XX and XX – €4,000 Fine (Italy, 2020)

€4,000Garante per la protezione dei dati personali2 July 2020Italy
final
ePrivacy
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

An Italian company was fined for publishing personal data online without permission. This matters because it highlights the importance of handling personal information carefully to avoid legal penalties. Companies must ensure they have the right to share any personal data they publish.

What happened

The Garante fined the company for the unauthorized online publication of personal data.

Who was affected

Individuals whose personal data was published without their consent.

What the authority found

The authority found that the company violated GDPR rules by not having a valid legal basis for processing personal data.

Why this matters

This case serves as a reminder for businesses to obtain proper consent before sharing personal information online. It reflects a growing trend of strict enforcement of data protection laws.

GDPR Articles Cited

AI-verified

Art. 5(1)(a) GDPR
Art. 5(1)(c) GDPR
Art. 6(1)(c) GDPR
Art. 6(1)(e) GDPR
Art. 6(2) GDPR
Art. 6(3)(b) GDPR
View original scraped data
Art. 5(1)(a) GDPR
Art. 5(1)(c) GDPR
Art. 6(1)(c) GDPR
Art. 6(1)(e) GDPR
Art. 6(2) GDPR
Art. 6(3) GDPR

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Art. 73 D. Lgs. 118/2011
Source verified 6 April 2026
articles corrected
national law identified
Italy enforcementGarante per la protezione dei dati personali actionsAll XX and XX actions
Full Legal Summary
Detailed

Regione Campania published a document containing personal data of XX and XX on its website. The reporting parties complained that their names and addresses were disclosed online because they owed a debt to the Region, as provided by the final judgement of a civil suit. Regione Campania promptly removed personal information upon request of the parties. Moreover, the accused party stated that neither third parties, nor the complaining parties were harmed by the publication of the information and it argued that there was an obligation to publish those data in accordance with art. 73 of D. Lgs. 118/2011. Is the online publication of personal information of a debtor in compliance with art. 5 and 6 of the GDPR? The DPA held that Regione Campania violated art 5(1)(a)(c), art. 6(1)(c)(e), art. 6(2) and art. 6(3)(b) GDPR, and concluded that art. 73 of D. Lgs. 118/2011 imposed no obligation with regard to the online publication of personal information of debtors. Therefore, the DPA issued a sanction of € 4.000.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for XX and XX in IT

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Minister for Legal Protection

2022 · DPA RbOverijssel

Data Subject versus Telecommunications Company

2025 · DPA OLGKoblenz

Legal Person

2023 · Úřad pro ochranu osobních údajů

€4K

CNIL

2019 · Court of Justice of the European Union

Details

Fine Date

2 July 2020

Authority

Garante per la protezione dei dati personali

Fine Amount

€4,000

GDPRhub ID

gdprhub-2676

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. XX and XX - Italy (2020). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: