Italian National Social Security Institute (“INPS”) vs. anonymous – Violation Found (Italy, 2020)

Violation Found
Garante per la protezione dei dati personali | 14 May 2020 | Italy
final
ePrivacy

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Italian data protection authority found that the Italian National Social Security Institute failed to properly notify individuals about a data breach. This matters because timely notifications are crucial for protecting people's personal information after a breach. Organizations need to understand their responsibilities in keeping users informed.

What happened

The authority discovered that the Italian National Social Security Institute did not adequately notify people about a data breach involving their personal data.

Who was affected

Individuals whose personal data was compromised in the breach were affected.

What the authority found

The authority found that the Institute did not fulfill its obligation to inform affected individuals about the data breach, violating GDPR requirements.

Why this matters

This case highlights the importance of prompt data breach notifications. Organizations must have clear procedures in place to inform users quickly to protect their privacy and comply with the law.

GDPR Articles Cited

Art. 34 GDPR
Art. 58(2)(e) GDPR

Source verified 13 April 2026
verified correct
Full Legal Summary

The INPS notified the Garante of a data breach that led to unauthorized access to the personal data of a very large number of taxpayers from the INPS online portal. The information concerned was directly identifying and included health data, work situation data and minors' data. The Authority also received more than a hundred complaints from individuals who expressed concern about the consequences for their fundamental rights and freedoms, and who in many cases proved to have accessed third parties' personal data.

In the INPS's view, the access to the data was random and available for a limited time, and it concerned persons who seemed to have no connection with the data subjects involved. It therefore considered that the breach was not such as to result in a high risk to the rights and freedoms of natural persons, and hence did not require a communication to the data subjects under Article 34 GDPR.

The Garante had to establish whether the INPS acted lawfully with regard to the communication obligation under Article 34 GDPR. In doing so, the Authority also took into account the criteria enumerated in the Article 29 WP Guidelines on Personal data breach notification, including the nature of the personal data, the severity of the consequences for the data subjects and the special characteristics of the data subjects and the controller. The Garante stressed the need to consider both the probability and the seriousness of the risk to the rights and freedoms of the data subjects based on an objective assessment, without being affected by the specific context in which the INPS intervened.

The Authority therefore arrived at the conclusion that the public communication on the data breach published on the INPS website was not sufficient. Under the powers conferred by Article 58(2)(e) GDPR, the Garante ordered the INPS to communicate the personal data breach to the data subjects without undue delay and in any case within fifteen days from the day of receipt of

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Details

Decision Date

14 May 2020

Authority

Garante per la protezione dei dati personali

GDPRhub ID

gdprhub-2388

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Italian National Social Security Institute (“INPS”) vs. anonymous - Italy (2020). Retrieved from cookiefines.eu
