Ministero dello Sviluppo Economico – €75,000 Fine (Italy, 2021)

The Italian DPA (Garante) has fined the Ministry of Economic Development (Ministero dello Sviluppo Economico) EUR 75,000 for failing to appoint a data protection officer by May 28, 2018, and for publishing personal data of more than five thousand managers on its website. In Italy, small and medium-sized companies that had previously received a relevant voucher could book advice on technological and digital processes from experienced business professionals, through the controller. The Italian DPA launched an investigation against the controller after it became known that personal data of more than five thousand managers who had made themselves available for corresponding consultations were freely accessible on its website. The personal data, such as name, tax number, e-mail, full CV and in some cases a copy of the identity card and health card of the data subjects, was publicly visible and could be freely downloaded. On the website, it was also possible to download the directorate resolution that had approved the list, which included the data and information of all the directors. The DPA found that the processing was unlawful and that the directorate resolution referred to by the controller did not constitute an adequate legal basis for the disclosure of online data.