Trento health authority – €150,000 Fine (Italy, 2021)
The Trento health authority mistakenly shared sensitive health documents with general practitioners, violating privacy rules. This matters because it shows how important it is for organizations to protect personal health information, especially when individuals have requested confidentiality.
What happened
The Trento health authority shared 293 health documents with general practitioners despite individuals requesting their data be kept private.
Who was affected
175 individuals, including 2 minors, had their health documents shared without their consent.
What the authority found
The Italian data protection authority ruled that the health authority violated privacy rules by sharing personal health data without a valid legal basis.
Why this matters
This case highlights the need for strict adherence to privacy laws when handling sensitive health information. Organizations must ensure they respect individuals' requests for confidentiality.
GDPR Articles Cited
National Law Articles
Due to a technical mistake, the Trento health authority shared with general practitioners a total of 293 health documents referring to 175 data subjects (including 2 minors), although the data subjects had exercised their right to obscure these documents. The Italian DPA considered that the personal data had been shared in violation of Article 75 of the Italian “Codice in materia di protezione dei dati personali” and of Article 9 GDPR, as well as the principles of lawfulness, integrity and confidentiality of processing under Article 5 GDPR.
According to Article 9 GDPR, health data may only be disclosed to the person concerned and may only be disclosed to third parties on the basis of an appropriate legal basis or on the basis of written authorization by the data subject. In the case under examination, the data subjects explicitly requested that their data not be shared with their general practitioners, and the DPA therefore found that Article 9 had been violated.
The DPA also referred to specific health data guidelines published by the Italian DPA itself (“Linee guida in materia di Dossier sanitario - 4 giugno 2015”) and to Article 75 of the Italian Data Protection Code. According to these guidelines, an important guarantee protecting the data subject's confidentiality is the possibility for the data subject to obscure certain data or health documents that can be consulted through the Health Dossier. Since the data subjects specifically exercised this right, the DPA deemed that these Guidelines, and therefore Article 75 of the Italian Code, were also violated. Under the powers conferred by Articles 58(2)(i) and 83 GDPR, the Italian DPA imposed a fine of €150,000 on the Trento health authority.
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Trento health authority in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
27 May 2021
Authority
Garante per la protezione dei dati personali
Fine Amount
€150,000
GDPRhub ID
gdprhub-3676
About this data
Cite as: Cookie Fines. Trento health authority - Italy (2021). Retrieved from cookiefines.eu