Regione Lombardia – €200,000 Fine (Italy, 2021)

€200,000Garante per la protezione dei dati personali22 July 2021Italy
final
ePrivacy
Fine

Regione Lombardia was fined for exposing personal data of over 100,000 students on its website. The published information included names and application details for scholarships, which should have been kept confidential. This incident emphasizes the critical need for organizations to protect sensitive data, especially when it involves minors.

What happened

Regione Lombardia published personal data of students applying for scholarships on its website without adequate protection.

Who was affected

Students and their families whose personal information was publicly accessible online.

What the authority found

The Garante ruled that Regione Lombardia violated GDPR by failing to protect the personal data of scholarship applicants.

Why this matters

This case serves as a crucial reminder for educational institutions and government bodies to safeguard personal information. It highlights the importance of confidentiality in data handling, particularly for vulnerable populations like students.

GDPR Articles Cited

AI-verified

Art. 5(1)(a) GDPR
Art. 5(1)(c) GDPR
Art. 6(1)(c) GDPR
Art. 6(1)(e) GDPR
View original scraped data
Art. 5(1)(a) GDPR
Art. 5(1)(c) GDPR
Art. 6(1)(c) GDPR
Art. 6(1)(e) GDPR

Original data from scraper before AI verification against source document.

Source verified 10 March 2026
national law identified
scope corrected
Italy enforcementGarante per la protezione dei dati personali actionsAll Regione Lombardia actions
Full Legal Summary
Detailed

The Italian DPA (Garante) has imposed a fine of EUR 200,000 on the Region of Lombardy. The region had published on its website the personal data of more than 100,000 students who had applied for state scholarships or financial grants for the purchase of textbooks, technical equipment and teaching materials. As the Garante's preliminary audit revealed, it was possible to view and download the list of approved and funded applications, the list of approved and to be funded applications, the list of state scholarship recipients and the list of ineligible applications from the region's website. These lists included personally identifiable information such as the application ID, the applicant's name, the student's grade, the code and name of the school, as well as the application number. In this context, the DPA stated that the data of persons applying for economic benefits must be protected in a special way to prevent the economic and social hardship of the data subjects from becoming evident.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (1)

Other enforcement actions involving Regione Lombardia in IT

Current
Jul 2021

Fine

€200K

Fine
Apr 2025· Garante per la protezione dei dati personali

The Italian DPA imposed a fine of EUR 50,000 on the Regione Lombardia. The controller tracked its employees' browser activities, including private one...

€50K

Similar Cases

Enforcement actions with similar violations

Minister for Legal Protection

2022 · DPA RbOverijssel

Data Subject versus Telecommunications Company

2025 · DPA OLGKoblenz

Legal Person

2023 · Úřad pro ochranu osobních údajů

€4K

CNIL

2019 · Court of Justice of the European Union

Details

Fine Date

22 July 2021

Authority

Garante per la protezione dei dati personali

Fine Amount

€200,000

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Regione Lombardia - Italy (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: