Istituto Nazionale Previdenza Sociale (INPS) – €300,000 Fine (Italy, 2021)

Original fine summary: The Italian DPA (Garante) imposed a fine of EUR 300,000 on the Istituto Nazionale Previdenza Sociale (INPS). The Italian National Institute for Social Security had been tasked with anti-fraud investigations related to COVID-19 relief funds. After press reports raised problems with the institute's data processing practices around the application review of politicians, the Italian DPA opened an investigation against INPS in August 2020. During that investigation, the DPA identified several violations. The controller had collected data on tens of thousands of politicians from public sources and cross-checked it with data from applicants. In doing so, however, the controller had failed to ensure that data was collected only from those politicians who were eligible to receive the assistance funds. In doing so, the controller violated the principles of lawfulness, fairness, and transparency as set out in the GDPR. Furthermore, the controller had violated the principle of data minimization by initiating checks on reimbursements even for individuals whose applications had been rejected and who had therefore never received payments. Furthermore, the controller had not adequately assessed the risks associated with a data processing operation as sensitive as that on applications for social benefits, since it had not carried out an impact assessment on the rights and freedoms of the data subjects. Update: Following an appeal presented by INPS the judge of the XVIII civil section of the Court of Rome annulled the fine of EUR 300,000.