Garante per la protezione dei dati personali (Italy) - 9556958

From GDPRhub
Garante per la protezione dei dati personali - 9556958
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(d) GDPR
Article 5(2) GDPR
Article 25 GDPR
Article 35 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 25.02.2021
Published: 09.03.2021
Fine: 300000 EUR
Parties: INPS
National Case Number/Name: 9556958
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: n/a

The Italian DPA (Garante per la protezione dei dati personali) imposed a fine of €300,000 on the national social security institute (INPS) for violating Articles 5(1)(a)(c)(d), 2, 25 and 35 GDPR.

English Summary


The Italian national social security institute (INPS) has provided financial aids to Italian citizens in order to face the Covid crisis. To access this aids, citizens were required to satisfy certain criteria. The INPS, in order to speed up the process to obtain the aid, first assessed the request only on the basis of the documentation provided in the request by the applicant, and just in a second moment, after the dispensing of the aid, carried out a more specific investigation for every applicant.

During the second phase assessment, the INPS checked whether between the requests there were parliamentarians or holders of offices in public administrations. To do so, INPS collected some personal data from open source registers and generated from this open data the personal tax code of the applicants and compared it with the one in the application. This way of calculation of the tax code can entail some mistakes. The secondary examination was carried on also for the subjects to which the aid was already been refused under the first examination. Only afterwards, the Labour ministry declared that parliamentarians and holders of administrative office would be excluded from this financial aid.


Were these activities contrary to the GDPR?


The DPA found that the fact that the second examination on parliamentarians and holders of administrative offices has been carried out before the note of Labour ministry on the exclusion of these categories from the financial aid, comported a violation of the principles of lawfulness, fairness and transparency as per Article 5(1)(a) GDPR.

The fact that the processing was not limited to who received the aid but included who had already been refused, was in violation of the principle of adequacy and minimisation as per Artcle 5(1)(c) GDPR.

The fact that the tax code has been generated from open data and not obtain by official sources and thus potentially erroneous, was violating the principle of adequacy as per Article 5(1)(d) GDPR.

The DPA also considered that all the previous violations constituted together the violation of privacy by default and by design as per Article 25 GDPR and the liability principle of 5(2) GDPR.

The DPA finally found out that the provision on impact assessment, as per Article 35 GDPR was also violated because the INPS has not adequately weighed the existence of a high risk, such as to require the conduct of a preliminary impact assessment on data protection, and has not adequately involved the DPO.

For these reasons and on the basis of Article 58(2)(i) and 83 GDPR, the Italian DPA imposed a fine of € 300 000 on INPS.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.