 9(1) GDPR
Article 9(2) GDPR
Article 9(4) GDPR
Type: Complaint
Outcome: Upheld
Decided: 6. 02. 2020
Published: n/a
Fine: 4.000 EUR
Parties: Public High School
National Case Number/Name: 9283029
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: n/a

The Italian data protection authority (Garante) imposed a fine of €4.000 on a public high school, finding that the publication on the school website of the details of the teaching staff constituted a breach of the principles of lawfulness, fairness and transparency, as well as of data minimization under Article 5 (1) (a) (c) GDPR. The Garante also found that the school published part of the data failing to rely on a lawful basis and that data concerning health were published in violation of Article 9 (1), (2), (4) GDPR.

English Summary


The Garante examined a complaint against the publication on the school website of the details of the teaching staff (around 1.500 subjects concerned), including address, phone number, number of children and data concerning health.


The Garante had to assess whether such disclosure was justified and lawful.


The Garante considered that the most likely applicable lawful basis for the process of personal data in the public sector is the compliance with a legal obligation or the performance of a task carried out in the public interest or in the exercise of official authority under Article 6 (1) (c) (e) GDPR. In this regard, in the Garante’s view part of the data was disclosed unlawfully with no Article 6 basis for processing. Moreover, the Garante found that the disclosure of the teaching staff personal data contravened the data protection principle of “lawfulness, fairness and transparency” and “data minimization” under Article 5 (1) (a) (c) GDPR. The Garante further found that the school also published data concerning health, failing to respect the prohibition under Article 9 (1) GDPR and without relying on any specific exemptions under Article 9 (2) (4) GDPR.


Feel free to add your comment here

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the ***Italian*** original. Please refer to the ***Italian*** original for more details.

to be completed