Miropass S.r.l. – €40,000 Fine (Italy, 2020)

€40,000Garante per la protezione dei dati personali17 December 2020Italy
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Miropass S.r.l. was fined EUR 40,000 by the Italian data protection authority for mishandling user data in its TuPassi booking system. The company lacked a legal basis for processing sensitive health data and kept it longer than necessary. This case highlights the importance of having clear legal grounds and data retention policies when handling personal data.

What happened

Miropass processed sensitive health data without a legal basis and violated data storage rules.

Who was affected

Users of the TuPassi booking system, including those booking appointments at healthcare facilities.

What the authority found

The Italian authority found Miropass violated GDPR by processing health data without a legal basis and not adhering to data storage limits.

Why this matters

This decision underscores the need for companies to establish valid legal grounds for processing personal data, especially sensitive data like health information. Businesses should ensure they have clear data retention policies to avoid similar penalties.

GDPR Articles Cited

Art. 6(GDPR)
Art. 9(GDPR)
Art. 28(GDPR)
Art. 5(1)(a) GDPR
Italy enforcementGarante per la protezione dei dati personali actionsAll Miropass S.r.l. actions
Full Legal Summary
Detailed

The Italian DPA (Garante) fined Miropass S.r.l. EUR 40,000. Miropass is the provider of the TuPassi booking system, which among others has been used by the Municipality of Rome since 2015. The booking system enables the booking of appointments both on the website of the controller (www.tupassi.it) as well as via the corresponding app. For this purpose, the company collects and processes the personal data of the users. In the course of its investigation, the Italian DPA found that Miropass, particularly in the context of health data resulting from appointment bookings at health care facilities, had no legal basis for the processing and violated the principle of storage limitation.

Related Enforcement Actions (0)

No other enforcement actions found for Miropass S.r.l. in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

17 December 2020

Authority

Garante per la protezione dei dati personali

Fine Amount

€40,000

Enforcement Tracker ID

ETid-532

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Miropass S.r.l. - Italy (2020). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: